
WARNING: HIGH SEVERITY UNAUTHORISED INCREASE OF AUTHENTICATION LEVEL VULNERABILITY IN LEMONLDAP. PATCH IMMEDIATELY!

Reference:
Advisory #2024-281
Version:
1.0
Affected software:
LemonLDAP versions earlier than 2.20.1
Type:
Unauthorised Access, Unauthorised increase of authentication level
CVE/CVSS:
CVE-2024-52946: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

NIST - https://nvd.nist.gov/vuln/detail/CVE-2024-52946

Risks

LemonLDAP is free software that provides WebSSO (Single Sign-On), Access Management and Identity Federation.

A vulnerability that can allow unauthorized access has been discovered in LemonLDAP. As of the time of writing (2024-12-02) it is unknown if the vulnerability has been exploited.

This vulnerability has a high impact on confidentiality, integrity, and availability.

Description

A threat actor can log in and click “Refresh my rights”; this triggers the “Adaptive authentication” rule, which increases the current authentication level instead of returning the absolute value of the authentication level. That increase is unauthorized. It can allow the user to gain access to applications (or files) to which they should not be able to connect.

That vulnerability is caused by incorrect default permissions.
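The description above boils down to a rule that is re-applied as a relative increment on every refresh rather than recomputed as an absolute value. The following simplified model is an added illustration, not LemonLDAP's own code: the rule, the level numbers, the "trusted network" condition and the application's required level are all constructed, and only the buggy-versus-idempotent contrast reflects the advisory.

```python
"""Model of the bug class behind CVE-2024-52946: an adaptive authentication
rule applied as a relative increment on every "Refresh my rights", so the
level keeps growing, versus the correct idempotent recomputation.
Illustrative only; NOT LemonLDAP's code. All values are constructed."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    base_level: int    # level granted by the authentication backend at login
    auth_level: int    # effective level stored in the session
    trusted_net: bool  # constructed rule input (request came from a trusted network)


# Constructed adaptive rule: on a trusted network the level is base + 2.
RULE_BONUS = 2


def vulnerable_refresh(session: Session) -> int:
    """Buggy: the bonus is added to whatever the session already holds,
    so every refresh raises the level further (first refresh is still correct)."""
    if session.trusted_net:
        session.auth_level += RULE_BONUS
    return session.auth_level


def fixed_refresh(session: Session) -> int:
    """Correct: recompute the absolute level from the backend's base level,
    so refreshing any number of times yields the same value."""
    session.auth_level = session.base_level + (RULE_BONUS if session.trusted_net else 0)
    return session.auth_level


def can_access(session: Session, required_level: int) -> bool:
    """Access rule of a protected application: effective level must reach the threshold."""
    return session.auth_level >= required_level


def simulate(refresh, refreshes: int, required_level: int = 5) -> tuple:
    """Log in at base level 1, press refresh N times, then check an app needing level 5.
    Returns (final level, access granted?)."""
    s = Session(user="alice", base_level=1, auth_level=1, trusted_net=True)
    for _ in range(refreshes):
        refresh(s)
    return s.auth_level, can_access(s, required_level)
```

With the buggy rule three refreshes take the session from level 1 to 7 and unlock an application that requires level 5; with the idempotent rule the level stays at 3 and access is denied.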

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

LemonLDAP Gitlab - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3255