WARNING: HIGH SEVERITY UNAUTHORISED INCREASE OF AUTHENTICATION LEVEL VULNERABILITY IN LEMONLDAP. PATCH IMMEDIATELY!
CVE-2024-52946: CVSS 8.8(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Sources
NIST - https://nvd.nist.gov/vuln/detail/CVE-2024-52946
Risques
LemonLDAP is a free software that provides WebSSO (Single Sign On), Access Management and Identity Federation.
A vulnerability that can allow unauthorized access has been discovered in LemonLDAP. As of the time of writing (2024-12-02) it is unknown if the vulnerability has been exploited.
This vulnerability has a high impact on confidentiality, integrity, and availability.
Description
A threat actor can log in and after clicking on “Refresh my rights”, the “Adaptive authentication” rule is triggered, and the authentication level is increased, instead of returning the absolute value of the authentication level. That increase in unauthorized. That can allow the user to gain access to applications (or files) that he should not connect.
That vulnerability is caused by incorrect default permissions.
Actions recommandées
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
Références
LemonLDAP Gitlab - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3255