{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/lemur--1.9.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Lemur (\u003c 1.9.0)"],"_cs_severities":["high"],"_cs_tags":["ldap","injection","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Netflix"],"content_html":"\u003cp\u003eLemur, a certificate management tool, is vulnerable to LDAP filter injection in versions prior to 1.9.0. The vulnerability resides within the \u003ccode\u003elemur/auth/ldap.py\u003c/code\u003e module, where user-supplied input from the username field is used to construct LDAP search filters without proper sanitization. Specifically, the \u003ccode\u003e_bind()\u003c/code\u003e method uses Python string interpolation to build LDAP queries based on the provided username. This allows an authenticated LDAP user to inject LDAP filter metacharacters, manipulating group membership queries and potentially escalating their privileges to administrator. Successful exploitation grants unauthorized access to certificates, private keys, and CA configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Lemur instance with LDAP authentication enabled.\u003c/li\u003e\n\u003cli\u003eAttacker obtains valid LDAP credentials for a low-privilege user.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious username containing LDAP filter metacharacters, such as \u003ccode\u003e)(memberOf=CN=LemurAdmins,DC=corp,DC=example,DC=com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST /auth/login\u003c/code\u003e request with the crafted username and valid password.\u003c/li\u003e\n\u003cli\u003eLemur\u0026rsquo;s \u003ccode\u003eldap.py\u003c/code\u003e module constructs an LDAP filter using the unsanitized username, resulting in a modified query.\u003c/li\u003e\n\u003cli\u003eThe LDAP server processes the malicious filter, potentially returning unintended group memberships.\u003c/li\u003e\n\u003cli\u003eLemur assigns the user the \u003ccode\u003eadmin\u003c/code\u003e role based on the manipulated LDAP query results.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive resources, including certificates, private keys, and CA configurations, and can issue certificates under any authority.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain administrative privileges within Lemur, potentially compromising all managed certificates and associated private keys. The attacker can then issue certificates under any authority, leading to a complete compromise of trust within the affected organization. While the exact number of affected Lemur instances is unknown, this vulnerability poses a significant risk to organizations relying on Lemur for certificate management, particularly those in highly regulated sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Lemur to version 1.9.0 or later to patch the LDAP injection vulnerability (CVE-2026-44304).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process creations with arguments indicative of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to monitor for unusual characters in usernames submitted via POST requests to \u003ccode\u003e/auth/login\u003c/code\u003e to proactively identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"/briefs/2024-01-lemur-ldap-injection/","summary":"Lemur versions before 1.9.0 are vulnerable to LDAP filter injection, where an authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator.","title":"Lemur LDAP Filter Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-lemur-ldap-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Lemur (\u003c 1.9.0)","version":"https://jsonfeed.org/version/1.1"}