WARNING: HIGH SEVERITY UNAUTHORISED INCREASE OF AUTHENTICATION LEVEL VULNERABILITY IN LEMONLDAP. PATCH IMMEDIATELY!

Reference:
Advisory #2024-281

Version:
1.0

Affected software:
LemonLDAP versions earlier than 2.20.1

Type:
Unauthorised Access, Unauthorised increase of authentication level

CVE/CVSS:
CVE-2024-52946: CVSS 8.8(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

NIST - https://nvd.nist.gov/vuln/detail/CVE-2024-52946

Risks

LemonLDAP is a free software that provides WebSSO (Single Sign On), Access Management and Identity Federation.

A vulnerability that can allow unauthorized access has been discovered in LemonLDAP. As of the time of writing (2024-12-02) it is unknown if the vulnerability has been exploited.

This vulnerability has a high impact on confidentiality, integrity, and availability.

Description

A threat actor can log in and after clicking on “Refresh my rights”, the “Adaptive authentication” rule is triggered, and the authentication level is increased, instead of returning the absolute value of the authentication level. That increase in unauthorized. That can allow the user to gain access to applications (or files) that he should not connect.

That vulnerability is caused by incorrect default permissions.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

LemonLDAP Gitlab - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3255