Full Report
The Mendix LDAP module is affected by an LDAP injection vulnerability that could allow an unauthenticated remote attacker to bypass username verification. Siemens has released a new version of the Mendix LDAP module and recommends updating to the latest version.
Analysis Summary
# Vulnerability: LDAP Injection in Mendix LDAP Module Allows Username Verification Bypass
## CVE Details
- CVE ID: CVE-2024-56841
- CVSS Score: 9.1 (Critical, using CVSS v4.0 base score)
- CWE: CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'))
## Affected Systems
- Products: Mendix LDAP Module
- Versions: All versions prior to V1.1.2
- Configurations: Any configuration utilizing the affected module for user authentication against an LDAP server (e.g., Microsoft Active Directory).
## Vulnerability Description
The Mendix LDAP module is vulnerable to an LDAP injection flaw when processing username verification requests. An unauthenticated remote attacker can leverage this vulnerability by manipulating input to bypass the intended username check, potentially leading to unauthorized account access or enumeration, depending on the application's subsequent operations.
## Exploitation
- Status: No in-the-wild exploitation is explicitly reported; a proof of concept is highly likely given the vulnerability class (LDAP injection).
- Complexity: Medium. The CVSS v3.1 vector (AC:H) rates attack complexity as high, while the CVSS v4.0 vector (AV:N/AC:L) rates it low once the injection vector is known; **Medium** is assumed here because network access and a specifically crafted query are required.
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (Allows unauthorized access/discovery)
- Integrity: High (Allows modifications if the bypassed user context grants write permissions)
- Availability: None (No direct impact on system availability noted)
## Remediation
### Patches
- **Update to Mendix LDAP Module V1.1.2 or later.**
- Patch Link (Marketplace): hxxps://marketplace.mendix.com/link/component/210270
### Workarounds
- No specific technical workaround is detailed beyond updating; however, general recommendations include protecting network access to devices leveraging the module.
## Detection
- **Indicators of Compromise (IoCs):**
  - Unusual or malformed LDAP query strings in application or server logs directed at the LDAP server, specifically filters whose username value contains LDAP filter metacharacters used for injection (e.g., `*`, `(`, `)`, `&`, `|`, `!`).
- **Detection Methods and Tools:**
  - Review LDAP server access logs for query patterns that deviate from the expected exact-match username lookup.
  - Implement WAF or IPS signatures capable of detecting common LDAP injection payloads targeting the application's authentication endpoint.
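As an added illustration (not code from the Mendix LDAP module or the Siemens advisory), the following Python shows the defect class described under Vulnerability Description, the hardened form that escaping per RFC 4515 gives, and the log review recommended above. The in-memory directory, the log line format and the `sAMAccountName` lookup are constructed assumptions; the "vulnerable" builder is a generic raw-interpolation pattern, not the module's actual code.

```python
import re

# RFC 4515 section 3: characters with meaning inside a filter become backslash + two hex digits.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_vulnerable(username: str) -> str:
    """Raw interpolation (constructed, for contrast): input can change the filter's structure."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_user_filter_safe(username: str) -> str:
    """Escaped interpolation: input can only ever be a literal value."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated '{op}' list")
        return (op, children), i + 1
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated assertion")
    attr, sep, raw = s[i:j].partition("=")
    if not sep or not attr:
        raise ValueError("assertion without attribute=value")
    return ("=", attr, raw), j + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _match_value(raw_pattern: str, actual: str) -> bool:
    """Equality or substring match; an unescaped '*' in the raw value acts as a wildcard."""
    parts = [_unescape(p).lower() for p in raw_pattern.split("*")]
    a = actual.lower()
    if len(parts) == 1:
        return a == parts[0]
    if not (a.startswith(parts[0]) and a.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        idx = a.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= len(a) - len(parts[-1])


def _evaluate(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(_evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(_evaluate(c, entry) for c in node[1])
    if op == "!":
        return not _evaluate(node[1][0], entry)
    _, attr, raw = node
    actual = entry.get(attr)
    return actual is not None and _match_value(raw, actual)


# Constructed directory standing in for an Active Directory domain.
DIRECTORY = [
    {"objectClass": "user", "sAMAccountName": "alice"},
    {"objectClass": "user", "sAMAccountName": "bob"},
    {"objectClass": "group", "sAMAccountName": "admins"},
]


def search(filter_str: str, directory=DIRECTORY) -> list:
    """Return the sAMAccountName of every entry the filter matches."""
    node = parse_filter(filter_str)
    return [e["sAMAccountName"] for e in directory if _evaluate(node, e)]


def suspicious_reasons(filter_str: str, exact_attrs=("sAMAccountName",)) -> list:
    """Detection heuristic: reasons a logged filter deviates from a plain username lookup."""
    try:
        node = parse_filter(filter_str)
    except ValueError as exc:
        return [f"malformed filter: {exc}"]
    reasons, stack = [], [node]
    while stack:
        n = stack.pop()
        if n[0] in "&|!":
            stack.extend(n[1])
        elif n[1] in exact_attrs and "*" in n[2]:
            reasons.append(f"wildcard in exact-match attribute {n[1]}")
    return reasons


# Constructed log lines in a made-up format; the filter= field is what gets reviewed.
SAMPLE_LOG = [
    "2024-12-10T10:01:02Z search base=dc=example,dc=com filter=(&(objectClass=user)(sAMAccountName=alice))",
    "2024-12-10T10:01:09Z search base=dc=example,dc=com filter=(&(objectClass=user)(sAMAccountName=*))",
    "2024-12-10T10:01:15Z search base=dc=example,dc=com filter=(&(objectClass=user)(sAMAccountName=bo\\2a))",
    "2024-12-10T10:01:21Z search base=dc=example,dc=com filter=(&(objectClass=user)(sAMAccountName=carol)",
]


def review_log(lines=SAMPLE_LOG) -> list:
    """Return (line_number, reason) for each log line whose filter looks injected or malformed."""
    findings = []
    for n, line in enumerate(lines, 1):
        _, _, filter_str = line.partition("filter=")
        for reason in suspicious_reasons(filter_str.strip()):
            findings.append((n, reason))
    return findings


if __name__ == "__main__":
    print(search(build_user_filter_vulnerable("*")))  # every user entry: the filter's structure changed
    print(search(build_user_filter_safe("*")))        # []: the star is matched as a literal
    for n, reason in review_log():
        print(f"line {n}: {reason}")
```

The evaluator deliberately treats only an unescaped `*` as a wildcard and decodes `\2a` back to a literal star, which is exactly the distinction the module update has to enforce; the log review flags the same metacharacter inside an attribute that should only ever carry an exact username, plus any filter the parser rejects.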
## References
- Siemens Advisory: SSA-314390