OPNsense LDAP Injection Vulnerability in Authentication Component

Vulnerability

A vulnerability exists in OPNsense's LDAP authentication connector and affects versions through 26.1.5. The connector inserts the login username into an LDAP search filter without escaping the filter metacharacters defined in RFC 4515 (asterisk, parentheses, backslash and NUL). An unauthenticated attacker can therefore type those characters into the username field of the WebGUI login page and have them interpreted as filter syntax rather than as part of a literal name. This allows enumeration of valid LDAP usernames and, where the authentication server is configured with a group membership restriction, bypassing that restriction to authenticate as any LDAP user whose password is known.

Impact

Exploitation allows unauthenticated enumeration of valid LDAP usernames and, where a group membership restriction is configured, authentication to the WebGUI as an LDAP user outside the permitted group. The attacker still needs that user's valid password: the flaw weakens the decision of who may log in, not the password check itself.

Reproduction

To reproduce, open the WebGUI login page of an OPNsense instance that authenticates against an LDAP server and submit a username containing LDAP filter metacharacters, for example a single asterisk. Then inspect the LDAP server's log: the search filter issued for that login attempt contains the asterisk verbatim instead of the RFC 4515 escaped form \2a, so the server evaluates it as a wildcard rather than as a literal character. That unescaped value in the username position is the indicator of the flaw. Where the authentication server is configured to restrict logins by group membership, the same injection can be used to bypass the restriction and authenticate as an LDAP user whose password is known, even though that user is outside the permitted group.
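The mechanism described in the Vulnerability and Reproduction sections, as an added Python illustration. This is not OPNsense code (the connector is written in PHP) and does not reproduce the exact filter OPNsense builds: the USER_FILTER and GROUP_FILTER templates, the attribute names and the three directory entries are constructed assumptions. The block puts a login name spliced verbatim into a filter next to one escaped per RFC 4515, and runs both through a toy filter parser and matcher so the difference in what the server would return is visible. It shows the wildcard enumeration; it does not model the group-restriction bypass, because the advisory does not say how OPNsense splices the restriction into the filter.

```python
"""LDAP filter injection through an unescaped login name, next to the RFC 4515
escaping that prevents it. Added example, not OPNsense code; the templates,
attribute names and directory entries below are constructed."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_RFC4515_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
_HEX_ESCAPE = re.compile(r'\\([0-9A-Fa-f]{2})')

# Hypothetical templates of the kind an authentication connector fills in.
USER_FILTER = '(uid={username})'
GROUP_FILTER = '(&(uid={username})(memberOf=cn=firewall-admins,ou=groups,dc=example,dc=com))'

# Constructed sample directory: lower-cased attribute names, multi-valued attributes.
DIRECTORY = [
    {'uid': ['alice'], 'memberof': ['cn=firewall-admins,ou=groups,dc=example,dc=com']},
    {'uid': ['admin'], 'memberof': ['cn=firewall-admins,ou=groups,dc=example,dc=com']},
    {'uid': ['bob'], 'memberof': ['cn=staff,ou=groups,dc=example,dc=com']},
]

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside a search filter."""
    return ''.join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)

def build_filter_unsafe(username: str, template: str = USER_FILTER) -> str:
    """Vulnerable pattern: the login name is spliced into the filter verbatim."""
    return template.format(username=username)

def build_filter_safe(username: str, template: str = USER_FILTER) -> str:
    """Hardened pattern: the login name is escaped before it enters the filter."""
    return template.format(username=escape_filter_value(username))

def _parse(text: str, pos: int = 0):
    """Parse a minimal RFC 4515 filter: (&..), (|..) and (attr=value) items."""
    if pos >= len(text) or text[pos] != '(':
        raise ValueError(f'expected "(" at offset {pos}')
    pos += 1
    if pos < len(text) and text[pos] in '&|':
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == '(':
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ')':
            raise ValueError(f'unterminated "{op}" filter at offset {pos}')
        return (op, children), pos + 1
    end = text.find(')', pos)
    if end < 0:
        raise ValueError('unterminated filter item')
    attr, sep, value = text[pos:end].partition('=')
    if not sep or not attr:
        raise ValueError(f'malformed filter item {text[pos:end]!r}')
    return ('=', attr.lower(), value), end + 1

def parse_filter(text: str):
    """Parse a whole filter; reject trailing data, as a strict server does."""
    node, pos = _parse(text)
    if pos != len(text):
        raise ValueError(f'trailing data after filter: {text[pos:]!r}')
    return node

def is_well_formed(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

def _value_matches(assertion: str, actual: str) -> bool:
    # An unescaped '*' is a substring wildcard; '\xx' escapes decode to literal
    # characters. Matching is case-insensitive, like caseIgnoreMatch on uid.
    pieces = [re.escape(_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), p))
              for p in assertion.split('*')]
    return re.fullmatch('.*'.join(pieces), actual, re.IGNORECASE | re.DOTALL) is not None

def _evaluate(node, entry) -> bool:
    if node[0] in '&|':
        combine = all if node[0] == '&' else any
        return combine(_evaluate(c, entry) for c in node[1])
    _, attr, assertion = node
    return any(_value_matches(assertion, v) for v in entry.get(attr, ()))

def search(filter_text: str, directory=DIRECTORY) -> list:
    """Return the uids the filter selects, as a toy LDAP server would."""
    node = parse_filter(filter_text)
    return [e['uid'][0] for e in directory if _evaluate(node, e)]

if __name__ == '__main__':
    cases = [(USER_FILTER, 'alice'), (USER_FILTER, '*'), (USER_FILTER, 'bob)(uid=*'),
             (GROUP_FILTER, 'a*'), (GROUP_FILTER, 'b*'), (GROUP_FILTER, 'bob)(uid=*')]
    for template, name in cases:
        unsafe, safe = build_filter_unsafe(name, template), build_filter_safe(name, template)
        hits = search(unsafe) if is_well_formed(unsafe) else 'rejected as malformed'
        print(f'{name!r:13} unsafe {unsafe} -> {hits}')
        print(f'{"":13} safe   {safe} -> {search(safe)}')
```

Running the block prints, for each test name, the filter the unsafe builder emits, what the toy server returns for it, and the escaped equivalent. A bare asterisk under USER_FILTER returns every entry, and a prefix such as a* under GROUP_FILTER returns only the matching members of the group, which is the enumeration the advisory describes; the escaped forms return nothing because \2a is a literal character. The bob)(uid=* case shows the second effect of the missing escaping: under USER_FILTER a strict server rejects the result as two filters, but under GROUP_FILTER it is a well-formed filter with an attacker-added clause, which is the footing any restriction bypass needs. The log check in the Reproduction section corresponds to the \2a in the escaped output: a literal asterisk in the username position of a logged filter means the connector behaves like the unsafe builder.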

Remediation

Users should update to OPNsense version 26.1.6 or later, where the username is escaped before it enters the search filter. Until the update is applied, the LDAP server's query log can be reviewed for login-generated filters whose username value contains an unescaped asterisk, parenthesis or backslash; such entries indicate injection attempts against the WebGUI login page.

Added: Apr 9, 2026, 3:53 PM
Updated: Apr 9, 2026, 3:53 PM

Vulnerability Rating

Custom Algorithm

spread          5.7
impact          0.6
exploitability  9.1
remediation     7.7
relevance       5.5
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.