Netflix Lemur
cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*
- <= v1.9.0
A vulnerability in Lemur's LDAP authentication module prior to version 1.9.0 allows authenticated LDAP users to inject LDAP filter metacharacters through the username field. This injection manipulates group membership queries, enabling users to escalate their privileges to administrator. The vulnerability arises because the LDAP search filters are constructed using unsanitized user input, creating an opportunity for injection attacks that can alter query semantics and result in unauthorized access to sensitive resources such as certificates, private keys, and CA configurations.
Exploitation of this vulnerability allows an authenticated LDAP user to inject filter syntax that manipulates group membership queries, leading to unauthorized assignment of administrative roles in Lemur. This access includes all certificates, private keys, and CA configurations, as well as the ability to issue certificates under any authority.
To reproduce this vulnerability, deploy Lemur with LDAP authentication enabled, ensuring it is configured for Active Directory. After creating a valid LDAP user account, send a login request with a crafted username that includes LDAP metacharacters, such as filter injection syntax. Once the injection is processed, the user will be assigned elevated privileges, such as administrative rights.
Users are advised to update to Lemur version 1.9.0 or later, and to apply the `ldap.filter.escape_filter_chars()` function to all user-controlled values before interpolating them into LDAP filters.
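The following is an added example, not Lemur's own code, showing the defect class and the fix side by side: a group-membership filter built by raw string interpolation of the username, and the same filter built after escaping the value as `ldap.filter.escape_filter_chars()` from python-ldap does. The filter shape, attribute names and sample usernames are constructed for illustration and are not taken from Lemur; the local `escape_filter_chars` reimplements the RFC 4515 escaping rules so the example runs without python-ldap installed. An allowlist check on the username shape is included as a defence-in-depth layer that Lemur's advisory does not mention.

```python
"""Constructed example: unsafe vs. escaped LDAP filter construction.

The five characters below are the only ones RFC 4515 allows to change the
structure of a filter; escaping them turns the username into a literal
assertion value that can no longer open or close filter components.
"""
import re

# Mapping used by RFC 4515 (and by python-ldap's escape_filter_chars in its
# default mode): metacharacter -> backslash plus two-digit hex code.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_chars(value: str) -> str:
    """Escape LDAP filter metacharacters in a user-controlled assertion value.

    Local reimplementation (assumption: mirrors ldap.filter.escape_filter_chars).
    """
    # Backslash goes first so the escape sequences produced for the other
    # characters are not themselves re-escaped.
    out = value.replace("\\", _ESCAPES["\\"])
    for ch, rep in _ESCAPES.items():
        if ch != "\\":
            out = out.replace(ch, rep)
    return out


def build_group_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw interpolation lets metacharacters in the
    username add or close filter components (constructed filter shape)."""
    return f"(&(objectClass=group)(member={username}))"


def build_group_filter_safe(username: str) -> str:
    """Hardened pattern: the value is escaped before interpolation, so it is
    only ever compared as a literal string (constructed filter shape)."""
    return f"(&(objectClass=group)(member={escape_filter_chars(username)}))"


# Defence in depth (assumption, not from the advisory): reject usernames that
# do not match the shape the directory actually issues before they reach LDAP.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_acceptable_username(username: str) -> bool:
    """Allowlist check on the login name; metacharacters never pass."""
    return bool(_USERNAME_RE.match(username))


def component_count(ldap_filter: str) -> int:
    """Number of filter components; a change from the expected count is a
    simple detection that user input altered the query structure."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample values: a normal login name and one carrying
    # metacharacters of the kind the advisory describes.
    for name in ("j.doe", "alice*)(cn=*"):
        print("input      :", repr(name))
        print("acceptable :", is_acceptable_username(name))
        print("unsafe     :", build_group_filter_unsafe(name),
              "components =", component_count(build_group_filter_unsafe(name)))
        print("escaped    :", build_group_filter_safe(name),
              "components =", component_count(build_group_filter_safe(name)))
        print()
```

Running it shows the unescaped build of the second sample name gaining an extra filter component, while the escaped build keeps the three components the template defines; the allowlist rejects that name outright, so in a hardened login path the escaped filter is never even reached for it.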