

=====================================================================

                                 CERT-Renater

                     Note d'Information No. 2022/VULN234

_____________________________________________________________________

DATE                : 06/07/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running LDAP Account Manager versions
                     prior to 8.0.

=====================================================================
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-r387-grjx-qgvw
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-q8g5-45m4-q95p
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-q9pc-x84w-982x
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-wxf8-9x99-6gp4
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6m3q-5c84-6h6j
_____________________________________________________________________


Unauthenticated Arbitrary Object Instantiation / Unauthenticated
Remote Code Execution


High
gruberroland published GHSA-r387-grjx-qgvw

Package
ldap-account-manager (none)

Affected versions
< 8.0

Patched versions
8.0


Description

Impact

In some code paths LAM instantiates an object from a class name taken
from untrusted input, and the attacker also controls the first
constructor argument. If the chosen class is not a LAM class (a PHP
built-in or any other autoloadable class) and runs code in its
constructor, this can lead to code execution.
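The following PHP 8 script is an added illustration of this bug class; it
is not LAM code and does not show where LAM makes the call. The request
parameter names, the PosixAccount/LogWriter classes and the allow-list are
constructed for the demo. It contrasts "new $class($arg)" on raw input
with a fixed allow-list lookup plus a type check on the result.

```php
<?php
declare(strict_types=1);

interface AccountType
{
    public function name(): string;
}

final class PosixAccount implements AccountType
{
    public function __construct(private string $dn) {}
    public function name(): string { return 'posix:' . $this->dn; }
}

// Constructed stand-in for "a non-LAM class that executes code during
// object creation": its constructor has a side effect driven entirely by
// the first argument. Any built-in or autoloadable class with such a
// constructor hands the attacker the same primitive.
final class LogWriter
{
    public function __construct(string $path)
    {
        file_put_contents($path, "created\n", FILE_APPEND);
    }
}

// Vulnerable pattern: class name and first argument both come straight
// from the request (hypothetical parameters type= and arg=).
function createVulnerable(string $class, string $arg): object
{
    return new $class($arg);
}

// Hardened pattern: a short request-supplied identifier is resolved through
// a fixed allow-list of class names, and the object is type-checked before
// it is returned. class_exists() is NOT a substitute: it only proves the
// class is loadable, which is exactly what the attacker needs.
const ACCOUNT_TYPES = ['posix' => PosixAccount::class];

function createHardened(string $typeId, string $arg): AccountType
{
    if (!array_key_exists($typeId, ACCOUNT_TYPES)) {
        throw new InvalidArgumentException("unknown account type: $typeId");
    }
    $class = ACCOUNT_TYPES[$typeId];
    $obj = new $class($arg);
    if (!$obj instanceof AccountType) {
        throw new UnexpectedValueException("$class is not an AccountType");
    }
    return $obj;
}

// Demonstration with a request-shaped input: type=LogWriter&arg=<path>
$probe = sys_get_temp_dir() . '/lam-demo-' . getmypid();
createVulnerable('LogWriter', $probe);
echo file_exists($probe) ? "vulnerable: LogWriter constructor ran\n"
                         : "no side effect\n";
@unlink($probe);

try {
    createHardened('LogWriter', $probe);
} catch (InvalidArgumentException $e) {
    echo 'hardened: ', $e->getMessage(), "\n";
}
echo createHardened('posix', 'uid=alice,ou=people,dc=example,dc=org')->name(), "\n";
```

The allow-list maps identifiers to classes rather than validating the
class name itself, so the attacker never gets to choose what is
instantiated; the instanceof check is defence in depth against a mistake
in the map.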


Patches

The issue is fixed in version 8.0.


Workarounds

None


For more information

If you have any questions or comments about this advisory:

     Open an issue in
https://github.com/LDAPAccountManager/lam/issues
     Email us on the lam-public mailing list


Credits
Arseniy Sharoglazov


Severity
High

8.7 / 10


CVSS base metrics

Attack vector
Network

Attack complexity
High

Privileges required
None

User interaction
None

Scope
Changed

Confidentiality
High

Integrity
None

Availability
High

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H

CVE ID
CVE-2022-31084

Weaknesses
No CWEs

_____________________________________________________________________


Incorrect Default Permissions
High
gruberroland published GHSA-q8g5-45m4-q95p


Package
ldap-account-manager (none)

Affected versions
< 8.0

Patched versions
8.0


Description

Impact

The tmp directory, which is served at /lam/tmp/, allows interpretation
of .php (and .php5/.php4/.phpt/etc.) files. An attacker able to write
files with www-data privileges can drop a web shell into this
directory and gain code execution on the host.


Patches

The issue is fixed in version 8.0.


Workarounds

Disallow execution of PHP scripts in the tmp directory
(/var/lib/ldap-account-manager/tmp) in the web server configuration.
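An added Apache configuration fragment implementing this workaround for a
pre-8.0 deployment; it is not part of LAM or of the advisory. The URL path
follows the advisory (tmp is served under /lam/tmp/); the vhost placement
and the mod_php module names are assumptions to adjust to the local setup.

```apacheconf
# Added example for the workaround above; not part of LAM or the advisory.
# URL path follows the advisory (tmp directory served under /lam/tmp/);
# vhost placement and module names are assumptions to adjust.
#
# Weak state: no directive singles out /lam/tmp, so the site-wide PHP
# handler (mod_php AddHandler/SetHandler, or the php-fpm FilesMatch proxy)
# applies there too, and a .php file dropped into tmp by www-data runs.
#
# Hardened state: keep serving the generated files, but refuse every
# PHP-like extension (php, php4, php5, php7, phpt, pht, phtml, phar, phps,
# case-insensitive). Authorization is checked before any handler runs, so
# this covers both mod_php and php-fpm. Keying on the URL rather than on a
# <Directory> path also survives Alias/symlink layouts.
<LocationMatch "(?i)^/lam/tmp/.*\.ph(p[0-9]*|pt|t|tml|ar|ps)$">
    Require all denied
</LocationMatch>

# Second layer for mod_php deployments: switch the engine off under tmp so
# that even an extension mapped to PHP elsewhere is not executed here.
<Location /lam/tmp>
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
</Location>
```

After reloading Apache, check the rule by placing a harmless file such as
probe.php in the tmp directory and requesting /lam/tmp/probe.php: the
expected answer is 403; remove the probe afterwards. The workaround only
stops execution of dropped files; the upgrade to 8.0 remains the fix.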


For more information

If you have any questions or comments about this advisory:

     Open an issue in https://github.com/LDAPAccountManager/lam/issues
     Email us on the lam-public mailing list


Credits
Arseniy Sharoglazov


Severity
High

7.8 / 10


CVSS base metrics

Attack vector
Local

Attack complexity
Low

Privileges required
Low

User interaction
None

Scope
Unchanged

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2022-31087

Weaknesses
No CWEs


_____________________________________________________________________


Incorrect Regular Expressions
Moderate
gruberroland published GHSA-q9pc-x84w-982x


Package
ldap-account-manager (none)

Affected versions
< 8.0

Patched versions
8.0


Description

Impact

Incorrect regular expressions allow PHP scripts to be uploaded to
config/templates/pdf. This can lead to remote code execution if the
/config/templates/pdf/ directory is reachable by remote users, which
is not LAM's default configuration.
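The following PHP script is an added illustration of this bug class and is
not LAM code: the "loose" pattern is a constructed stand-in, not the
expression LAM actually used, and the candidate file names are made up.
It shows why an unanchored or loosely anchored regular expression on a
template file name lets a second extension, a path segment or a trailing
newline through, and what a whole-string allow-list looks like.

```php
<?php
declare(strict_types=1);

// Loose (constructed stand-in for the bug class, not LAM's expression):
// unanchored, so any name that merely contains ".xml" passes.
function isValidTemplateNameLoose(string $name): bool
{
    return preg_match('/\.xml/i', $name) === 1;
}

// Strict: the whole string must match (\A ... \z rather than ^ ... $, so a
// trailing newline cannot slip past "$"), the alphabet excludes "/", "\"
// and ".", and exactly one ".xml" extension is allowed.
function isValidTemplateNameStrict(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.xml\z/', $name) === 1;
}

// Constructed candidates an upload handler might see.
$candidates = [
    'default.xml',        // legitimate
    'evil.xml.php',       // second extension: interpreted by PHP if served
    'evil.php.xml',       // Apache AddHandler-style setups evaluate every extension
    '../tmp/shell.xml',   // traversal out of the templates directory
    "default.xml\n",      // trailing newline, accepted by a $-anchored pattern
    'default.XML',        // case variant
];
foreach ($candidates as $c) {
    printf("%-20s loose=%-5s strict=%s\n", json_encode($c),
        isValidTemplateNameLoose($c) ? 'true' : 'false',
        isValidTemplateNameStrict($c) ? 'true' : 'false');
}
```

Even with the strict pattern, write the file under basename() of the
validated name into a directory the web server does not serve, so that a
mistake in the expression cannot turn into code execution on its own.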


Patches

The issue is fixed in version 8.0.


Workarounds

None


For more information

If you have any questions or comments about this advisory:

     Open an issue in https://github.com/LDAPAccountManager/lam/issues
     Email us on the lam-public mailing list

Credits
Arseniy Sharoglazov and Andrey Medov

Severity
Moderate

4.7 / 10


CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
High

User interaction
None

Scope
Unchanged

Confidentiality
Low

Integrity
Low

Availability
Low

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CVE ID
CVE-2022-31086

Weaknesses
No CWEs


_____________________________________________________________________


Unauthenticated LDAP Injection
Moderate
gruberroland published GHSA-wxf8-9x99-6gp4


Package
ldap-account-manager (none)

Affected versions
< 8.0

Patched versions
8.0


Description

Impact

The user name field of the login form is inserted into an LDAP search
filter without escaping and can be used to enumerate LDAP data. This
only applies when admin access is configured as "LDAP search", not
when admins are given as a fixed list.
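The following PHP script is an added illustration of the bug class, not
LAM's login code: the filter shape, the attribute names and the probe
inputs are constructed for the demo. It contrasts a filter built from the
raw user name with one built from an RFC 4515-escaped value; ldap_escape()
from ext/ldap is used when the extension is loaded, otherwise a small
local equivalent, so the script runs without an LDAP server.

```php
<?php
declare(strict_types=1);

// RFC 4515 escaping of the characters that are special inside a filter
// value. ldap_escape($v, '', LDAP_ESCAPE_FILTER) does the same; this local
// version keeps the example runnable without ext/ldap loaded.
function escapeFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

// Vulnerable: the raw user name is interpolated into the search filter.
function loginFilterVulnerable(string $userName): string
{
    return "(&(objectClass=inetOrgPerson)(uid=$userName))";
}

// Hardened: escape the value first.
function loginFilterHardened(string $userName): string
{
    $safe = function_exists('ldap_escape')
        ? ldap_escape($userName, '', LDAP_ESCAPE_FILTER)
        : escapeFilterValue($userName);
    return "(&(objectClass=inetOrgPerson)(uid=$safe))";
}

// Constructed probes: a normal name, a wildcard that matches every uid
// starting with "a", and a break-out that closes the uid clause and adds
// an always-true term, turning the login lookup into a full enumeration:
//   (&(objectClass=inetOrgPerson)(uid=*)(objectClass=*))
$probes = ['alice', 'a*', '*)(objectClass=*'];
foreach ($probes as $p) {
    printf("input: %s\n  vulnerable: %s\n  hardened:   %s\n",
        $p, loginFilterVulnerable($p), loginFilterHardened($p));
}
```

With escaping, the third probe becomes the literal value
\2a\29\28objectClass=\2a and matches no uid. The advisory's workaround,
a fixed admin list, avoids building a search filter from the login field
altogether.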


Patches

The issue is fixed in version 8.0.


Workarounds

Configure admin access as a fixed list of accounts instead of
LDAP search.


For more information

If you have any questions or comments about this advisory:

     Open an issue in https://github.com/LDAPAccountManager/lam/issues
     Email us on the lam-public mailing list


Credits
Arseniy Sharoglazov

Severity
Moderate

6.5 / 10


CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
None

User interaction
None

Scope
Unchanged

Confidentiality
Low

Integrity
None

Availability
Low

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CVE ID
CVE-2022-31088

Weaknesses
No CWEs


_____________________________________________________________________


Reflected XSS (Internet Explorer only)
Low
gruberroland published GHSA-6m3q-5c84-6h6j


Package
ldap-account-manager (none)

Affected versions
< 8.0

Patched versions
8.0


Description

Impact

On Internet Explorer a reflected XSS is possible. This is mitigated by
the fact that LAM no longer supports IE, and IE itself is no longer
supported by its vendor.


Patches

The issue is fixed in version 8.0.


Workarounds

Use a current, vendor-supported browser.


For more information

If you have any questions or comments about this advisory:

     Open an issue in https://github.com/LDAPAccountManager/lam/issues
     Email us on the lam-public mailing list


Credits
Arseniy Sharoglazov

Severity
Low

CVE ID
CVE-2022-31085

Weaknesses
No CWEs



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


