
User credentials are logged and emailed in plain text if an exception is raised during login #2880

Closed
ben-kuhn opened this issue Feb 12, 2019 · 2 comments
Labels
status: accepted This issue has been accepted for implementation type: bug A confirmed report of unexpected behavior in the application

Comments

ben-kuhn commented Feb 12, 2019

When LDAP is misconfigured, the stack trace sent to syslog and via email to the configured admins contains the user's password in plain text. This is an information disclosure vulnerability, as users of the syslog system, email administrators, and anyone configured as a NetBox admin receives a plain-text copy of a user's password if LDAP authentication fails.

If a NetBox server was compromised in some other way, the attacker could use this to gather credentials, pivot, potentially escalate privileges, and move throughout the network.

If this were to happen accidentally, the user logging in and seeing the login failure may not know that their password was exposed to users with access to the NetBox system, email system, email archive, or syslog servers and not realize that their password would need to be changed.

Here is an obfuscated snippet from the email I received when encountering this bug:

Exception Type: ImproperlyConfigured at /login/
Exception Value: AUTH_LDAP_USER_SEARCH must be an LDAPSearch instance.
Request information:
USER: AnonymousUser

GET: No GET data

POST:
csrfmiddlewaretoken = 'token'
next = '/'
username = 'myUserName'
password = 'myPasswordInPlainText'

FILES: No FILES data

COOKIES:
csrftoken = 'token'

Environment

  • Python version: 3.6.7
  • NetBox version: 2.5.5

Steps to Reproduce

  1. Install NetBox from git
  2. Configure Admins and Mail settings
  3. Configure Logging
  4. Configure LDAP, but make a mistake somewhere so that authentication will not work
  5. Attempt to log in. Don't use a real password if this is a production environment

Expected Behavior

Errors to be logged and potentially emailed with passwords hashed, obfuscated, or not included at all

Actual Behavior

My LDAP password was emailed in plain text as part of the stack trace to the entire team, as well as logged in the log file locally and on the remote syslog server

jeremystretch (Member) commented

NetBox employs the django-auth-ldap library for LDAP authentication. Please raise this issue with that project.

ben-kuhn (Author) commented

I opened an issue upstream for this. Issue 114. Jon reports this is an implementation issue and has provided documentation on how to avoid this problem.
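Added example, not code from NetBox or django-auth-ldap: Django's documented remedy for this class of leak is to decorate the login view with sensitive_post_parameters('password') so its error reporter masks that field before the report is logged or mailed. The stdlib-only filter below applies the same masking to a report that has already been rendered in the layout quoted in the issue, so it runs without Django; the sample report is constructed from the obfuscated snippet above.

```python
import logging
import re

# Added example, not NetBox or django-auth-ldap code. Django's own remedy is the
# sensitive_post_parameters view decorator, which masks the named POST fields in its
# error reports; this stdlib-only filter applies the same idea to an already-rendered
# report so it can run offline.
SENSITIVE_POST_FIELDS = ("password",)
MASK = "********************"

_SECTION_RE = re.compile(r"^(?P<name>[A-Z]+):")                   # "POST:", "COOKIES:", ...
_FIELD_RE = re.compile(r"^(?P<lead>\s*(?P<name>\w+)\s*=\s*).*$")  # "password = '...'"


def scrub_report(report: str, sensitive=SENSITIVE_POST_FIELDS) -> str:
    """Mask sensitive field values inside the POST: section of a Django-style
    error report; other sections (COOKIES:, GET:, ...) are left as they are."""
    out, section = [], None
    for line in report.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name")
        elif section == "POST":
            f = _FIELD_RE.match(line)
            if f and f.group("name") in sensitive:
                line = f.group("lead") + repr(MASK)
        out.append(line)
    return "\n".join(out)


class ScrubPostDataFilter(logging.Filter):
    """Attach to the logger so file, syslog and mail_admins handlers all receive
    the scrubbed text rather than the raw report."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = scrub_report(record.getMessage()), ()
        return True


# Constructed sample, modelled on the obfuscated report quoted in the issue.
SAMPLE_REPORT = """\
Exception Value: AUTH_LDAP_USER_SEARCH must be an LDAPSearch instance.
POST:
csrfmiddlewaretoken = 'token'
username = 'myUserName'
password = 'myPasswordInPlainText'

COOKIES:
csrftoken = 'token'
"""
```

Masking only the POST section keeps the rest of the report useful for debugging while removing the one value an admin should never see.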

@jeremystretch jeremystretch reopened this Feb 13, 2019
@jeremystretch jeremystretch added type: bug A confirmed report of unexpected behavior in the application status: accepted This issue has been accepted for implementation labels Feb 13, 2019
@jeremystretch jeremystretch changed the title User Credentials are logged and emailed in plain text if LDAP is misconfigured User Credentials are logged and emailed in plain text if an exception is raised during login Feb 13, 2019
@jeremystretch jeremystretch changed the title User Credentials are logged and emailed in plain text if an exception is raised during login User credentials are logged and emailed in plain text if an exception is raised during login Feb 13, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jan 16, 2020