Pierluigi Paganini November 10, 2018

Nginx developers released security updates to address several denial-of-service (DoS) vulnerabilities affecting the nginx web server.

nginx is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, it is used by 25.28% busiest sites in October 2018.

Nginx development team released versions 1.15.6 and 1.14.1 to address two HTTP/2 implementation vulnerabilities that can cause a DoS condition in Nginx versions 1.9.5 through 1.15.5.

Two security flaws affecting the nginx HTTP/2 implementation, tracked as CVE-2018-16843 and CVE-2018-16844, might respectively cause excessive memory consumption and CPU usage,

The  CVE-2018-16844 flaw was discovered by Gal Goldshtein from F5 Networks.

“Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).” wrote nginx core developer Maxim Dounin.

“The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the “http2” option of the “listen” directive is used in a configuration file.” 

At the time of writing, querying the Shodan search engine it is possible to find more than 1 million servers running unpatched nginx versions.

nginx team also fixed a flaw affecting the ngx_http_mp4_module module (CVE-2018-16845) that could be exploited by an attacker to cause the worker process to crash or leak memory by getting the module to process a specially crafted MP4 file.

“nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file.” reads the security advisory published by NVD.

“The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.

The CVE-2018-16845 flaw affects nginx 1.1.3 and later and 1.0.7 and later, nginx team fixed it with the release of versions 1.15.6 and 1.14.1.

Pierluigi Paganini

(Security Affairs – hacking, Nginx server)

[adrotate banner=”5″]

[adrotate banner=”13″]