The hacker group BlueHornet has announced that it has a working exploit for a critical vulnerability in Nginx 1.18. The Nginx developers confirmed that the problem the hackers wrote about exists and told how to deal with it.
Messages about a certain 0-day vulnerability in Nginx appeared on BlueHornet’s Twitter (currently hidden from prying eyes) over the weekend. The hackers wrote that “several companies and corporations” suffered from the exploit during testing. In a conversation with an information security researcher, the hackers said that the exploit consists of two parts, and it all starts with an LDAP injection.
Soon, BlueHornet representatives said that they would share information about the issue with the Nginx security team through HackerOne or through an internal platform. The group later created a GitHub page where they explained in detail how the issue was discovered and how it works.
As a result, members of BlueHornet argued that any default Nginx configurations were vulnerable, and recommended that users disable certain features for protection. The group also criticized the Nginx developers for not responding to their messages.
As the developers that published the BlueHornet claim, only the reference implementations may be affected by the issue, but it does not affect Nginx Open Source and Nginx Plus, meaning that no action is required from users if it is not the reference implementation.
However, even reference implementations can be vulnerable only under certain conditions, including using the command line to configure the Python daemon, using a number of optional parameters, and cases where LDAP authentication depends on group membership.
In the blog, the developers analysed each such case separately and explained how to mitigate the impact of the problem.
Let me remind you that we also talked about the fact that Apache patches a 0-day vulnerability already exploited by hackers, and also that Researchers discovered two vulnerabilities in GoAhead web server, one of which is critical.
