Nginx Developers Confirmed Hackers’ Information About a Critical Vulnerability in a Web Server

Critical vulnerability in Nginx
Written by Emma Davis

The hacker group BlueHornet has announced that it has a working exploit for a critical vulnerability in Nginx 1.18. The Nginx developers confirmed that the problem the hackers wrote about exists and told how to deal with it.

Messages about a certain 0-day vulnerability in Nginx appeared on BlueHornet’s Twitter (currently hidden from prying eyes) over the weekend. The hackers wrote that “several companies and corporations” suffered from the exploit during testing. In a conversation with an information security researcher, the hackers said that the exploit consists of two parts, and it all starts with an LDAP injection.

Critical vulnerability in Nginx

Soon, BlueHornet representatives said that they would share information about the issue with the Nginx security team through HackerOne or through an internal platform. The group later created a GitHub page where they explained in detail how the issue was discovered and how it works.

This exploit was provided to us by our sister group BrazenEagle, which has been developing it for several weeks, or at least since the Spring4Shell [vulnerability] appeared. At first, we were confused, because LDAP does not interact much with Nginx, but along with Nginx, the ldap-auth daemon is used. It is mainly used to access private instances of GitHub, Bitbucket, Jekins and GitLab. As research continued, [it became clear that] the module related to the LDAP-auth daemon in nginx would be heavily affected [by the vulnerability]. Everything related to optional LDAP logins, too, including Atlassian accounts.wrote BlueHornet.

As a result, members of BlueHornet argued that any default Nginx configurations were vulnerable, and recommended that users disable certain features for protection. The group also criticized the Nginx developers for not responding to their messages.

As the developers that published the BlueHornet claim, only the reference implementations may be affected by the issue, but it does not affect Nginx Open Source and Nginx Plus, meaning that no action is required from users if it is not the reference implementation.

However, even reference implementations can be vulnerable only under certain conditions, including using the command line to configure the Python daemon, using a number of optional parameters, and cases where LDAP authentication depends on group membership.

In the blog, the developers analysed each such case separately and explained how to mitigate the impact of the problem.

Let me remind you that we also talked about the fact that Apache patches a 0-day vulnerability already exploited by hackers, and also that Researchers discovered two vulnerabilities in GoAhead web server, one of which is critical.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.