Critical Heap Buffer Overflow Found in NGINX Rewrite Module Affects All Versions

An 18-year-old heap buffer overflow in NGINX's rewrite module allows unauthenticated remote code execution through crafted HTTP requests.

CSBadmin

Vulnerability and Technical Details

Security researchers have uncovered a severe heap buffer overflow vulnerability in the NGINX rewrite module that remained undiscovered for 18 years. The flaw, named NGINX Rift, resides in the ngx_http_rewrite_module and can be triggered when an attacker sends specially crafted HTTP requests. The issue occurs when a rewrite directive that uses unnamed PCRE captures together with a replacement string containing a question mark is followed by specific other directives. This can cause a heap buffer overflow in the NGINX worker process, potentially leading to a denial of service or, on systems without ASLR protection, remote code execution.
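To triage existing configurations while patches are rolled out, the following added script (not code from the researchers, F5 or The Hacker News) flags rewrite directives whose regex contains an unnamed PCRE capture and whose replacement string contains a question mark. It is a heuristic assumption built only on the pattern described above: it does not know which following directives are required and does not judge exploitability, so flagged lines are candidates for review, not confirmed weaknesses.

```python
"""Heuristic triage of NGINX configs for 'rewrite' directives that match the
described pattern: unnamed PCRE capture in the regex plus a '?' in the
replacement. Assumption: this flags review candidates, not exploitability."""
import re
import shlex

# '(' that is not escaped and not followed by '?' opens an unnamed capture;
# '(?<name>...', '(?P<name>...', '(?:...' and lookarounds are excluded.
UNNAMED_CAPTURE = re.compile(r"(?<!\\)\((?!\?)")


def _unquote(tok: str) -> str:
    """Strip one layer of matching single or double quotes from a token."""
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"":
        return tok[1:-1]
    return tok


def find_risky_rewrites(config_text: str) -> list[dict]:
    """Return one finding per 'rewrite' directive whose regex has an unnamed
    capture group and whose replacement contains '?'."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] != "rewrite":
            continue  # comment, blank, or a different directive (e.g. rewrite_log)
        # posix=False keeps backslashes so the PCRE text is not altered.
        tokens = shlex.split(line.rstrip(";"), posix=False)
        if len(tokens) < 3:
            continue  # malformed rewrite; nothing to analyse
        regex, replacement = _unquote(tokens[1]), _unquote(tokens[2])
        if UNNAMED_CAPTURE.search(regex) and "?" in replacement:
            findings.append({
                "line": lineno, "regex": regex, "replacement": replacement,
                "numbered_refs": sorted(set(re.findall(r"\$\d", replacement))),
            })
    return findings


# Constructed sample config: only lines 4 and 12 match the pattern.
SAMPLE_CONFIG = """\
server {
    listen 80;
    # unnamed capture and '?' in replacement: candidate
    rewrite ^/old/(.*)$ /new?path=$1 last;
    # named capture only: not a candidate
    rewrite ^/user/(?<name>[a-z]+)$ /profile?user=$name permanent;
    # unnamed capture but no '?' in the replacement: not a candidate
    rewrite ^/img/(.*)$ /static/$1 break;
    # non-capturing group: not a candidate
    rewrite ^/(?:a|b)/x$ /y?z=1 last;
    rewrite_log on;
    rewrite "^/q/(\\d+)$" "/r?id=$1" redirect;
}
"""

if __name__ == "__main__":
    for f in find_risky_rewrites(SAMPLE_CONFIG):
        print(f"line {f['line']}: rewrite {f['regex']} -> {f['replacement']}")
```

Run it against each nginx.conf and included site files; a clean result does not remove the need to upgrade.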

The vulnerability has received a CVSS v4 score of 9.2, indicating its critical severity. What makes this particularly dangerous is that it requires no authentication to exploit, meaning any remote attacker could potentially compromise affected systems. Researchers from depthfirst discovered the bug and responsibly disclosed it to F5, the maintainer of NGINX Plus.

Impact and Scope

The flaw affects a wide range of NGINX products, including NGINX Plus, NGINX Open Source, NGINX Instance Manager, F5 WAF for NGINX, and NGINX App Protect WAF. All versions from the early days of NGINX through the latest releases are impacted. F5 has released patches in NGINX Open Source versions 1.30.1 and 1.31.0, as well as updates for NGINX Plus. Older versions 0.6.27 through 0.9.7 will not receive fixes. Users are strongly advised to update their installations immediately to prevent potential exploitation of this long-standing vulnerability.

Source: The Hacker News
