Is there a 0day in NGINX? F5 investigates claims, finds LDAP issues
NGINX owner F5 says it is investigating hacktivist group's claims...
UPDATED April 12 9:30AM GMT.
"Any headline that ends in a question mark can be answered by the word no" says Betteridge's Law. Security professionals may well hope that is the case after a hacktivist group claimed that they had exploited a 0day or previously unknown security flaw in NGINX -- a web server used by a third of the world's websites.
US company F5 bought NGINX in 2019. Contacted by The Stack for comment, as speculation about the reported NGINX vulnerability circulated, a spokeperson told us: "We are aware of reports of an issue with NGINX Web Server. We have prioritized investigating the matter and will provide more information as quickly as we can.
UPDATED: NGINX early Tuesday confirmed security vulnerabilities in the NGINX LDAP reference implementation. This uses LDAP to authenticate users of applications being proxied by NGINX. It is published as a Python daemon. NGINX noted in its advisory that it is "published as a reference implementation... [and is] not a production‑grade LDAP solution. For example, there is no encryption of the username and password used for the sample login page, and security notices call this out." Nonetheless this non-default, sample configuration intended for illustrative purposes was seemingly being deployed by a subset of users and can be attacked under three different circumstances.
Hardly the horror that some had feared. NGINX's advisory with details, mitigation is here.
Follow us on LinkedIn > here <
A hacktivist group called "Against the West" has been posting claims about the supposed NGINX 0day to a GitHub repository since April 9. The vulnerability appears, potentially, to be related to how NGINX interacts with LDAP directory services -- in shades of Log4Shell and its abuse of malicious LDAP servers. (NGINX itself is written in C and does not use Java or any Java‑based libraries so was unaffected by the Log4j vulnerabilities...)
There is no public exploit circulating that we have seen and we await more detail from F5. A member of the group Tweeting as @_Blue_hornet told The Stack that they had made multiple attempts to reach NGINX in recent days, finally confirming receipt of a DM shortly after 16:30 GMT April 11 -- after we published. They added of the bug: "It's not an RCE. If any NGINX instance doesn't talk to LDAP, then it's useless. Same if you setup a WAF."
Against the West, which has focussed on targeting Russian and Chinese organisations, has previously leaked data from the Chinese Communist Party, People's Bank of China, Alibaba Cloud, as well as power station blueprints and schematics. The group also claims to be exploring a previously unknown vulnerability in MongoDB.
Again, we could not confirm that in any meaningful way.
"Against the West" said: "The module relating to the LDAP-auth daemon within nginx is affected greatly. ;) Anything that involves LDAP optional logins works as well. This includes Atlassian accounts. Just working out if we can bypass some common WAFs. Default nginx configs seem to be the vulnerable type, or common configs.
They added in the GitHub ReadMe: "We highly recommend disabling the ldapDaemon.enabled
property. If you plan on setting it up, be sure to change the ldapDaemon.ldapConfig
properties flag with the correct information and don't leave it on default. This can be changed until Nginx (fucking) respond to their emails and DMs."
More to follow as soon as we hear from F5/get details from the group in question.
Igor Sysoev -- the author of NGINX and co‑founder of NGINX, Inc. – quit NGINX and F5 in January 2022 (presumably after an earn-out period ended following the 2019 sale of the open source company) "in order to spend more time with his friends and family and to pursue personal projects" according to an NGINX blog.
The former systems administrator started development of NGINX in 2002 envisioning "a better way to handle web traffic, a novel architecture that would allow high‑traffic sites to better handle tens of thousands of concurrent connections and cache rich content such as photos or videos that was slowing down page loads".
NGINX powers nearly over a fifth of the world's million busiest websites and hundreds of millions more.