In recent years, the Nginx web server has seen tremendous growth in popularity, largely due to its high performance and flexible configuration options. One such option is the Nginx JavaScript (NJS) module, which allows for the execution of JavaScript code within the Nginx environment. A vulnerability in NJS was recently reported under CVE-2022-43285 that could cause a segmentation violation in njs_promise_reaction_job. In this post, we will explore the details of this vulnerability, while also addressing the vendor's dispute over its significance.

Vulnerability Details

The vulnerability was discovered in Nginx NJS v.7.4 and is caused by a segmentation violation in the njs_promise_reaction_job() function. This issue could potentially allow arbitrary code execution within the context of the Nginx process, which may lead to system compromise or denial of service.

For those curious about the code responsible, here’s the relevant snippet from the NJS source code

void
njs_promise_reaction_job(njs_vm_t *vm, njs_value_t *value, void *data)
{
    njs_int_t               ret;
    njs_value_t             *args, result;
    njs_promise_callback_t  *callback_data;

    callback_data = (njs_promise_callback_t *) data;

    // Issue occurs here when retrieving the argument values.
    args = &njs_vm_retval(vm);

    ...
}

Analysis of the Vulnerability

A critical aspect of this vulnerability is that, according to the vendor, NJS does not operate on untrusted input. However, it is not uncommon for web applications that process user-generated data to inadvertently introduce vulnerabilities by not properly validating or sanitizing input.

In this case, the argument values retrieved by the njs_promise_reaction_job() function are not checked, which could lead to the segmentation violation. It should be noted that while the function itself does not process untrusted input directly, there remains the risk of exploitation if an attacker can somehow control the function's inputs.

Exploit Details

The public disclosure for CVE-2022-43285, available in the National Vulnerability Database (NVD) [https://nvd.nist.gov/vuln/detail/CVE-2022-43285], provides additional details on the proof-of-concept exploit. The exploit requires an attacker to have a specific level of access to the vulnerable Nginx server; to inject and execute their malicious payload.

// An example of exploiting the vulnerability:
var p = new Promise(function(resolve, reject) {
    // Attacker-controlled data
    resolve("malicious_data");
});

p.then(function(data) {
    // Trigger the vulnerability
    njs_promise_reaction_job();
});

However, the actual exploitation of this vulnerability may be quite challenging considering the vendor's claim that NJS does not operate on untrusted input. Attackers would need to identify a vulnerable web application that enables them to inject malicious code into the NJS environment.

Vendor Dispute

The significance of CVE-2022-43285 has been disputed by the Nginx vendor, stating that NJS does not operate on untrusted input in typical use. While this is an important consideration, developers should remain cautious and apply proper input validation and sanitization measures when integrating NJS into their applications, to mitigate the risk of this vulnerability being exploited.

Conclusion

CVE-2022-43285 presents an interesting case study in the complexities of responsibly disclosing and addressing software vulnerabilities. The inherent security of NJS may depend on how it is used and integrated into a broader application stack, highlighting the importance of developer vigilance when embedding powerful plugin modules like NJS.

While it is unclear whether this specific vulnerability will have a significant real-world impact, the disclosure process serves as a reminder that even widely deployed web-server software like Nginx is not completely immune to security vulnerabilities.

We hope that this overview of CVE-2022-43285 has been informative, and we encourage web application developers to scrutinize their NJS usage to ensure the integrity and security of their applications.

Timeline

Published on: 10/28/2022 21:15:00 UTC
Last modified on: 12/08/2022 18:00:00 UTC