A new vulnerability has been reported in NGINX Plus and NGINX OSS when they are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation. The vulnerability, CVE-2024-34161, may cause NGINX worker processes to leak previously freed memory when they process undisclosed QUIC packets. In this blog post, we discuss the details of this vulnerability, how to determine whether your system is affected, and the steps to mitigate the risk.

Vulnerability Details

When the NGINX HTTP/3 QUIC module processes received QUIC packets, it fails to properly handle undisclosed QUIC packets, which causes the NGINX worker processes to leak previously freed memory. This can cause a Denial of Service (DoS) condition on the affected system, making it unresponsive to legitimate requests.

The Common Vulnerabilities and Exposures (CVE) website has assigned the identifier CVE-2024-34161 to this issue. The original advisory was published by NGINX on its security advisory page: https://www.nginx.com/security-advisories/

Affected Versions

Both NGINX Plus and NGINX OSS are affected by this vulnerability if they use the HTTP/3 QUIC module and run on network infrastructure that supports an MTU of 4096 or greater without fragmentation.

A sample NGINX configuration using the HTTP/3 QUIC module may look like this:

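# HTTP/3 module in NGINX config
http {
    server {
        # "http3" on the listen line enables HTTP/3 over QUIC on UDP port 443.
        # Released nginx 1.25.0+ writes this as "listen 443 quic reuseport;".
        listen 443 ssl http3 reuseport;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;

        http3_max_table_capacity 4096;
        http3_max_blocked_streams 100;

        location / {
            root /path/to/your/website;
            index index.html;
        }
    }
}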

To determine if your system is affected by this vulnerability, you can perform the following steps:

1. Check the NGINX configuration file (nginx.conf) and see if the HTTP/3 QUIC module is in use (look for the "http3" directive). If it's not in use, your system is not affected.

2. Check with your network infrastructure provider to see if your system is on a network that supports an MTU of 4096 or greater without fragmentation.
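The two checks above can be scripted for a first local pass. This is an added example, not part of the original post or of NGINX's tooling, and its function names are hypothetical. It goes slightly beyond the text by also matching the `quic` listen parameter used by released nginx 1.25.0+, and it only reads the host's own interface MTUs on Linux, so the path MTU still has to be confirmed with the network provider.

```shell
#!/bin/sh
# Added example: local triage for the two exposure conditions described above.
# Print each "listen" directive that enables QUIC, reading config text on stdin.
# Matches the "http3" parameter shown on this page and the "quic" parameter
# used by released nginx 1.25.0+. Comments are stripped before matching.
quic_listeners() {
    sed 's/#.*//' | tr ';{}' '\n\n\n' |
        grep -E '^[[:space:]]*listen[[:space:]]' |
        grep -E '[[:space:]](quic|http3)([[:space:]]|$)' |
        sed 's/^[[:space:]]*//'
}

# Print "iface mtu" for each non-loopback interface under $1 (default
# /sys/class/net on Linux) whose MTU is 4096 or greater.
large_mtu_ifaces() {
    for f in "${1:-/sys/class/net}"/*/mtu; do
        [ -r "$f" ] || continue
        name=$(basename "$(dirname "$f")")
        mtu=$(cat "$f")
        if [ "$name" != lo ] && [ "$mtu" -ge 4096 ]; then echo "$name $mtu"; fi
    done
}

# Exit status 0 when both conditions hold locally, 1 otherwise.
# $1: file holding the effective config, $2: sysfs net directory (optional).
cve_2024_34161_exposed() {
    [ -n "$(quic_listeners < "$1")" ] && [ -n "$(large_mtu_ifaces "${2:-}")" ]
}

# Constructed sample configuration (not taken from a real server).
sample_conf() {
cat <<'EOF'
http {
    server {
        listen 443 ssl http3 reuseport;   # syntax shown on this page
        # listen 8443 quic;               (commented out, must be ignored)
        listen 443 ssl;
    }
    server { listen 8443 quic reuseport; http3 on; }
}
EOF
}

# Demo on the constructed sample. On a real host, feed in the effective
# configuration instead: nginx -T 2>/dev/null | quic_listeners
sample_conf | quic_listeners
```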

There are two primary means to mitigate the risk associated with CVE-2024-34161:

1. Disable the HTTP/3 QUIC module: Temporarily disable the HTTP/3 QUIC module in your NGINX configuration. You can modify nginx.conf to remove the "http3" directive. Your system will then operate over HTTP/2 or HTTPS (HTTP over TLS).

2. Limit MTU size: Contact your network infrastructure provider and ask them to limit the MTU size to less than 4096 bytes for your system. This will prevent the network from handling QUIC packets larger than the limit, effectively reducing the chance of triggering the vulnerability.

It is also recommended to patch your NGINX Plus or NGINX OSS software to the latest available version that includes the fix for CVE-2024-34161. Check the NGINX security advisory page for the updated software version and follow the steps provided in the advisory to apply the patch: https://www.nginx.com/security-advisories/

Conclusion

In this blog post, we discussed the critical vulnerability CVE-2024-34161 affecting NGINX Plus and NGINX OSS when using the HTTP/3 QUIC module. We provided details on detecting if your system is affected and steps to mitigate the risk. It is essential to keep your systems up to date with the latest available patches to ensure the security of your system and the protection of your users' information.

Timeline

Published on: 05/29/2024 16:15:10 UTC
Last modified on: 06/10/2024 18:15:34 UTC