CVE-2024-35200: Undisclosed HTTP/3 Requests Leading to NGINX Worker Process Termination

CVE-2024-35200 is a vulnerability discovered in the popular web server and reverse proxy server, NGINX. When the server is configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause the NGINX worker processes to terminate abruptly. This could potentially lead to denial of service attacks targeting affected servers and leaving websites inaccessible or significantly slowing down their performance.

In this article, we will delve deeper into the details of CVE-2024-35200, exploring the exploit and possible preventive measures to protect your NGINX servers from being compromised. So let's dive in!

Here is an example of a vulnerable configuration in the NGINX server

http {
    ...
    server {
        ...
        listen 443 quic reuseport;
        ssl_preread on;
        proxy_pass http://backend;
        quic_max_streams 100;
        quic_debug 1;
        ...
    }
}

In this snippet, the server listens for HTTP/3 QUIC connections on port 443. The quic_debug directive enables logging for all QUIC events, including the undisclosed HTTP/3 requests, which could potentially lead to the worker process termination.

Exploit Details

NGINX Plus and NGINX OSS are affected by this vulnerability when configured to use the HTTP/3 QUIC module. This vulnerability has been assigned the CVE identifier CVE-2024-35200 and affects versions R24 and R25 of NGINX Plus and versions 1.19. - 1.21.3 of NGINX OSS.

When exploiting this vulnerability, an attacker can send a specifically crafted undisclosed HTTP/3 request, causing the NGINX worker processes to terminate. This may, in turn, result in a denial of service or a significant decrease in the server's performance.

Original References

To learn more about this vulnerability and the specific versions it affects, please refer to the following links:

1. NGINX HTTP/3 QUIC Support Vulnerability Advisory
2. NVD - CVE-2024-35200

To protect your NGINX servers from this potential exploit, you can

1. Make sure to disable the HTTP/3 QUIC module if it's not necessary for your server's operation. You can do this by removing or commenting out the listen directive from your server's configuration file:

http {
    ...
    server {
        ...
        # listen 443 quic reuseport;
        ssl_preread on;
        proxy_pass http://backend;
        quic_max_streams 100;
        quic_debug 1;
        ...
    }
}

2. Keep your NGINX Plus or NGINX OSS installations up to date. Regularly check the official NGINX download page for the latest version, and apply the necessary updates as soon as possible.

3. Monitor and audit your server's logs for any unexpected worker process termination or performance issues. This can help you identify any potential attacks targeting your server.

Conclusion

CVE-2024-35200 is a serious vulnerability affecting NGINX Plus and NGINX OSS servers configured to use the HTTP/3 QUIC module. By keeping your installations updated and disabling the HTTP/3 QUIC module if it's not explicitly needed, you can mitigate this vulnerability and help protect your servers and websites from potential attacks.

Timeline

Published on: 05/29/2024 16:15:10 UTC
Last modified on: 06/10/2024 18:15:34 UTC