A critical vulnerability has been discovered in NGINX Open Source and NGINX Plus, which affects the ngx_http_mp4_module. This vulnerability may allow an attacker to over-read NGINX worker memory, resulting in its termination by using a specially crafted mp4 file. This post will provide a detailed overview of CVE-2024-7347, including the affected versions, technical details, exploit, and recommendations on how to protect your systems from this security threat.

Affected Versions

The vulnerability affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. The attack is only possible if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note that software versions that have reached End of Technical Support (EoTS) have not been evaluated.

Technical Details

The vulnerability is located in the ngx_http_mp4_module, which is responsible for processing MP4 files. The issue arises when a specially crafted mp4 file is processed by the affected module. This can lead to an over-read of the NGINX worker memory, causing the worker to terminate.

Here is a simplified code snippet that illustrates the vulnerable pattern:

...
/* the buffer is sized from one value computed by the module ... */
ngx_http_mp4_start = (u_char *) ngx_palloc(ngx_http_mp4_pool, ngx_http_mp4_start_size);
/* ... but the copy length is a separate value derived from the file itself */
ngx_copy(ngx_http_mp4_start, ngx_http_mp4_file_start, ngx_http_mp4_file_startsize);
...

In the code snippet above, the ngx_copy() call copies the mp4 file's content into the buffer allocated by ngx_palloc() (ngx_http_mp4_start). The buffer is sized by ngx_http_mp4_start_size, but the copy length, ngx_http_mp4_file_startsize, comes from the file itself. A crafted mp4 file can make that length exceed the allocated size, so the copy runs past the bytes that are actually available and over-reads worker memory.
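The defensive counterpart of that pattern is to check every size field against the bytes actually present before trusting it. The following is an added example, not nginx code: a bounds-checked walker over the MP4 atom (box) structure that rejects an atom whose declared size is smaller than its own header or larger than what remains in the enclosing region. The sample files at the bottom are constructed in-line; the atom layout (4-byte big-endian size, 4-byte type, optional 64-bit size) is the standard ISO base media format.

```python
"""Bounds-checked MP4 atom walker (added example, not nginx code).

Every MP4 atom starts with a big-endian 32-bit size and a 4-byte type; a size
of 1 means a 64-bit size follows, a size of 0 means "to the end of the parent".
The validator rejects any atom whose declared size does not fit the bytes that
are actually present, which is the mismatch the advisory describes.
"""
import struct

# Containers whose payload is itself a list of atoms; we recurse into these.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"dinf", b"udta"}


def _atom_header(buf, offset, end):
    """Parse one atom header at `offset`; return (type, header_len, body_len)."""
    avail = end - offset
    if avail < 8:
        raise ValueError(f"truncated atom header at offset {offset}: only {avail} bytes left")
    size, atype = struct.unpack_from(">I4s", buf, offset)
    hlen = 8
    if size == 1:                       # 64-bit "largesize" form
        if avail < 16:
            raise ValueError(f"atom {atype!r} at {offset} has a truncated 64-bit size")
        (size,) = struct.unpack_from(">Q", buf, offset + 8)
        hlen = 16
    elif size == 0:                     # atom extends to the end of its parent
        size = avail
    # The two checks that matter: a size smaller than its own header, or larger
    # than what is left in the enclosing region. Either would make a naive
    # parser read past the atom it thinks it is in.
    if size < hlen:
        raise ValueError(f"atom {atype!r} at {offset} declares size {size} smaller than its {hlen}-byte header")
    if size > avail:
        raise ValueError(f"atom {atype!r} at {offset} declares size {size} but only {avail} bytes remain")
    return atype, hlen, size - hlen


def walk_atoms(buf, offset=0, end=None, depth=0):
    """Return [(depth, type, offset, total_size), ...], recursing into containers."""
    if end is None:
        end = len(buf)
    found = []
    while offset < end:
        atype, hlen, blen = _atom_header(buf, offset, end)
        found.append((depth, atype, offset, hlen + blen))
        if atype in CONTAINER_ATOMS:
            found.extend(walk_atoms(buf, offset + hlen, offset + hlen + blen, depth + 1))
        offset += hlen + blen
    return found


def validate_mp4(buf):
    """Return (ok, message). Run this before handing an uploaded file to the mp4 module."""
    try:
        atoms = walk_atoms(buf)
    except ValueError as exc:
        return False, str(exc)
    if not atoms or atoms[0][1] != b"ftyp":
        return False, "file does not start with an ftyp atom"
    if not any(t == b"moov" for _, t, _, _ in atoms):
        return False, "no moov atom found"
    return True, f"{len(atoms)} atoms, all sizes consistent with file length"


def atom(atype, payload=b""):
    """Build a well-formed atom (helper for the constructed samples below)."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


# Constructed samples, not real files: a minimal consistent layout and two
# crafted variants whose moov size field lies about the bytes that follow.
FTYP = atom(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isomiso2")
GOOD = FTYP + atom(b"moov", atom(b"mvhd", b"\x00" * 100)) + atom(b"mdat", b"\x00" * 16)
OVERSIZED = FTYP + struct.pack(">I4s", 4096, b"moov") + atom(b"mvhd", b"\x00" * 100)
UNDERSIZED = FTYP + struct.pack(">I4s", 4, b"moov") + atom(b"mvhd", b"\x00" * 100)

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("oversized", OVERSIZED), ("undersized", UNDERSIZED)):
        print(name, validate_mp4(sample))
```

The walker only checks structural consistency; it does not inspect the contents of mvhd, stsz or other leaf atoms, so it is a cheap first gate for an upload pipeline rather than a substitute for the vendor fix.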

Exploit Details

In order to exploit this vulnerability, an attacker would need to create a specially crafted mp4 file that triggers the vulnerability when processed by the ngx_http_mp4_module. This could be done by manipulating the headers and data within the mp4 file to cause the over-read condition. The attacker would then need a way to have the affected NGINX server process that malicious mp4 file with the ngx_http_mp4_module.

To protect your systems from this vulnerability, follow these recommendations:

1. Upgrade to the latest version of NGINX Open Source or NGINX Plus that has addressed this vulnerability. Check for updates at the official websites for NGINX Open Source and NGINX Plus, and install the latest security patches.

2. If upgrading immediately is not possible and you are not actively using the module, stop exposing the ngx_http_mp4_module by removing every mp4 directive from the NGINX configuration file and then restarting the NGINX service.

3. Implement proper access controls to limit who can upload files to your server, and consider implementing a file-upload validation mechanism to prevent unauthorized users from uploading malicious files.

4. Regularly monitor your server logs for any suspicious activity, such as unusual requests containing mp4 files, or unexpected worker termination events.
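One concrete form of the monitoring in step 4, as an added example that is not part of the original post or of NGINX: parse the stock nginx error-log line that records a worker exiting on a signal, pick out access-log requests for .mp4 URIs, and report which clients requested mp4 files in the minute before each crash. The log lines below are constructed samples in nginx's default error-log and combined access-log formats; the 60-second window and the assumption that error-log timestamps are UTC are choices of this example.

```python
"""Correlate nginx worker crashes with recent mp4 requests (added example, not nginx code).

Parses the stock nginx error-log line "worker process N exited on signal S" and
combined-format access-log lines, then lists which clients requested .mp4 URIs in
the window before each crash. Error-log timestamps carry no zone; UTC is assumed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)"
)


def find_worker_crashes(error_log):
    """Return [{'time', 'pid', 'signal'}] for every worker-exited-on-signal line."""
    crashes = []
    for line in error_log.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
            crashes.append({"time": ts, "pid": int(m["pid"]), "signal": int(m["sig"])})
    return crashes


def find_mp4_requests(access_log):
    """Return [{'time', 'ip', 'uri', 'status', 'bytes'}] for requests whose path ends in .mp4."""
    reqs = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["uri"].split("?", 1)[0]          # drop the query string before testing the suffix
        if not path.lower().endswith(".mp4"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        reqs.append({"time": ts, "ip": m["ip"], "uri": m["uri"],
                     "status": int(m["status"]), "bytes": int(m["bytes"])})
    return reqs


def correlate(crashes, requests, window=timedelta(seconds=60)):
    """For each crash, count mp4 requests per client IP in the `window` before it."""
    findings = []
    for crash in crashes:
        start = crash["time"] - window
        nearby = [r for r in requests if start <= r["time"] <= crash["time"]]
        findings.append({
            "crash_time": crash["time"],
            "signal": crash["signal"],
            "suspects": Counter(r["ip"] for r in nearby),
            "uris": sorted({r["uri"] for r in nearby}),
        })
    return findings


# Constructed sample log lines (not real traffic); formats match nginx defaults.
ERROR_LOG = """\
2024/08/14 15:15:31 [alert] 1234#1234: worker process 5678 exited on signal 11 (core dumped)
2024/08/14 15:15:31 [notice] 1234#1234: start worker process 5690
2024/08/14 15:20:02 [error] 5690#5690: *7 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 10.0.0.9, server: _, request: "GET /favicon.ico HTTP/1.1"
"""
ACCESS_LOG = """\
10.0.0.5 - - [14/Aug/2024:15:15:20 +0000] "GET /video/clip.mp4?start=60 HTTP/1.1" 200 5120 "-" "curl/8.0"
10.0.0.7 - - [14/Aug/2024:15:15:25 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Aug/2024:15:15:30 +0000] "GET /video/upload_1f3a.mp4?start=0.5 HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.9 - - [14/Aug/2024:15:20:01 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in correlate(find_worker_crashes(ERROR_LOG), find_mp4_requests(ACCESS_LOG)):
        print(f"{f['crash_time'].isoformat()} signal {f['signal']}: "
              f"{dict(f['suspects'])} {f['uris']}")
```

A single worker exit on signal 11 is not proof of an attack, so the output is meant to drive triage: which client, which URI, and whether the file at that path is one you uploaded yourself. The same correlation can be pointed at a log shipper or SIEM instead of a local file once the two regexes are in place.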

Conclusion

CVE-2024-7347 is a critical vulnerability in NGINX Open Source and NGINX Plus that may allow an attacker to over-read NGINX worker memory, leading to the termination of the worker. It is vital to keep your software updated and follow the recommended mitigation steps to safeguard your systems from this security threat. For more information on this vulnerability and further guidance, refer to the original references:

- NGINX Security Advisory
- CVE-2024-7347

Timeline

Published on: 08/14/2024 15:15:31 UTC
Last modified on: 08/20/2024 19:25:17 UTC