http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028.

According to its Server response header, the installed version of nginx is greater than or equal to 1.1.4 and prior to 1.2.9, or greater than or equal to 1.3.0 and prior to 1.4.1. It is, therefore, affected by multiple vulnerabilities :

 - A stack-based buffer overflow in 'ngx_http_parse.c' may allow a remote attacker to execute arbitrary code or trigger a denial of service condition via a specially crafted HTTP request. This vulnerability only affects versions greater than or equal to 1.3.9 and less than 1.4.1. (CVE-2013-2028)

 - A memory disclosure vulnerability in 'ngx_http_parse.c' affects servers that use 'proxy_pass' to untrusted upstream servers. This issue can be triggered by a remote attacker via a specially crafted HTTP request. Failed attempts may result in a denial of service condition. (CVE-2013-2070)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This version update for nginx to 1.2.9 includes a security fix and several bugfixes and feature enhancements. (bnc#821184)

*) Security: contents of worker process memory might be sent to a client if HTTP backend returned specially crafted response (CVE-2013-2070); the bug had appeared in 1.1.4.

  - changes with 1.2.8 :

    *) Bugfix: new sessions were not always stored if the     'ssl_session_cache shared' directive was used and there     was no free space in shared memory.

    *) Bugfix: responses might hang if subrequests were used     and a DNS error happened during subrequest processing.

    *) Bugfix: in the ngx_http_mp4_module.

    *) Bugfix: in backend usage accounting.

  - changes with nginx 1.2.7

    *) Change: now if the 'include' directive with mask is     used on Unix systems, included files are sorted in     alphabetical order.

    *) Change: the 'add_header' directive adds headers to     201 responses.

    *) Feature: the 'geo' directive now supports IPv6     addresses in CIDR notation.

    *) Feature: the 'flush' and 'gzip' parameters of the     'access_log' directive.

    *) Feature: variables support in the 'auth_basic'     directive.

    *) Feature: the $pipe, $request_length, $time_iso8601,     and $time_local variables can now be used not only in     the 'log_format' directive.

    *) Feature: IPv6 support in the ngx_http_geoip_module.

    *) Bugfix: nginx could not be built with the     ngx_http_perl_module in some cases.

    *) Bugfix: a segmentation fault might occur in a worker     process if the ngx_http_xslt_module was used.

    *) Bugfix: nginx could not be built on MacOSX in some     cases.

    *) Bugfix: the 'limit_rate' directive with high rates     might result in truncated responses on 32-bit platforms.

    *) Bugfix: a segmentation fault might occur in a worker     process if the 'if' directive was used.

    *) Bugfix: a '100 Continue' response was issued with     '413 Request Entity Too Large' responses.

    *) Bugfix: the 'image_filter',     'image_filter_jpeg_quality' and 'image_filter_sharpen'     directives might be inherited incorrectly.

    *) Bugfix: 'crypt_r() failed' errors might appear if the     'auth_basic' directive was used on Linux.

    *) Bugfix: in backup servers handling.

    *) Bugfix: proxied HEAD requests might return incorrect     response if the 'gzip' directive was used.

    *) Bugfix: a segmentation fault occurred on start or     during reconfiguration if the 'keepalive' directive was     specified more than once in a single upstream block.

    *) Bugfix: in the 'proxy_method' directive.

    *) Bugfix: a segmentation fault might occur in a worker     process if resolver was used with the poll method.

    *) Bugfix: nginx might hog CPU during SSL handshake with     a backend if the select, poll, or /dev/poll methods were     used.

    *) Bugfix: the '[crit] SSL_write() failed (SSL:)' error.

    *) Bugfix: in the 'fastcgi_keep_conn' directive.

The remote host is affected by the vulnerability described in GLSA-201310-04 (nginx: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in nginx. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could send a specially crafted request, possibly       resulting in execution of arbitrary code with the privileges of the       process, or a Denial of Service condition. Furthermore, a       context-dependent attacker may be able to obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028 .

A buffer overflow has been identified in nginx, a small, powerful, scalable web/proxy server, when processing certain chunked transfer encoding requests if proxy_pass to untrusted upstream HTTP servers is used. An attacker may use this flaw to perform denial of service attacks, disclose worker process memory, or possibly execute arbitrary code.

The oldstable distribution (squeeze) is not affected by this problem.

According to its Server response header, the installed version of nginx is 1.1.4 through 1.2.8, 1.3.x, or 1.4.x prior to 1.4.1.  It is, therefore, affected by multiple vulnerabilities :

  - A stack-based buffer overflow in 'ngx_http_parse.c' may     allow a remote attacker to execute arbitrary code or     trigger a denial of service condition via a specially     crafted HTTP request. This vulnerability only affects     versions greater than or equal to 1.3.9 and less than     1.4.1. (CVE-2013-2028)

  - A memory disclosure vulnerability in 'ngx_http_parse.c'     affects servers that use 'proxy_pass' to untrusted     upstream servers.  This issue can be triggered by a     remote attacker via a specially crafted HTTP request.
    Failed attempts may result in a denial of service     condition. (CVE-2013-2070)

According to its Server response header, the installed version of nginx is 1.1.x, greater than or equal to 1.1.4, or 1.2.x prior to 1.2.9. It is, therefore, affected by a memory disclosure vulnerability in 'ngx_http_proxy_module.c' when 'proxy_pass' to untrusted upstream servers is used. 

By sending a specially crafted request, an attacker may be able to gain access to worker process memory or trigger a denial of service condition.

Update to upstream release 1.2.9 which fixes :

  - CVE-2013-2070 'denial of service or memory disclosure     when using proxy_pass' fix build on platforms without     gperftools Update to upstream release 1.4.0, which     includes support for proxying of WebSocket connections,     OCSP stapling, SPDY module, gunzip filter and more.
    Build with '--with-debug' to enable optional debugging

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Older versions of nginx are affected by the following vulnerabilities:

  - Older versions using proxy_pass can cause denial of service or disclosure of worker process memory. Failed exploit attempts will result in a denial-of-service condition. (CVE-2013-2070)

  - A related vulnerability in nginx versions 1.3.9-1.4.0 is a stack-based buffer-overflow vulnerability, due to an error in the 'ngx_http_parse.c' source file. Specifically, this issue occurs in a worker process when handling a specially crafted request. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application (CVE-2013-2028).

The nginx project reports :

A stack-based buffer overflow might occur in a worker process process while handling a specially crafted request, potentially resulting in arbitrary code execution. [CVE-2013-2028]

A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used.

The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server. [CVE-2013-2070]

ID	Name	Product	Family	Severity
98951	Nginx < 1.2.9 ngx_http_proxy_module.c Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
98950	Nginx < 1.4.1 ngx_http_proxy_module.c Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
75025	openSUSE Security Update : nginx (openSUSE-SU-2013:1015-1)	Nessus	SuSE Local Security Checks	medium
70310	GLSA-201310-04 : nginx: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
69748	Amazon Linux AMI : nginx (ALAS-2013-189)	Nessus	Amazon Linux Local Security Checks	medium
67202	Debian DSA-2721-1 : nginx - buffer overflow	Nessus	Debian Local Security Checks	medium
66672	nginx ngx_http_proxy_module.c Multiple Vulnerabilities	Nessus	Web Servers	critical
66671	nginx ngx_http_proxy_module.c Memory Disclosure	Nessus	Web Servers	medium
66577	Fedora 18 : nginx-1.2.9-1.fc18 (2013-8182)	Nessus	Fedora Local Security Checks	medium
6795	nginx < 1.4.1 / 1.5.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
66341	FreeBSD : nginx -- multiple vulnerabilities (efaa4071-b700-11e2-b1b9-f0def16c5c1b)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2013-2070

high

Tenable Plugins

high

high

medium

high

medium

medium

critical

medium

medium

high

high