F5 NGINX
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*
- >= 1.11.4, <= 1.27.3
A vulnerability exists in NGINX when multiple server blocks share the same IP address and port. This issue allows an attacker to bypass client certificate authentication by reusing SSL sessions, specifically when TLS 1.3 is enabled with session resumption features. The vulnerability affects NGINX versions 1.11.4 through 1.27.3, excluding NGINX compiled with LibreSSL or BoringSSL. The problem arises in both the NGINX HTTP and stream modules when the default server block is configured to require client authentication.
Exploitation of this vulnerability can lead to unauthorized access to resources or functionalities that require client certificate authentication, potentially allowing attackers to interact with the server in ways that should be restricted.
To address this vulnerability, NGINX users should upgrade to version 1.26.3 or 1.27.4. For those using NGINX Plus, the same versions apply. Additionally, it's recommended to configure each server block with a unique IP address and port combination or to create a default stub server that does not require client authentication. Authorization checks for client certificate values can also be implemented as an extra layer of security.
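The configuration condition described above can be checked offline. The following Python sketch is an added example, not part of the advisory or of any NGINX tooling: it lists TLS listen sockets shared by more than one `server` block whose default server enables `ssl_verify_client`. Assumptions: the configuration is a single file with no `include` directives and no quoted braces, listen addresses are compared as literal strings, `ssl_verify_client` is read only at `server` level, and any value other than `off` is treated as enabling client authentication.

```python
import re
from collections import defaultdict

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """
http {
  server { listen 443 ssl default_server; server_name mtls.example.test;
           ssl_verify_client on; location / { return 200; } }
  server { listen 443 ssl; server_name public.example.test; }
  server { listen 8443 ssl; server_name admin.example.test;
           ssl_verify_client on; }
}
"""

def server_blocks(conf):
    """Yield {'listen': [...], 'verify': str} for each `server { }` block."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    depth, start, stmt, cur = 0, None, [], None
    for tok in tokens:
        if tok == "{":
            depth += 1
            if stmt == ["server"] and cur is None:  # not `server host;` in upstream
                cur, start = {"listen": [], "verify": "off"}, depth
        elif tok == "}":
            if cur is not None and depth == start:
                yield cur
                cur = None
            depth -= 1
        elif tok == ";" and cur is not None and depth == start and stmt:
            if stmt[0] == "listen":
                cur["listen"].append(stmt[1:])
            elif stmt[0] == "ssl_verify_client":
                cur["verify"] = stmt[1]
        if tok in ("{", "}", ";"):
            stmt = []  # a statement or block header just ended
        else:
            stmt.append(tok)

def shared_mtls_sockets(conf):
    """Return shared TLS listen addresses whose default server verifies clients."""
    by_addr = defaultdict(list)
    for srv in server_blocks(conf):
        for addr, *flags in srv["listen"]:
            if "ssl" in flags:
                by_addr[addr].append(("default_server" in flags, srv["verify"]))
    # Default server: the one flagged default_server, else the first declared.
    return sorted(
        addr for addr, srvs in by_addr.items()
        if len(srvs) > 1 and next((s for s in srvs if s[0]), srvs[0])[1] != "off")
```
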