NGINX Open Source and NGINX Plus Buffer Overflow Vulnerability in WebDAV Module

A buffer overflow vulnerability has been identified in the WebDAV module of NGINX Open Source versions 1.0.0 through 1.29.6 and NGINX Plus versions R32 to R36. This vulnerability could allow an attacker to disrupt the NGINX worker process or improperly modify file names outside the designated document root. The issue arises when the DAV module's MOVE or COPY methods are used, along with prefix locations and alias directives. While the vulnerability could lead to unauthorized file name changes, the impact is limited as the NGINX worker process operates with low user privileges and restricted system access.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the NGINX worker process, which must then be restarted. Additionally, it allows for unauthorized modifications of file names accessed by the NGINX worker process, potentially disrupting normal operations.

Remediation

To address this vulnerability, users can update to NGINX Open Source version 1.29.7 or 1.28.3, or NGINX Plus version R36 P3, R35 P2, or R32 P5. For those unable to upgrade, a mitigation strategy involves adding a check in the WebDAV location block to validate the HTTP Destination request header, ensuring it is either empty or begins with the expected location name. After making these changes, NGINX configurations should be tested and then reloaded to apply the updates.