0xJacky nginx-ui
cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*
- < 2.3.3
A vulnerability in Nginx UI prior to version 2.3.3 allows unauthenticated access to the /api/backup endpoint, which discloses encryption keys needed to decrypt the backup. The X-Backup-Security response header contains these keys, enabling an attacker to download a full system backup encrypted with AES-256-CBC and immediately decrypt it. The backup includes sensitive data such as user credentials, session tokens, SSL private keys, and Nginx configurations.
Exploitation of this vulnerability allows for unauthorized access to sensitive data through the downloaded backup, which can be decrypted using the exposed encryption keys. This includes user credentials, session tokens, SSL private keys, and Nginx configuration files.
To reproduce this vulnerability, send a GET request to the /api/backup endpoint without authentication. The response will include the encrypted backup file and the X-Backup-Security header containing the Base64-encoded AES-256 encryption key and initialization vector (IV) needed for decryption. After downloading the backup, the encryption keys can be used to decrypt the files, which are then extracted from the backup archive.
Users should update to Nginx UI version 2.3.3 or later, where this vulnerability has been patched.
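A defender-side check for this issue, added here as an example and not code from the advisory or the Nginx UI project: it scans nginx access logs for successful requests to /api/backup (on an unpatched instance each one is a likely full-backup download worth reviewing) and reports whether a given Nginx UI version falls in the affected range. The log lines and the combined-format regex are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample lines in the default nginx "combined" log format (not from the advisory).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2025:10:01:02 +0000] "GET /api/backup HTTP/1.1" 200 1048576 "-" "curl/8.5.0"
198.51.100.3 - - [12/Oct/2025:10:01:09 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2025:10:01:15 +0000] "GET /api/backup HTTP/1.1" 401 45 "-" "curl/8.5.0"
192.0.2.9 - - [12/Oct/2025:10:02:30 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 2097152 "-" "python-requests/2.31"
"""

# Matches the fixed prefix of a combined-format line: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

FIXED_VERSION = (2, 3, 3)  # first patched release named in the advisory


def parse_version(version: str) -> tuple:
    """Turn '2.3.2' or 'v2.3.2' into a comparable tuple of integers."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def is_affected(version: str) -> bool:
    """True when the installed Nginx UI release is older than 2.3.3."""
    return parse_version(version) < FIXED_VERSION


def find_backup_downloads(log_text: str) -> List[Dict[str, str]]:
    """Return every 2xx request to /api/backup (query string ignored).

    Rejected attempts (401/403) are not reported; only responses that actually
    served a body are of interest, since those carried the encrypted backup and,
    on an unpatched instance, the X-Backup-Security header with the key material.
    """
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        path = match.group("path").split("?", 1)[0]
        if path == "/api/backup" and match.group("status").startswith("2"):
            hits.append({"ip": match.group("ip"), "ts": match.group("ts"),
                         "bytes": match.group("bytes")})
    return hits


if __name__ == "__main__":
    for hit in find_backup_downloads(SAMPLE_LOG):
        print(f"backup served to {hit['ip']} at {hit['ts']} ({hit['bytes']} bytes)")
```

Any hit from a version where is_affected() is true should be treated as a disclosure of the backup contents, so the credentials, session tokens and SSL private keys it held need rotating, not just the upgrade applied.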