NGINX Open Source and NGINX Plus Buffer Over-read/Over-write Vulnerability in ngx_http_mp4_module Allowing Denial-of-Service or Possible Code Execution

Vulnerability

A vulnerability exists in the ngx_http_mp4_module of NGINX Open Source and NGINX Plus. An attacker who can supply a crafted MP4 file can cause a buffer over-read or over-write in NGINX worker process memory, which may terminate the worker process or potentially allow code execution. The vulnerability is reachable only if the MP4 module is compiled in and the mp4 directive is used in the NGINX configuration. Exploitation requires that NGINX process a specially crafted MP4 file with ngx_http_mp4_module.

Impact

Exploitation of this vulnerability disrupts NGINX traffic by terminating the worker process, which then restarts. This causes a temporary denial-of-service condition. Additionally, there is a possibility of unauthorized code execution.

Remediation

To address this vulnerability, update to NGINX Open Source version 1.29.7 or 1.28.3, or to NGINX Plus version R36 P3, R35 P2, or R32 P5. If an immediate update is not possible, disable the MP4 module in the NGINX configuration by commenting out the mp4 directives, then reload NGINX so that the new configuration takes effect.
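As an added example, not from the advisory or from NGINX itself, the interim mitigation above can be applied and verified with a small POSIX shell script: it lists active `mp4` directives in a configuration tree, comments them out (keeping a backup of each edited file), and validates and reloads NGINX only if the edited configuration parses. The sample configuration it creates is constructed for the demo; the `nginx -V` / `nginx -t` / `nginx -s reload` invocations are standard NGINX commands.

```shell
#!/bin/sh
# Added example (not from the advisory or from NGINX): audit a config tree for
# active `mp4` directives and comment them out as the interim mitigation.
set -eu

# An uncommented `mp4;` that is the only statement on its line (optionally
# followed by a comment). A `{ mp4; }` written inline must be handled by hand.
MP4_RE='^[[:space:]]*mp4[[:space:]]*;[[:space:]]*(#.*)?$'

# Is the mp4 module compiled into the installed binary at all?
mp4_module_built_in() {
  nginx -V 2>&1 | grep -q -- '--with-http_mp4_module'
}

# Print "file:line:text" for every active `mp4` directive under $1.
find_active_mp4() {
  grep -rnE "$MP4_RE" --include='*.conf' "$1" || true
}

# Comment out every active `mp4` directive under $1, keeping a .bak copy of
# each edited file, and print how many lines were changed. Only `mp4;` itself
# is touched: mp4_buffer_size and friends are inert once processing is off.
disable_mp4() {
  changed=0
  for f in $(grep -rlE "$MP4_RE" --include='*.conf' "$1" || true); do
    n=$(grep -cE "$MP4_RE" "$f")
    sed -i.bak -E 's/^([[:space:]]*)(mp4[[:space:]]*;[[:space:]]*(#.*)?)$/\1# \2  # disabled pending NGINX upgrade/' "$f"
    changed=$((changed + n))
  done
  echo "$changed"
}

# Validate the edited configuration and reload only if it parses cleanly.
reload_nginx() {
  nginx -t && nginx -s reload
}

# Stand-alone demo on a constructed config tree (never touches a real one).
demo() {
  d=$(mktemp -d); mkdir -p "$d/conf.d"
  printf 'http {\n  include conf.d/*.conf;\n}\n' > "$d/nginx.conf"
  printf 'server {\n  location /video/ {\n    mp4;  # streaming\n    mp4_buffer_size 1m;\n  }\n  # mp4;  already off\n}\n' > "$d/conf.d/media.conf"
  echo "before:"; find_active_mp4 "$d"
  echo "changed: $(disable_mp4 "$d")"        # changed: 1
  echo "after:";  find_active_mp4 "$d"       # nothing left active
  if command -v nginx >/dev/null && mp4_module_built_in; then echo "installed binary has the mp4 module"; fi
  echo "edited tree left in $d for inspection (.bak files hold the originals)"
}
demo
```

On a real host, run `find_active_mp4 /etc/nginx`, then `disable_mp4 /etc/nginx` followed by `reload_nginx`; the `.bak` files make it easy to restore the directives once the patched release is installed.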

Added: Mar 24, 2026, 3:29 PM
Updated: Mar 24, 2026, 3:29 PM

Vulnerability Rating

Custom Algorithm
spread: 9.4
impact: 10.0
exploitability: 6.8
remediation: 7.9
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.