Nginx UI Race Condition Vulnerability Leading to Configuration Corruption and Denial-of-Service

Vulnerability

A race condition vulnerability has been identified in Nginx UI versions prior to 2.3.4. The issue arises from a lack of synchronization mechanisms and non-atomic file writes, allowing concurrent requests to severely corrupt the primary configuration file, 'app.ini'. This corruption causes a persistent denial-of-service condition and creates a non-deterministic path for remote code execution through configuration cross-contamination.

Impact

Exploitation of this vulnerability leads to permanent corruption of application settings and system-level configuration, causing a persistent denial-of-service that cannot be recovered via the web UI. Additionally, there is a risk of remote code execution, as certain fields in the configuration can be manipulated to execute arbitrary commands.

Reproduction

To reproduce this vulnerability, log into the Nginx UI dashboard and navigate to the Preferences section. Capture a 'POST /api/settings' request and send it to Burp Suite Intruder. Configure the attack with null payloads or a fuzzing list, set the resource pool to 20-50 concurrent requests, and monitor the 'app.ini' file for corruption. The corrupted file will contain empty lines or incomplete key-value pairs, after which the service either redirects to '/install' or fails entirely.

Remediation

Users are advised to update to Nginx UI version 2.3.4, where this vulnerability has been patched.
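The two defects the advisory names are a missing lock around the settings write and a non-atomic write of 'app.ini'. The Go program below is an added example written for this page, not Nginx UI's own code or its patch: it serialises writers with a mutex, writes the rendered INI to a temporary file in the same directory, fsyncs it and renames it over the target so a reader never sees a half-written file, and it includes a validator that flags the corruption symptoms described in the reproduction section (lines that are not a complete key-value pair, a file whose last write was cut short). The '[app]' section name, the 'PageSize' and 'JwtSecret' keys and their values are constructed for the example and are not taken from the real configuration format.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
	"sync"
)

// ConfigStore guards one INI file. Hypothetical type for this example only.
type ConfigStore struct {
	mu   sync.Mutex // serialises writers so two saves cannot interleave
	path string
}

func NewConfigStore(path string) *ConfigStore { return &ConfigStore{path: path} }

// RenderINI produces a deterministic "[app]" section from a settings map.
func RenderINI(settings map[string]string) string {
	keys := make([]string, 0, len(settings))
	for k := range settings {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("[app]\n")
	for _, k := range keys {
		fmt.Fprintf(&b, "%s = %s\n", k, settings[k])
	}
	return b.String()
}

// ValidateINI reports the symptoms the advisory describes: a file whose last
// write was cut short, or a line that is neither a section header, a comment,
// nor a complete "key = value" pair (for example a truncated key).
func ValidateINI(content string) error {
	if content != "" && !strings.HasSuffix(content, "\n") {
		return errors.New("file does not end with a newline: last write was cut short")
	}
	for n, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, ";") || strings.HasPrefix(line, "#") ||
			(strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]")) {
			continue
		}
		key, _, ok := strings.Cut(line, "=")
		if !ok || strings.TrimSpace(key) == "" {
			return fmt.Errorf("line %d: incomplete key-value pair %q", n+1, line)
		}
	}
	return nil
}

// Save validates the rendered config, writes it to a temp file in the same
// directory, fsyncs, then renames it over the target. rename(2) is atomic on
// POSIX filesystems, so readers see either the old file or the new one.
func (s *ConfigStore) Save(settings map[string]string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	content := RenderINI(settings)
	if err := ValidateINI(content); err != nil {
		return fmt.Errorf("refusing to write: %w", err)
	}
	tmp, err := os.CreateTemp(filepath.Dir(s.path), ".app.ini.*.tmp")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err := tmp.WriteString(content); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Sync(); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), s.path)
}

// StressSave issues `writers` concurrent saves against path, mirroring the
// concurrent-request scenario, then re-reads and validates the result.
func StressSave(path string, writers int) error {
	store := NewConfigStore(path)
	errs := make(chan error, writers)
	var wg sync.WaitGroup
	for i := 0; i < writers; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			errs <- store.Save(map[string]string{
				"PageSize":  fmt.Sprint(10 + i),
				"JwtSecret": strings.Repeat("x", 32), // constructed placeholder
			})
		}(i)
	}
	wg.Wait()
	close(errs)
	for err := range errs {
		if err != nil {
			return err
		}
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	return ValidateINI(string(data))
}
```

Running `StressSave("/tmp/app.ini", 50)` exercises the same 20-50 concurrent-writer range as the reproduction steps; with the mutex and rename in place the final file always validates. ValidateINI alone is also useful as a startup or monitoring check on an existing deployment: a non-nil result on 'app.ini' is the signal that the file should be restored from backup rather than letting the service fall back to '/install'.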

Added: Mar 30, 2026, 6:29 PM
Updated: Mar 30, 2026, 6:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 10.0
exploitability: 5.3
remediation: 7.7
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.