“Any headline that ends with a question mark can be answered with the word no,” says Betteridge’s law. Security experts are hoping this is the case after a hacktivist group claimed it had exploited a 0-day or previously unknown vulnerability in NGINX – a web server used by a third of the world’s websites.
US company F5 bought NGINX in 2019. Contacted by The Stack for comment as speculation circulated about the reported NGINX vulnerability, a spokesperson told us: “We are aware of reports of an issue with the NGINX web server. We have given priority to investigating the matter and will provide further information as soon as possible.”
A hacktivist group called Against the West has been posting claims about the alleged NGINX 0-day in a GitHub repository since April 9. The vulnerability appears possibly related to how NGINX interacts with LDAP directory services – along the lines of Log4Shell and its abuse of malicious LDAP servers. (NGINX itself is written in C and does not use Java or Java-based libraries, so it was not affected by the Log4j vulnerabilities…)
There is no public exploit floating around that we have seen and we await further details from F5.
“Against the West” said: “The module related to the LDAP authentication daemon in nginx is severely affected. 😉 Anything that includes optional LDAP logins will also work. This includes Atlassian accounts. I’m just working on whether we can bypass some common WAFs. Default nginx configurations seem to be the vulnerable type or general configurations.”
They added in the GitHub ReadMe: “We strongly recommend the ldapDaemon.enabled property. If you plan to set it up, make sure you change those ldapDaemon.ldapConfig properties flag with the correct information and don’t leave it at default. This can be changed until Nginx (damn it) responds to their emails and DMs.”
The group had not responded to our requests for more details on the apparent bug by the time we published.
More to come as we hear from F5/get details from the group in question.
Igor Sysoev – the author of NGINX and co-founder of NGINX, Inc. – left NGINX and F5 in January 2022 (presumably after an earn-out period following the sale of the open-source company in 2019), “for more time to spend with his friends and family and to pursue personal projects,” according to an NGINX blog.
The former system administrator began developing NGINX in 2002 with the vision of “a better way of handling web traffic, a novel architecture that would enable high-traffic websites to better handle tens of thousands of simultaneous connections, and cache rich content such as photos or videos that was slowing down page loads”.
NGINX powers almost over a fifth of the millions of the world’s busiest websites and hundreds of millions more.