F5 investigating reports of NGINX zero day

Application security giant F5 said it is investigating an alleged zero day vulnerability affecting the NGINX Web Server.

“We are aware of reports of an issue with NGINX Web Server. We have prioritized investigating the matter and will provide more information as quickly as we can,” a spokesperson told The Record on Monday. 


F5 purchased the company behind the popular open-source web server for $670 million in 2019. 

The issue first came to light on Saturday, when a Twitter account connected to a group called “BlueHornet” tweeted about an experimental exploit for NGINX 1.18.

“As we’ve been testing it, a handful of companies and corporations have fallen under it,” the group said. They did not respond to requests for comment, but another researcher shared a conversation they had with the people behind BlueHornet about the issue. 

The group explained that the exploit has two stages and starts with LDAP injection. LDAP stands for Lightweight Directory Access Protocol, and LDAP injection is an attack used against web-based applications that construct LDAP statements from unsanitized user input.

BlueHornet said they would share the issue with the NGINX security team through bug bounty firm HackerOne or their internal platform. 

The group later created a GitHub page where they explained in detail how they discovered the issue and how it works. 

“We had been given this exploit from our sister group, BrazenEagle, who had been developing it for some weeks. Or at least since Spring4Shell came out,” the group said.

“We were initially confused, as LDAP doesn’t interact much with NGINX, however, there is an ldap-auth daemon used alongside NGINX, which allows for this to be used. It primarily is used to gain access to private GitHub, Bitbucket, Jenkins & GitLab instances. As some further analysis is ongoing, the module relating to the LDAP-auth daemon within nginx is affected greatly. 😉 Anything that involves LDAP optional logins works as well. This includes Atlassian accounts.”

They claimed that default NGINX configurations seemed to be vulnerable and they recommended users disable certain features to stay protected. 

The group also criticized NGINX for not responding to their messages. 

On Sunday, the group claimed it tested the zero day on the Royal Bank of Canada but did not explain whether the bank had actually been breached. It later said it breached the systems of the Chinese branch of UBS Securities.

Neither institution responded to requests for comment.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
