Severe vulnerability affects NGINX: website visitors in danger


NGINX, a widely deployed reverse proxy and load balancer, contains a high-severity vulnerability that enables attackers-in-the-middle to inject data into server responses, potentially altering them or causing redirects.

The vulnerability affects both open source and paid versions of NGINX. It has a severity score of 8.2 out of 10.

NGINX is a server that sits in front of the website and determines where visitors’ requests should go. It’s one of the most popular web servers, accounting for 33.8% of all websites, according to W3Techs.


Attackers could exploit this bug to inject fake or malicious content into the traffic sent to website users. However, the exploitation is not trivial and requires the attackers to position themselves in the middle of the network connection between the NGINX proxy server and the actual backend web servers.

“An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server,” reads the security advisory released by F5.


The flaw affects NGINX servers that are configured to forward TLS-encrypted traffic to backend servers.

The NGINX server accepts the attacker's premature plaintext input before the TLS handshake with the backend completes. This brief timing window allows hackers to inject malicious data that NGINX then forwards to website visitors, potentially serving fake content or causing redirects.

This could potentially lead to a complete site takeover, with attackers exploiting legitimate websites to steal credentials, serve malicious ads, distribute malware, and launch additional attacks.

New versions – nginx-1.28.2 stable and nginx-1.29.5 mainline – have been released with a fix, and F5 urges users to upgrade. The company also said it discovered the issue internally.


Another NGINX exploitation campaign is raging

Security researchers from Datadog Security Labs identified another active web traffic hijacking campaign targeting NGINX installations, especially those using management panels like Baota, which are popular in Asia. The threat actors are associated with the recent React2Shell exploitation.

The report doesn’t explain how attackers gain initial access. In later stages, the attack relies on automated shell scripts that inject malicious proxy rules into configuration files.

[Diagram: NGINX exploitation chain]

“The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers,” the researchers warned in the report.

Attackers focus on compromising government and educational websites and redirect their users to gambling and scam sites.
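Both stories above come down to two things a defender can check on an NGINX host: whether the running build carries the fix, and whether the configuration contains proxy rules that nobody authorised. The following Python script is an added example written for this article; it is not code from Cybernews, F5 or the Datadog report. It assumes the fixed versions named above (1.28.2 and 1.29.5) are the only relevant thresholds, that branches older than 1.28 are unpatched and branches newer than 1.29 include the fix, and that `nginx -v` prints its usual "nginx version: nginx/x.y.z" line. The sample configuration and the 203.0.113.10 address are constructed for the example (203.0.113.0/24 is a documentation range), not indicators from the report.

```python
"""Defensive audit helpers for the two NGINX issues described in the article.

Added example, not code from Cybernews, F5 or Datadog. Assumptions are
marked inline.
"""
import re

# Fixed releases named in the article. Assumption: no fix exists for branches
# older than 1.28, and every branch newer than 1.29 already contains it.
FIXED_VERSIONS = {(1, 28): 2, (1, 29): 5}


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from a string such as the output of
    `nginx -v` ("nginx version: nginx/1.28.1")."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(text: str) -> bool:
    """True when the version string names a build that carries the fix."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return patch >= FIXED_VERSIONS[branch]
    # Assumption: newer branches are fixed, older ones are not.
    return branch > max(FIXED_VERSIONS)


# One proxy_pass directive per line, target captured up to the semicolon.
PROXY_PASS = re.compile(r"^\s*proxy_pass\s+(\S+?)\s*;", re.MULTILINE)


def proxy_targets(config: str) -> list:
    """Return every proxy_pass target in a config, ignoring commented-out text."""
    live = "\n".join(line.split("#", 1)[0] for line in config.splitlines())
    return PROXY_PASS.findall(live)


def audit_config(config: str, allowed_upstreams: set) -> dict:
    """Flag proxy_pass targets outside the allowlist (the kind of injected rule
    the hijacking campaign plants) and targets proxied over TLS (the setup the
    response-injection bug affects until the server is upgraded)."""
    targets = proxy_targets(config)
    return {
        "unexpected": [t for t in targets if t not in allowed_upstreams],
        "tls_upstreams": [t for t in targets if t.startswith("https://")],
    }


# Constructed sample: an ordinary site config plus one injected proxy rule.
# 203.0.113.10 is a documentation address, not an indicator from the report.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    server_name www.example.edu;

    location /api/ {
        proxy_pass https://app-backend.internal:8443;
    }
    # proxy_pass http://old-backend.internal;   (commented out, must be ignored)
    location / {
        proxy_pass http://203.0.113.10;
    }
}
"""

# Assumption: the operator maintains this allowlist of legitimate backends.
ALLOWED = {"https://app-backend.internal:8443"}

if __name__ == "__main__":
    print("patched:", is_patched("nginx version: nginx/1.28.1"))
    print(audit_config(SAMPLE_CONFIG, ALLOWED))
```

On a real host, feed `audit_config` the concatenated contents of nginx.conf and everything it includes (the script does not follow `include` directives), and compare the `unexpected` list against change-management records; a target that appears without a matching change is the signal to investigate.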
