[German]Those who use nginx on Windows as a web server, reverse proxy and email proxy may have a problem. Sombody just found out that nginx for Windows in various versions like 1.22.1 has a vulnerability that allows privilege elevation for normal users. The reason is that the used OpenSSL library is loaded from a path that can be manipulated.
Advertising
nginx for Windows with vulnerability
I just became aware on Twitter from a tweet by Will Dormann that nginx for Windows has a vulnerability related to the OpenSSL library that allows privilege escalation.
On the nginx site there is this ticket where someone states that the official Windows builds of nginx contain a vulnerability. Once nginx is started, it tries to load the OpenSSL configuration file from:
C:\MinGW\msys\1.0\home\Administrator\nginx\objs.msvc8\lib\openssl-1.1.1q\openssl\ssl\openssl.cnfUnfortunately, any user with standard privileges can create this path with the folders and write to the file if it exists. An attacker could manipulate openssl.cnf to load an arbitrary OpenSSL engine library on some path.
This can potentially be exploited for privilege escalation by injecting an arbitrary OpenSSL engine library. In many cases, nginx is run either by an administrator or in the context of NT AUTHORITY\SYSTEM, resulting in privilege escalation if malicious code is reloaded from the OpenSSL engine library.
Advertising
The flaw was tested with nginx-1.22.1 (stable) and 1.23.2 (mainline) on Windows 10 21H2. The tester who created the ticket suspects that the bug was first introduced in the legacy build nginx-1.20.2.zip.
What is nginx?
nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was developed by Igor Sysoev and released in 2004. Nginx is free and open source software released under the terms of the BSD license with two clauses. A large portion of web servers use Nginx, often as a load balancer.
I could imagine that nginx for Windows is used as a reverse proxy for Microsoft Exchange to isolate this software from the Internet. At least that's what I've heard on Facebook and within my German blog.
At the moment the whole software industry is waiting for details about a vulnerability in OpenSSL that is classified as critical. OpenSSL is a widely used code library that enables secure communication over the Internet. OpenSSL includes implementations of network protocols and various ciphers. As of Oct. 31, 2022, I addressed the topci within the blog post OpenSSL 3.0.7 with patch for vulnerability on Nov. 1, 2022 announced. But the bug mentioned above has nothing to do with the vulnerability in OpenSSL.
