{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/nginx-ui--2.0.0--2.3.5/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Nginx-UI (\u003e= 2.0.0, \u003c= 2.3.5)"],"_cs_severities":["medium"],"_cs_tags":["nginx-ui","initial-access","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["0xJacky"],"content_html":"\u003cp\u003eThe \u003ccode\u003enginx-ui\u003c/code\u003e application versions 2.0.0 through 2.3.5 are vulnerable to an unauthenticated initial administrator claim. A network attacker can exploit this by sending a POST request to the \u003ccode\u003e/api/install\u003c/code\u003e endpoint during the first-run setup window, before the legitimate administrator has completed setup. This lets the attacker set the admin email, username, and password and take control of the application ahead of the legitimate administrator. The vulnerability exists because the \u003ccode\u003e/api/install\u003c/code\u003e endpoint accepts requests without any authentication while the instance is uninitialized, and the request-encryption flow only protects confidentiality, not authenticity: the RSA public key used to encrypt the request body is itself served to unauthenticated clients, so anyone who can reach the instance can produce a well-formed encrypted request. This can lead to complete compromise of the Nginx-UI instance and the systems it manages.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA fresh \u003ccode\u003enginx-ui\u003c/code\u003e instance is deployed and exposed to the network before its first-run setup has been completed.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated attacker sends a GET request to \u003ccode\u003e/api/install\u003c/code\u003e to verify the instance is still unlocked (\u003ccode\u003e\u0026quot;lock\u0026quot;: false, \u0026quot;timeout\u0026quot;: false\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/api/crypto/public_key\u003c/code\u003e to obtain the server\u0026rsquo;s RSA public key.\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts a JSON payload containing the attacker\u0026rsquo;s desired admin email, username, and password using the obtained public key. The payload is formatted as \u003ccode\u003e{\u0026quot;email\u0026quot;:\u0026quot;attacker@example.com\u0026quot;,\u0026quot;username\u0026quot;:\u0026quot;attacker\u0026quot;,\u0026quot;password\u0026quot;:\u0026quot;Password12345\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker base64-encodes the resulting ciphertext.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/api/install\u003c/code\u003e with the base64-encoded ciphertext in the \u003ccode\u003eencrypted_params\u003c/code\u003e field (e.g., \u003ccode\u003e{\u0026quot;encrypted_params\u0026quot;:\u0026quot;base64_encoded_ciphertext\u0026quot;}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server decrypts the payload and overwrites the initial admin user (ID 1) in the database with the attacker-provided credentials; no secret known only to the deploying operator is required.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in to the \u003ccode\u003enginx-ui\u003c/code\u003e interface with the attacker-controlled username and password, gaining complete control of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to gain complete control over the \u003ccode\u003enginx-ui\u003c/code\u003e application. Since \u003ccode\u003enginx-ui\u003c/code\u003e manages Nginx configurations, certificates, and other host-level settings, this can lead to unauthorized configuration changes, certificate management abuse, backup manipulation, service disruption, and broader operational takeover of the managed environment. Only fresh, uninitialized instances that are reachable over the network during the installation window are exposed; an instance whose setup has already been completed (the endpoint reports it as locked) is not affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a release newer than 2.3.5; the affected range is 2.0.0 through 2.3.5.\u003c/li\u003e\n\u003cli\u003eComplete the first-run setup immediately after deployment, and until it is done keep the instance unreachable from untrusted networks (bind it to a loopback or management interface, or firewall it); the exploitable window closes only when setup is complete.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Nginx-UI Unauthenticated Initial Admin Claim Attempt\u0026rdquo; to your SIEM to identify exploitation attempts based on POST requests to the \u003ccode\u003e/api/install\u003c/code\u003e endpoint. The legitimate administrator\u0026rsquo;s own setup produces exactly one such request, so any POST from a source other than the administrator\u0026rsquo;s host, or any second POST, should be treated as a claim attempt.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/install\u003c/code\u003e and \u003ccode\u003e/api/crypto/public_key\u003c/code\u003e from unusual source IP addresses. The public-key fetch is also part of the normal setup flow, so use it to corroborate a suspicious install request rather than as an indicator on its own.\u003c/li\u003e\n\u003cli\u003eIf an exposed instance shows an \u003ccode\u003e/api/install\u003c/code\u003e claim that the operator did not make, assume the administrator account and everything the instance manages (Nginx configurations, certificates, backups) are compromised, and rebuild the instance rather than only resetting the password.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:22:00Z","date_published":"2024-01-03T17:22:00Z","id":"/briefs/2024-01-nginx-ui-initial-admin-takeover/","summary":"An unauthenticated network attacker can claim the initial administrator account on a fresh Nginx-UI instance during the first-run setup window by exploiting the publicly accessible /api/install endpoint.","title":"Nginx-UI Unauthenticated Initial Admin Claim Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-nginx-ui-initial-admin-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Nginx-UI (\u003e= 2.0.0, \u003c= 2.3.5)","version":"https://jsonfeed.org/version/1.1"}
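The log-based detection the advisory recommends, written out as an added example; it is not code from the advisory, from the Sigma rule it names, or from the Nginx-UI project. It runs over constructed nginx access-log lines (combined format) that replay the attack chain above: an attacker claims the admin account, then the real operator runs setup. A POST to /api/install is flagged when its source lies outside an operator-supplied trusted range or when a claim has already been seen, and each alert records whether the same source fetched /api/crypto/public_key shortly before, which is the sequence in steps 3 and 6. The trusted CIDR, the 120-second lookback, the source addresses and user agents are assumptions; install_window_open interprets the lock/timeout fields quoted in step 2 and assumes both keys are present in the response.

```python
"""Flag initial-admin claims (POST /api/install) in nginx access logs. Stdlib only."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed sample log (nginx "combined" format, not a real capture):
# 203.0.113.77 claims the admin account first, then the operator (10.0.0.5) runs setup.
SAMPLE_LOG = [
    '203.0.113.77 - - [03/Jan/2024:17:19:30 +0000] "GET /api/install HTTP/1.1" 200 31 "-" "python-requests/2.31.0"',
    '203.0.113.77 - - [03/Jan/2024:17:19:31 +0000] "POST /api/crypto/public_key HTTP/1.1" 200 470 "-" "python-requests/2.31.0"',
    '203.0.113.77 - - [03/Jan/2024:17:19:33 +0000] "POST /api/install HTTP/1.1" 200 20 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [03/Jan/2024:17:20:01 +0000] "GET /api/install HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Jan/2024:17:20:02 +0000] "POST /api/crypto/public_key HTTP/1.1" 200 470 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Jan/2024:17:20:05 +0000] "POST /api/install HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Jan/2024:17:20:09 +0000] "GET / HTTP/1.1" 200 1208 "-" "Mozilla/5.0"',
]

# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


@dataclass
class Request:
    src: str
    ts: datetime
    method: str
    path: str
    status: int
    ua: str


@dataclass
class Alert:
    src: str
    ts: datetime
    reasons: List[str]
    key_fetch_preceded: bool  # same source pulled /api/crypto/public_key within the lookback
    user_agent: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0].rstrip("/") or "/"  # normalise query string and trailing slash
    return Request(m["src"], ts, m["method"], path, int(m["status"]), m["ua"])


def _is_trusted(src: str, nets) -> bool:
    try:
        addr = ip_address(src)
    except ValueError:  # "-" or a hostname cannot be matched against a CIDR: treat as untrusted
        return False
    return any(addr in n for n in nets)


def detect_install_claims(lines: Iterable[str], trusted_cidrs: Iterable[str],
                          lookback: timedelta = timedelta(seconds=120)) -> List[Alert]:
    """Return one Alert per suspicious POST /api/install.

    Suspicious means: the source is outside trusted_cidrs, or a claim was already
    seen earlier in the log (the operator's own setup is exactly one POST)."""
    nets = [ip_network(c) for c in trusted_cidrs]
    reqs = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r.ts)
    alerts: List[Alert] = []
    claims = 0
    for i, r in enumerate(reqs):
        if not (r.method == "POST" and r.path == "/api/install"):
            continue
        claims += 1
        reasons = []
        if not _is_trusted(r.src, nets):
            reasons.append("untrusted source")
        if claims > 1:
            reasons.append(f"claim #{claims}: initial admin already claimed")
        if not reasons:
            continue
        # Corroborating context only: the legitimate setup flow fetches the key as well.
        fetched_key = any(
            p.src == r.src and p.path == "/api/crypto/public_key" and r.ts - p.ts <= lookback
            for p in reqs[:i]
        )
        alerts.append(Alert(r.src, r.ts, reasons, fetched_key, r.ua))
    return alerts


def install_window_open(body: str) -> bool:
    """Interpret a GET /api/install response body: a claim is possible only while the
    instance is neither locked nor timed out (assumes both keys are present)."""
    status = json.loads(body)
    return not status.get("lock", True) and not status.get("timeout", True)


if __name__ == "__main__":
    for a in detect_install_claims(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(a.ts.isoformat(), a.src, "; ".join(a.reasons),
              "(public key fetched first)" if a.key_fetch_preceded else "", a.user_agent)
```

Against the sample log this produces two alerts: the attacker's POST (untrusted source, public key fetched two seconds earlier) and the operator's later POST, which is flagged only because it is the second claim on the instance. That second alert is the signal that the account the operator believes they created may already have been taken. Point detect_install_claims at a real access log by passing the file's lines and the CIDR of the administration network.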