{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/nginx-ui/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Nginx-UI"],"_cs_severities":["high"],"_cs_tags":["ssrf","nginx-ui","web-application"],"_cs_type":"advisory","_cs_vendors":["0xJacky"],"content_html":"\u003cp\u003eNginx-UI versions 2.3.4 and earlier contain a Server-Side Request Forgery (SSRF) vulnerability in the cluster node proxy middleware. An authenticated user can exploit it by creating a cluster node whose URL points at an arbitrary internal target, such as a service bound to localhost or a cloud metadata endpoint. The root cause is that the node URL is never validated in \u003ccode\u003einternal/middleware/proxy.go\u003c/code\u003e: any request that names the node is forwarded to that URL unchanged. Successful exploitation lets an attacker bypass network segmentation, read internal resources that should not be reachable, and potentially escalate privileges, especially when chained with other weaknesses such as njs code injection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Nginx-UI web interface.\u003c/li\u003e\n\u003cli\u003eAttacker retrieves the \u003ccode\u003enode_secret\u003c/code\u003e via a \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/settings\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/nodes\u003c/code\u003e to create a new cluster node.\u003c/li\u003e\n\u003cli\u003eThe node definition carries a \u003ccode\u003eurl\u003c/code\u003e parameter pointing at an internal resource (e.g., \u003ccode\u003ehttp://127.0.0.1:51820\u003c/code\u003e or \u003ccode\u003ehttp://169.254.169.254\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker sends an ordinary API request (e.g., \u003ccode\u003eGET /api/settings\u003c/code\u003e) with the \u003ccode\u003eX-Node-ID\u003c/code\u003e header set to the ID of the newly created node.\u003c/li\u003e\n\u003cli\u003eThe proxy middleware (\u003ccode\u003einternal/middleware/proxy.go\u003c/code\u003e) intercepts the request and forwards it to the attacker-chosen URL without checking the destination.\u003c/li\u003e\n\u003cli\u003eThe request is issued from the Nginx-UI server itself and the response is relayed back to the attacker: a textbook SSRF.\u003c/li\u003e\n\u003cli\u003eAttacker reads internal resources or cloud metadata, or triggers internal-only njs endpoints.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation lets an authenticated attacker reach internal services, cloud metadata endpoints, and internal-only njs endpoints. Consequences include theft of cloud IAM credentials from the metadata service, port scanning of internal networks, and, when chained with other vulnerabilities, remote code execution and privilege escalation. Because the requests originate from the Nginx-UI host, firewall rules and network segmentation that only restrict inbound traffic do not block them.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Nginx-UI SSRF via X-Node-ID Header\u003c/code\u003e to flag requests carrying the \u003ccode\u003eX-Node-ID\u003c/code\u003e header; legitimate cluster management uses the same header, so tune the rule against the IDs of known, expected nodes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Nginx-UI Malicious Node Creation\u003c/code\u003e to detect creation of cluster nodes whose URL targets loopback, link-local (including \u003ccode\u003e169.254.169.254\u003c/code\u003e), or private address space.\u003c/li\u003e\n\u003cli\u003eMonitor outbound connections from the Nginx-UI server to internal IPs and cloud metadata endpoints using existing network monitoring tools, and correlate them with \u003ccode\u003e/api/nodes\u003c/code\u003e creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-nginx-ui-ssrf/","summary":"Nginx-UI versions 2.3.4 and earlier are vulnerable to Server-Side Request Forgery (SSRF): an authenticated user can reach internal services by creating a cluster node whose URL points at an internal address.","title":"Nginx-UI SSRF Vulnerability via Cluster Node Proxy","url":"https://feed.craftedsignal.io/briefs/2024-01-nginx-ui-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Nginx-UI","version":"https://jsonfeed.org/version/1.1"}
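The advisory attributes the flaw to a missing node-URL check in `internal/middleware/proxy.go`. The Go program below is an added example, not Nginx-UI's own code, of what that check would have to reject for the attack chain above to fail: loopback, link-local (including the `169.254.169.254` metadata endpoint), RFC 1918 and IPv6 unique-local/link-local targets, non-HTTP schemes, and hostnames that resolve to any of those. `ValidateNodeURL`, `isInternalIP`, the blocked-range table and the injectable `lookupFunc` resolver are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Added example, not Nginx-UI code: a deny-list for cluster node URLs
// covering the target classes the advisory's attack chain relies on.

// internalNets is built once from the CIDR table in init().
var internalNets []*net.IPNet

func init() {
	for _, cidr := range []string{
		"0.0.0.0/8",      // "this" network, incl. 0.0.0.0
		"127.0.0.0/8",    // loopback
		"10.0.0.0/8",     // RFC 1918
		"172.16.0.0/12",  // RFC 1918
		"192.168.0.0/16", // RFC 1918
		"169.254.0.0/16", // link-local, incl. cloud metadata 169.254.169.254
		"100.64.0.0/10",  // carrier-grade NAT
		"::1/128",        // IPv6 loopback
		"fc00::/7",       // IPv6 unique-local
		"fe80::/10",      // IPv6 link-local
	} {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err) // constant table; a typo here is a programming error
		}
		internalNets = append(internalNets, n)
	}
}

// isInternalIP reports whether ip falls in any blocked range. IPNet.Contains
// unwraps IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) before comparing, so
// that bypass is covered as well.
func isInternalIP(ip net.IP) bool {
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// lookupFunc abstracts DNS so the check can be exercised offline; in real
// wiring (hypothetical, not the project's) pass net.LookupIP.
type lookupFunc func(host string) ([]net.IP, error)

// ValidateNodeURL returns nil only for an http(s) URL whose host is an
// external IP literal or a name that resolves solely to external addresses.
func ValidateNodeURL(raw string, lookup lookupFunc) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed for cluster node", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("cluster node URL has no host")
	}
	lower := strings.ToLower(host)
	if lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return errors.New("localhost is not a valid cluster node")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		if ips, err = lookup(host); err != nil {
			return fmt.Errorf("resolving %s: %w", host, err)
		}
		if len(ips) == 0 {
			return fmt.Errorf("%s does not resolve", host)
		}
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("%s resolves to internal address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// IP literals only, so the demo needs no network access.
	for _, raw := range []string{
		"http://127.0.0.1:51820",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:10.0.0.5]:9000",
		"https://203.0.113.10:9000",
	} {
		fmt.Printf("%-44s -> %v\n", raw, ValidateNodeURL(raw, net.LookupIP))
	}
}
```

Checking the URL once at `POST /api/nodes` is necessary but not sufficient: a hostname that resolves externally at creation time can be re-pointed at an internal address later, so the same check belongs in the proxy's dial path at connect time, against the address actually being dialled.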