<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Backup-Tampering - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/backup-tampering/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/backup-tampering/feed.xml" rel="self" type="application/rss+xml"/><item><title>nginx-ui Backup Restore Allows Tampering with Encrypted Backups</title><link>https://feed.craftedsignal.io/briefs/2024-01-nginx-ui-backup-restore-tampering/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-nginx-ui-backup-restore-tampering/</guid><description>The nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration, potentially leading to arbitrary command execution.</description><content:encoded><![CDATA[<p>The <code>nginx-ui</code> application, version v2.3.3 and earlier, contains a vulnerability in its backup and restore functionality. The backup format lacks a trusted integrity root, allowing attackers to manipulate encrypted backups. Specifically, the encryption key and initialization vector (IV) are provided to the client, and the integrity metadata (<code>hash_info.txt</code>) is encrypted using the same key. An attacker who obtains the backup security token can decrypt the archive, modify its contents, recalculate the integrity hashes, and re-encrypt the backup. The vulnerable code exists within <code>backup_crypto.go</code>, <code>backup.go</code>, <code>restore.go</code>, and <code>SystemRestoreContent.vue</code>. This vulnerability can be exploited in default Docker deployments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to the nginx-ui backup security token (Key and IV) through HTTP response headers or a <code>.key</code> file.</li>
<li>The attacker decrypts the <code>nginx-ui.zip</code> and <code>nginx.zip</code> archives using the obtained token and AES-256-CBC.</li>
<li>The attacker modifies the decrypted <code>app.ini</code> file within the extracted archive to inject malicious configuration, such as setting <code>StartCmd = bash</code>.</li>
<li>The attacker re-compresses the modified files into new <code>nginx-ui.zip</code> and <code>nginx.zip</code> archives.</li>
<li>The attacker calculates the SHA-256 hashes of the re-encrypted archive files.</li>
<li>The attacker updates the <code>hash_info.txt</code> file with the newly calculated SHA-256 hashes corresponding to the manipulated archives.</li>
<li>The attacker re-encrypts the modified archive and the <code>hash_info.txt</code> using the original Key and IV.</li>
<li>The attacker uploads the tampered backup to the <code>nginx-ui</code> restore interface, which accepts the malicious backup due to the lack of integrity verification. This results in the restoration of the attacker-controlled configuration and potential arbitrary command execution on the host.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack allows an attacker to manipulate the <code>nginx-ui</code> application's configuration and internal state during the restoration process. This could lead to persistent configuration tampering, backdoor insertion into the nginx configuration, execution of attacker-controlled commands depending on the configuration settings, and potentially complete compromise of the <code>nginx-ui</code> instance. The severity is highly dependent on the restore permissions and the specific deployment configuration of <code>nginx-ui</code>.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the patched version of nginx-ui (v2.3.4 or later) to remediate <strong>CVE-2026-33026</strong>.</li>
<li>Implement a trusted integrity root for backups. Integrity metadata must not be solely derived from data contained in the backup as described in the overview.</li>
<li>Enforce integrity verification in the restore operation to abort the process if hash verification fails, mitigating the tampering vulnerability detailed in the attack chain.</li>
<li>Monitor the <code>nginx-ui</code> application logs for any suspicious activity related to backup and restore operations, particularly those involving warnings related to hash mismatches as described in the PoC.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>nginx-ui</category><category>backup-tampering</category><category>vulnerability</category></item></channel></rss>