{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bootstrap-takeover/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["nginx-ui (2.3.5)"],"_cs_severities":["critical"],"_cs_tags":["nginx-ui","bootstrap-takeover","unauthenticated-access","initial-access"],"_cs_type":"advisory","_cs_vendors":["nginx-ui"],"content_html":"\u003cp\u003eNginx-UI version 2.3.5 contains a critical vulnerability that allows unauthenticated remote attackers to take complete administrative control of a fresh instance. The vulnerability lies in the \u003ccode\u003e/api/install\u003c/code\u003e endpoint, which is accessible without authentication during a short initial setup window. This window is intended for the first-time configuration of the application. By sending a specially crafted POST request to \u003ccode\u003e/api/install\u003c/code\u003e, an attacker can set the application\u0026rsquo;s JWT secret, node secret, certificate email, and initial administrator credentials before the legitimate operator. This attack is most relevant during initial deployments, rebuilds, ephemeral test environments, LAN-accessible fresh installs, or temporarily exposed setup workflows. The attacker gains full control without needing to exploit any authenticated feature or guess default credentials. The observed exploitation was reproduced over HTTP against live local instances started from \u003ccode\u003enginx-ui\u003c/code\u003e \u003ccode\u003ev2.3.5\u003c/code\u003e using Docker image \u003ccode\u003euozi/nginx-ui@sha256:d73343e3009c9b558129a2be0cacd6c2c57ed8006a5871873b874b812e612e5a\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA fresh \u003ccode\u003enginx-ui\u003c/code\u003e instance is deployed, exposing the \u003ccode\u003e/api/install\u003c/code\u003e endpoint over HTTP before initial configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a GET request to \u003ccode\u003e/api/install\u003c/code\u003e to determine if the instance is uninitialized (checks for \u003ccode\u003e{\u0026quot;lock\u0026quot;:false,\u0026quot;timeout\u0026quot;:false}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a GET request to \u003ccode\u003e/api/crypto/public_key\u003c/code\u003e to retrieve the public key used for encryption.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the retrieved public key to encrypt a JSON payload containing the desired administrator username, password, and email.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/api/install\u003c/code\u003e with the encrypted payload in the \u003ccode\u003eencrypted_params\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe server processes the request, sets the attacker-chosen credentials, and locks the installation (\u003ccode\u003e{\u0026quot;lock\u0026quot;:true,\u0026quot;timeout\u0026quot;:false}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/api/login\u003c/code\u003e with the attacker-chosen username and password, also encrypted with the previously obtained public key.\u003c/li\u003e\n\u003cli\u003eThe server authenticates the attacker and returns a valid token, granting them administrative access to the \u003ccode\u003enginx-ui\u003c/code\u003e instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to completely compromise a fresh \u003ccode\u003enginx-ui\u003c/code\u003e instance. The attacker gains full administrative privileges and can configure the application, manage Nginx configurations, and potentially use the compromised server as a pivot point for further attacks. The exposure window is limited to the initial setup phase, but if successfully exploited, the attacker effectively becomes the administrator of the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/install\u003c/code\u003e with a non-empty \u003ccode\u003eencrypted_params\u003c/code\u003e field, especially from unusual source IP addresses, to detect potential takeover attempts. Deploy the Sigma rule \u003ccode\u003eDetect Nginx-UI Initial Setup Takeover Attempt\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eRestrict access to the \u003ccode\u003e/api/install\u003c/code\u003e endpoint to localhost or trusted networks during the initial setup phase using firewall rules or web server configuration.\u003c/li\u003e\n\u003cli\u003eApply the suggested fixes from the advisory, including requiring a local-only or out-of-band bootstrap secret for \u003ccode\u003ePOST /api/install\u003c/code\u003e, to prevent unauthorized installation claims.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected processes creating files or directories under \u003ccode\u003e/etc/nginx\u003c/code\u003e or \u003ccode\u003e/etc/nginx-ui\u003c/code\u003e immediately after a new deployment of \u003ccode\u003enginx-ui\u003c/code\u003e to identify potential persistence attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-nginx-ui-takeover/","summary":"Nginx-UI version 2.3.5 is vulnerable to an unauthenticated takeover via the `/api/install` endpoint during the initial setup window, allowing a remote attacker to claim administrative control of a fresh instance.","title":"Nginx-UI Unauthenticated Bootstrap Takeover","url":"https://feed.craftedsignal.io/briefs/2024-01-nginx-ui-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Bootstrap-Takeover","version":"https://jsonfeed.org/version/1.1"}