Patching of nginx CVE-2021-23017 for EOL systems is being deployed

TuxCare Team

May 27, 2021


Nginx is a critical part of the infrastructure of many organizations. It is used as a web server, a load balancer, a (reverse) proxy server, a port forwarder, and as a video streaming platform, among its many uses. Standalone or as part of a software stack, it supports a non-negligible share of the overall internet infrastructure we rely upon. 

So when a new CVE affects nginx, the team at TuxCare pays special attention.

CVE-2021-23017 is an off-by-one flaw found in nginx code that affects all EOL versions we cover with our Extended Lifecycle Support service. Patches are already being rolled out for all systems.

Taking a deeper look, the vulnerability affects the part of the code responsible for DNS resolution within nginx. A malicious DNS server can answer a DNS query from nginx with a specially crafted packet that results in a “.” character being written out of bounds in a buffer inside nginx. For a properly motivated attacker, it is trivial to turn out-of-bounds flaws into (remote) code execution.

Additionally, nginx has no spoofing mitigations when performing DNS queries. A machine placed between nginx and the secure, non-malicious DNS server could inject spoofed DNS replies into nginx through a man-in-the-middle attack. This would trigger the vulnerability in this new CVE, so this issue can have a severe impact and reach.

While there are no known malware tools currently available with this exploit code, proof-of-concept code has been developed to demonstrate the exploitation of this vulnerability.
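To gauge exposure on a given host, the following added example (not TuxCare or nginx project code) lists every `resolver` address in an nginx configuration, since nginx's built-in DNS resolver is only used when that directive is configured, and marks addresses that are not loopback, where replies cross a network on which they could be spoofed. The sample configuration is constructed, and treating a loopback resolver as lower exposure is an assumption of this example.

```python
import ipaddress
import re
# Constructed sample in the style of `nginx -T` output (not from a real system).
SAMPLE_CONFIG = """\
http {
    # resolver 192.0.2.1;
    resolver 127.0.0.1 [::1]:5353 valid=30s;
    server {
        location /api/ {
            resolver 198.51.100.53 dns.example.net ipv6=off;
        }
    }
}
"""

# `resolver` at the start of a statement; does not match `resolver_timeout`.
DIRECTIVE = re.compile(r"(?:^|[;{}])\s*resolver\s+([^;]+);", re.MULTILINE)

def resolver_host(token):
    """Address part of one resolver argument, or None for name=value parameters."""
    if "=" in token:                      # valid=30s, ipv6=off
        return None
    if token.startswith("["):             # [::1]:5353
        return token[1:token.index("]")]
    return token.rsplit(":", 1)[0] if token.count(":") == 1 else token

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                    # a hostname, not an IP literal
        return host == "localhost"

def audit_resolvers(config_text):
    """Return (line_no, host, is_loopback) for each configured resolver address."""
    # Drop '#' comments while keeping the line count (ignores '#' inside quotes).
    clean = "\n".join(l.split("#", 1)[0] for l in config_text.splitlines())
    findings = []
    for m in DIRECTIVE.finditer(clean):
        line_no = clean.count("\n", 0, m.start(1)) + 1
        for token in m.group(1).split():
            host = resolver_host(token)
            if host is not None:
                findings.append((line_no, host, is_loopback(host)))
    return findings

if __name__ == "__main__":
    for line_no, host, local in audit_resolvers(SAMPLE_CONFIG):
        print(f"line {line_no}: resolver {host}", "(loopback)" if local else "(off-host)")
```

An empty result means the configuration never invokes nginx's resolver; off-host entries are the ones to prioritize for patching.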


This CVE was disclosed on the 26th of May, 2021, and TuxCare started rolling out patches for it on the same day. If you are a TuxCare Extended Lifecycle Support service subscriber, you can rest assured that your systems are not vulnerable to this flaw. If you are interested in subscribing to the service, contact our engineers here for more information.
