On April 14, Microsoft issued a vulnerability alert – now tracked as CVE-2015-1635 – about an issue that might permit remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. If patching your production Windows servers immediately is not an option, then NGINX and NGINX Plus can help protect you from attacks.
The specific details of the vulnerability have not been released as of this writing, but attackers are reportedly trying to find vulnerable systems by sending HTTP requests with very large Range requests, which can trigger a buffer overflow and cause a crash in the Windows system.
Users are strongly advised to apply Microsoft’s patch to address this vulnerability. However, if you are not able to apply the patch to all of your production systems and are using NGINX or NGINX Plus to load balance or proxy traffic to them, a simple configuration change is enough to intercept and fix the special requests sent to vulnerable systems.
Identifying and Handling Reconnaissance Traffic
Mattias Geniar has analysed the attack traffic and reports that HTTP requests with a large byte range in the Range header trigger the crash:
The simplest fix is to use the proxy_set_header directive to set the Range header to "" (the empty string), which effectively deletes the header before the HTTP request is forwarded to the Windows server named by the proxy_pass directive:
If your application requires byte‑range support, you can use the map directive to replace any string that resembles a large integer with the empty string, before using the proxy_set_header directive to set the Range header:
Alternatively, you can return HTTP code 444 when the value in the Range header resembles a large integer. Code 444 instructs NGINX and NGINX Plus to close the client connection immediately without returning anything.
Keep safe and apply the patch, but if you can’t do that immediately, NGINX and NGINX Plus can help close the potential hole over.
To try NGINX Plus, start your free 30-day trial today or contact us for a demo.
About the Author
Related Blog Posts
Secure Your API Gateway with NGINX App Protect WAF
As monoliths move to microservices, applications are developed faster than ever. Speed is necessary to stay competitive and APIs sit at the front of these rapid modernization efforts. But the popularity of APIs for application modernization has significant implications for app security.
How Do I Choose? API Gateway vs. Ingress Controller vs. Service Mesh
When you need an API gateway in Kubernetes, how do you choose among API gateway vs. Ingress controller vs. service mesh? We guide you through the decision, with sample scenarios for north-south and east-west API traffic, plus use cases where an API gateway is the right tool.
Deploying NGINX as an API Gateway, Part 2: Protecting Backend Services
In the second post in our API gateway series, Liam shows you how to batten down the hatches on your API services. You can use rate limiting, access restrictions, request size limits, and request body validation to frustrate illegitimate or overly burdensome requests.
New Joomla Exploit CVE-2015-8562
Read about the new zero day exploit in Joomla and see the NGINX configuration for how to apply a fix in NGINX or NGINX Plus.
Why Do I See “Welcome to nginx!” on My Favorite Website?
The ‘Welcome to NGINX!’ page is presented when NGINX web server software is installed on a computer but has not finished configuring