Highly critical vulnerability fixed in Nginx Web server software

Nginx 1.4.1 and 1.5.0 address remote code execution flaw that could lead to compromised servers

The development team behind the popular Nginx open-source Web server software released security updates on Tuesday to address a highly critical vulnerability that could be exploited by remote attackers to execute arbitrary code on susceptible servers.

Identified as CVE-2013-2028, the vulnerability is a stack-based buffer overflow and was first introduced in the Nginx 1.3.9 development version back in November 2012. The flaw is also present in the 1.4.0 stable version released last month.

The bug, which has been rated as highly critical by vulnerability management firm Secunia, was fixed in the new Nginx 1.4.1 stable version and Nginx 1.5.0 development version. The vulnerability can be exploited by malicious attackers by sending specially crafted HTTP chunks to an exposed Nginx server.

Successful exploitation can lead to arbitrary code execution and system compromise, Secunia said in its advisory.

Nginx is developed with performance and low memory usage in mind and can be used as an HTTP server, as a reverse proxy server and as a load balancer. This makes it appealing to websites that receive a considerable amount of traffic.

Nginx is the third most widely used Web server software on the Internet after Apache and Microsoft IIS with a market share of over 15 percent, according to a recent Web server survey by Internet services firm Netcraft.

The software's growing popularity has, however, also attracted the attention of cybercriminals. On Tuesday, researchers from security vendor ESET reported the discovery of a sophisticated backdoor program designed specifically for Nginx servers. The existence of this malicious program is evidence that cybercriminals are no longer only targeting the most popular software.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies