Highly critical vulnerability fixed in Nginx Web server software
Nginx 1.4.1 and 1.5.0 address remote code execution flaw that could lead to compromised servers
IDG News Service - The development team behind the popular Nginx open-source Web server software released security updates on Tuesday to address a highly critical vulnerability that could be exploited by remote attackers to execute arbitrary code on susceptible servers.
Identified as CVE-2013-2028, the vulnerability is a stack-based buffer overflow and was first introduced in the Nginx 1.3.9 development version back in November 2012. The flaw is also present in the 1.4.0 stable version released last month.
The bug, which has been rated as highly critical by vulnerability management firm Secunia, was fixed in the new Nginx 1.4.1 stable version and Nginx 1.5.0 development version. The vulnerability can be exploited by malicious attackers by sending specially crafted HTTP chunks to an exposed Nginx server.
Successful exploitation can lead to arbitrary code execution and system compromise, Secunia said in its advisory.
Nginx is developed with performance and low memory usage in mind and can be used as an HTTP server, as a reverse proxy server and as a load balancer. This makes it appealing to websites that receive a considerable amount of traffic.
Nginx is the third most widely used Web server software on the Internet after Apache and Microsoft IIS with a market share of over 15 percent, according to a recent Web server survey by Internet services firm Netcraft.
The software's growing popularity has, however, also attracted the attention of cybercriminals. On Tuesday, researchers from security vendor ESET reported the discovery of a sophisticated backdoor program designed specifically for Nginx servers. The existence of this malicious program is evidence that cybercriminals are no longer only targeting the most popular software.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts