Vulnerabilities > CVE-2017-7529

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
f5
puppet
apple
nessus

Summary

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.

Vulnerable Configurations

Part Description Count
Application
F5
347
Application
Puppet
78
Application
Apple
85

Nessus

  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-894.NASL
    descriptionA flaw within the processing of ranged HTTP requests has been discovered in the range filter module of nginx. A remote attacker could possibly exploit this flaw to disclose parts of the cache file header, or, if used in combination with third party modules, disclose potentially sensitive memory by sending specially crafted HTTP requests. (CVE-2017-7529)
    last seen2020-06-01
    modified2020-06-02
    plugin id103228
    published2017-09-15
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103228
    titleAmazon Linux AMI : nginx (ALAS-2017-894)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-AECD25B8A9.NASL
    descriptionThis update includes nginx 1.12.1, fixing CVE-2017-7529, and adds the http_auth_request module. See http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html for more information on CVE-2017-7529. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-08-24
    plugin id102719
    published2017-08-24
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102719
    titleFedora 26 : 1:nginx (2017-aecd25b8a9)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B28ADC5B669311E7AD43F0DEF16C5C1B.NASL
    descriptionMaxim Dounin reports : A security issue was identified in nginx range filter. A specially crafted request might result in an integer overflow and incorrect processing of ranges, potentially resulting in sensitive information leak (CVE-2017-7529).
    last seen2020-06-01
    modified2020-06-02
    plugin id101381
    published2017-07-12
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101381
    titleFreeBSD : nginx -- a specially crafted request might result in an integer overflow (b28adc5b-6693-11e7-ad43-f0def16c5c1b)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1024.NASL
    descriptionIt was discovered that there was vulnerability in the range filter of nginx, a web/proxy server. A specially crafted request might result in an integer overflow and incorrect processing of HTTP ranges, potentially resulting in a sensitive information leak. For Debian 7
    last seen2020-03-17
    modified2017-07-14
    plugin id101535
    published2017-07-14
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101535
    titleDebian DLA-1024-1 : nginx security update
  • NASL familyWeb Servers
    NASL idNGINX_1_13_3.NASL
    descriptionAccording to its Server response header, the installed version of nginx is prior to 1.12.1 or 1.13.x prior to 1.13.3. It is, therefore, affected by an integer overflow vulnerability in the range filter module. An unauthenticated, remote attacker can exploit this, via a specially crafted request to disclose potentially sensitive information.
    last seen2020-05-09
    modified2018-10-16
    plugin id118151
    published2018-10-16
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118151
    titlenginx Data Disclosure Vulnerability
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3352-1.NASL
    descriptionIt was discovered that an integer overflow existed in the range filter feature of nginx. A remote attacker could use this to expose sensitive information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id101546
    published2017-07-14
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101546
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : nginx vulnerability (USN-3352-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-C27A947AF1.NASL
    descriptionThis update includes nginx 1.12.1, fixing CVE-2017-7529, and adds the http_auth_request module. See http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html for more information on CVE-2017-7529. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-08-24
    plugin id102720
    published2017-08-24
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102720
    titleFedora 25 : 1:nginx (2017-c27a947af1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3908.NASL
    descriptionAn integer overflow has been found in the HTTP range module of Nginx, a high-performance web and reverse proxy server, which may result in information disclosure.
    last seen2020-06-01
    modified2020-06-02
    plugin id101490
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101490
    titleDebian DSA-3908-1 : nginx - security update
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-316.NASL
    descriptionThis update for nginx to version 1.13.9 fixes the following issues : - CVE-2017-7529: nginx: Integer overflow in nginx range filter module allowed memory disclosure (bsc#1048265) This update also contains all updates and improvements in 1.13.9 upstream release.
    last seen2020-06-05
    modified2018-03-27
    plugin id108639
    published2018-03-27
    reporterThis script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/108639
    titleopenSUSE Security Update : nginx (openSUSE-2018-316)
  • NASL familyWeb Servers
    NASL idNGINX_1_13_2.NASL
    descriptionAccording to the self-reported version in its response header, the version of nginx hosted on the remote web server is < 1.13.2. It is, therefore, affected by an integer overflow vulnerability
    last seen2020-05-01
    modified2020-05-02
    plugin id105359
    published2017-12-18
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105359
    titlenginx < 1.13.2 Integer Overflow Vulnerability
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0038.NASL
    descriptionAn update of [gnutls, c-ares, nginx, mercurial, linux, mesos, git, binutils, krb5, dnsmasq] packages for PhotonOS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111887
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111887
    titlePhoton OS 1.0: Binutils / C / Dnsmasq / Git / Gnutls / Krb5 / Linux / Mercurial / Mesos / Nginx PHSA-2017-0038 (deprecated)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-867.NASL
    descriptionThis update for nginx fixes the following issues : - CVE-2017-7529: A remote attacker could have used specially crafted requests to trigger an integer overflow the nginx range filter module to leak potentially sensitive information (boo#1048265)
    last seen2020-06-05
    modified2017-07-31
    plugin id102057
    published2017-07-31
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102057
    titleopenSUSE Security Update : nginx (openSUSE-2017-867)

Redhat

advisories
rhsa
idRHSA-2017:2538
rpms
  • rh-nginx110-nginx-1:1.10.2-8.el6
  • rh-nginx110-nginx-1:1.10.2-8.el7
  • rh-nginx110-nginx-debuginfo-1:1.10.2-8.el6
  • rh-nginx110-nginx-debuginfo-1:1.10.2-8.el7
  • rh-nginx110-nginx-mod-http-image-filter-1:1.10.2-8.el6
  • rh-nginx110-nginx-mod-http-image-filter-1:1.10.2-8.el7
  • rh-nginx110-nginx-mod-http-perl-1:1.10.2-8.el6
  • rh-nginx110-nginx-mod-http-perl-1:1.10.2-8.el7
  • rh-nginx110-nginx-mod-http-xslt-filter-1:1.10.2-8.el6
  • rh-nginx110-nginx-mod-http-xslt-filter-1:1.10.2-8.el7
  • rh-nginx110-nginx-mod-mail-1:1.10.2-8.el6
  • rh-nginx110-nginx-mod-mail-1:1.10.2-8.el7
  • rh-nginx110-nginx-mod-stream-1:1.10.2-8.el6
  • rh-nginx110-nginx-mod-stream-1:1.10.2-8.el7

Seebug

bulletinFamilyexploit
descriptionA security issue was identified in nginx range filter. A specially crafted request might result in an integer overflow and incorrect processing of ranges, potentially resulting in sensitive information leak (CVE-2017-7529). When using nginx with standard modules this allows an attacker to obtain a cache file header if a response was returned from cache. In some configurations a cache file header may contain IP address of the backend server or other sensitive information. Besides, with 3rd party modules it is potentially possible that the issue may lead to a denial of service or a disclosure of a worker process memory. No such modules are currently known though. The issue affects nginx 0.5.6 - 1.13.2. The issue is fixed in nginx 1.13.3, 1.12.1. For older versions, the following configuration can be used as a temporary workaround: ``` max_ranges 1; ``` **patch** ``` diffsrc/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c --- src/http/modules/ngx_http_range_filter_module.c +++ src/http/modules/ngx_http_range_filter_module.c @@ -377,6 +377,10 @@ ngx_http_range_parse(ngx_http_request_t range->start = start; range->end = end; + if (size > NGX_MAX_OFF_T_VALUE - (end - start)) { + return NGX_HTTP_RANGE_NOT_SATISFIABLE; + } + size += end - start; if (ranges-- == 0) { ```
idSSV:96273
last seen2017-11-19
modified2017-07-13
published2017-07-13
titleNginx Remote Integer Overflow Vulnerability(CVE-2017-7529 )