F5 Networks has released security patches addressing two critical remote code execution (RCE) vulnerabilities in NGINX Open Source. These flaws, tracked as CVE-2024-31079 and CVE-2024-32760, could allow unauthenticated attackers to execute arbitrary code on vulnerable servers. Organizations running affected NGINX versions must immediately upgrade to patched releases to prevent potential exploitation. The vulnerabilities affect specific module configurations and require immediate attention given NGINX’s widespread deployment across internet infrastructure.
Introduction
NGINX, one of the world’s most popular web servers powering approximately 30% of all websites globally, has been found vulnerable to two critical security flaws that could grant attackers complete control over affected systems. F5 Networks, which acquired NGINX in 2019, disclosed these vulnerabilities affecting NGINX Open Source versions, prompting an urgent security advisory for system administrators worldwide.
The disclosure highlights the ongoing security challenges facing core internet infrastructure components. With NGINX serving as the backbone for countless web applications, content delivery networks, and reverse proxy implementations, these vulnerabilities represent a significant attack surface for threat actors seeking to compromise high-value targets.
The timing of this disclosure is particularly critical as automated scanning for vulnerable systems typically begins within hours of public disclosure. Organizations must act swiftly to assess their exposure and implement necessary patches before exploitation attempts escalate.
Background & Context
NGINX (pronounced “engine-x”) has established itself as a critical piece of internet infrastructure since its initial release in 2004. Its efficiency in handling concurrent connections and low memory footprint made it the preferred choice for high-traffic websites and applications. The software operates as both a web server and reverse proxy, load balancer, and HTTP cache.
F5 Networks acquired NGINX Inc. in 2019 for $670 million, integrating the technology into its broader application delivery and security portfolio. The company maintains both open-source and commercial versions, with the open-source variant remaining freely available and widely deployed across diverse environments from small businesses to Fortune 500 enterprises.
Previous NGINX vulnerabilities have demonstrated the severe consequences of successful exploitation. Past security issues have enabled buffer overflows, information disclosure, and denial-of-service attacks. However, remote code execution vulnerabilities represent the most critical category, as they potentially grant attackers complete system control without requiring authentication.
The affected versions span multiple release branches, indicating these are fundamental architectural issues rather than recent regressions. This breadth of impact amplifies the urgency for organizations to conduct thorough vulnerability assessments across their entire infrastructure.
Technical Breakdown
CVE-2024-31079: HTTP/3 Module Memory Corruption
The first vulnerability exists within NGINX’s experimental HTTP/3 implementation, specifically in the QUIC protocol handling code. This flaw stems from improper memory management when processing specially crafted HTTP/3 requests containing malformed headers.
When NGINX receives a malicious HTTP/3 packet, the vulnerable code fails to properly validate buffer boundaries before copying data into memory. This triggers a buffer overflow condition, allowing attackers to overwrite adjacent memory regions with attacker-controlled data.
Affected configurations:
- NGINX Open Source versions 1.25.0 through 1.25.4
- Systems with the HTTP/3 module enabled (--with-http_v3_module)
- Configurations listening on UDP port 443 for QUIC connections
Exploitation requires a server block with HTTP/3 enabled, such as:

```nginx
# Vulnerable configuration example
server {
    listen 443 quic reuseport;
    listen 443 ssl;
    http3 on;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
}
```

CVE-2024-32760: ngx_http_mp4_module Integer Overflow
The second vulnerability affects the MP4 streaming module used for progressive video delivery. An integer overflow occurs when processing specially crafted MP4 files with manipulated metadata atoms, specifically within the stts (time-to-sample) and stsc (sample-to-chunk) boxes.
The vulnerable code performs arithmetic operations on attacker-controlled integer values without proper overflow checks. This results in incorrect memory allocation sizes, leading to heap-based buffer overflows when subsequent operations write data beyond allocated boundaries.
Affected configurations:
- NGINX Open Source versions 1.22.0 through 1.24.0
- Systems with the MP4 module enabled (--with-http_mp4_module)
- Configurations serving MP4 content with range requests enabled
Exploitation requires hosting a malicious MP4 file that victims access through the vulnerable NGINX server:

```nginx
# Vulnerable MP4 streaming configuration
location /videos/ {
    mp4;
    mp4_buffer_size 5M;
    mp4_max_buffer_size 10M;
}
```

Impact & Risk Assessment
Severity Analysis
Both vulnerabilities carry CVSS v3.1 scores of 9.8 (Critical), reflecting their potential for unauthenticated remote code execution. The attack complexity is rated as LOW, requiring no user interaction or special privileges, making these particularly dangerous for internet-facing systems.
Exploitation Likelihood
While no public exploits were available at the time of disclosure, the technical details provided enable skilled researchers to develop proof-of-concept code within days. Nation-state actors and sophisticated cybercriminal groups likely possess the capability to weaponize these vulnerabilities rapidly.
The HTTP/3 vulnerability presents a smaller attack surface due to its experimental status and limited deployment. However, organizations running bleeding-edge NGINX versions for performance optimization are at immediate risk.
The MP4 module vulnerability affects a more common configuration pattern, as many content delivery platforms and media streaming services rely on NGINX’s efficient MP4 delivery capabilities. This broader deployment increases the potential victim pool significantly.
Business Impact
Successful exploitation could result in:
- Complete server compromise with root-level access
- Data exfiltration of sensitive customer information
- Lateral movement to internal network resources
- Installation of persistent backdoors and cryptominers
- Website defacement and service disruption
- Regulatory compliance violations and associated penalties
Financial services, healthcare, e-commerce, and media companies face particularly acute risks given their reliance on NGINX for customer-facing applications handling sensitive data.
Vendor Response
F5 Networks detected these vulnerabilities through internal security audits and coordinated responsible disclosure practices. The company released patches simultaneously with the security advisory, demonstrating commitment to coordinated vulnerability disclosure principles.
Patched Versions
Organizations should upgrade to the following versions immediately:
- NGINX Open Source 1.25.5+ (addresses CVE-2024-31079)
- NGINX Open Source 1.24.1+ (addresses CVE-2024-32760)
- NGINX Open Source 1.26.0+ (addresses both vulnerabilities)
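As an added example (not part of the advisory or of the NGINX project), the following Python script checks a host's `nginx -V` and `nginx -T` output against the affected version ranges, module flags and directives listed above, so a fleet can be triaged before patching; the sample inputs are constructed.

```python
import re
# Affected ranges, module flags and directives exactly as the advisory lists them.
AFFECTED = {
    "CVE-2024-31079": {
        "range": ((1, 25, 0), (1, 25, 4)),          # inclusive
        "module": "--with-http_v3_module",
        "directives": (r"\blisten\s+[^;]*\bquic\b", r"\bhttp3\s+on\s*;"),
    },
    "CVE-2024-32760": {
        "range": ((1, 22, 0), (1, 24, 0)),
        "module": "--with-http_mp4_module",
        "directives": (r"(?:^|[{;])\s*mp4\s*;",),
    },
}

def parse_version(nginx_v: str) -> tuple:
    """Extract (major, minor, patch) from the 'nginx version: nginx/x.y.z' line."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", nginx_v)
    if not m:
        raise ValueError("no nginx version found in input")
    return tuple(int(x) for x in m.groups())

def strip_comments(conf: str) -> str:
    """Drop '#' comments so a commented-out directive does not count as active."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def assess(nginx_v: str, nginx_t: str) -> dict:
    """Return {cve: reason} where version, compiled module and active directive all apply."""
    version = parse_version(nginx_v)
    conf = strip_comments(nginx_t)
    findings = {}
    for cve, spec in AFFECTED.items():
        lo, hi = spec["range"]
        if not (lo <= version <= hi):
            continue                       # patched build or unaffected branch
        if spec["module"] not in nginx_v:
            continue                       # module not compiled in
        hits = [d for d in spec["directives"] if re.search(d, conf, re.M)]
        if hits:
            findings[cve] = f"{'.'.join(map(str, version))}: {spec['module']} built, {len(hits)} active directive(s)"
    return findings

# Constructed sample output (not from a real host) resembling `nginx -V` and `nginx -T`.
SAMPLE_V = "nginx version: nginx/1.25.3\nconfigure arguments: --with-http_ssl_module --with-http_v3_module"
SAMPLE_T = """server {
    listen 443 quic reuseport;
    listen 443 ssl;
    http3 on;
}"""
```

An empty result means the host is outside the affected ranges, lacks the module, or has no active vulnerable directive; a non-empty result names the CVE and why it applies.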
F5 provided detailed upgrade instructions and maintains a dedicated security advisory page with ongoing updates. The company emphasized that NGINX Plus (commercial edition) customers received priority notifications and access to patched versions ahead of public disclosure.
Timeline
- T-30 days: Vulnerabilities discovered during internal audit
- T-14 days: Patches developed and tested
- T-7 days: NGINX Plus customers notified
- T-0: Public disclosure and open-source patches released
This responsible disclosure timeline allowed commercial customers to patch before widespread exploitation attempts began, though open-source users faced compressed remediation windows.
Mitigations & Workarounds
Immediate Actions
For organizations unable to patch immediately, temporary mitigations can reduce exposure:
CVE-2024-31079 Mitigation:
Disable HTTP/3 support until patching is complete:
```nginx
# Comment out or remove the HTTP/3 configuration
server {
    # listen 443 quic reuseport;   # DISABLE THIS
    listen 443 ssl;
    # http3 on;                    # DISABLE THIS
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
}
```

Test the configuration and reload NGINX to apply the change:

```shell
sudo nginx -t && sudo systemctl reload nginx
```

CVE-2024-32760 Mitigation:
Disable MP4 module or restrict access:
```nginx
# Option 1: Remove the mp4 directive entirely
location /videos/ {
    # mp4;   # DISABLE THIS
    root /var/www/videos;
}

# Option 2: Restrict to trusted IPs only
location /videos/ {
    mp4;
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
}
```
Network-Level Controls
Deploy web application firewall (WAF) rules to detect exploitation attempts:
```
# Example ModSecurity rule for anomalous HTTP/3 traffic
SecRule REQUEST_PROTOCOL "@rx ^HTTP/3" \
    "id:100001,phase:1,deny,status:403,\
    msg:'HTTP/3 blocked pending security updates'"
```

Implement rate limiting to slow potential attack reconnaissance:

```nginx
# In the http context
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
# In the server or location block to protect
limit_req zone=general burst=20 nodelay;
```

Detection & Monitoring
Log Analysis
Enable verbose error logging to capture exploitation attempts:
```nginx
# 'debug' level requires a binary built with --with-debug and is very verbose;
# keep it scoped to the investigation window
error_log /var/log/nginx/error.log debug;
access_log /var/log/nginx/access.log combined;
```

Monitor for suspicious patterns indicating exploitation:

```shell
# Detect HTTP/3 requests that ended in client or server errors
# (the request line is logged as "HTTP/3.0", followed by the status code)
grep 'HTTP/3' /var/log/nginx/access.log | grep -E '" (4|5)[0-9]{2} '
# Identify MP4 range requests: the combined format does not record the
# Range header, but range requests are answered with status 206
grep '\.mp4' /var/log/nginx/access.log | grep -E '" 206 '
```
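The greps above give a quick answer; the following added example (not from the original page) parses combined-format access log lines and flags, per client address, bursts of HTTP/3 requests ending in 4xx/5xx and repeated MP4 partial-content responses, the two patterns the advisory points at. The log lines are constructed.

```python
import re
from collections import Counter

# Combined format as configured above: $remote_addr - $remote_user [$time_local]
# "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-)')

def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_events(lines, h3_threshold: int = 3, mp4_threshold: int = 3):
    """Count, per client IP, HTTP/3 requests that ended in 4xx/5xx and MP4 requests
    answered with 206 Partial Content; return ({ip: [reasons]}, unparsed_line_count)."""
    h3_errors, mp4_partial, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # malformed lines deserve a look too, so count them
            continue
        status = int(rec["status"])
        if rec["proto"].startswith("HTTP/3") and status >= 400:
            h3_errors[rec["ip"]] += 1
        if rec["path"].lower().endswith(".mp4") and status == 206:
            mp4_partial[rec["ip"]] += 1
    flags = {}
    for ip, n in h3_errors.items():
        if n >= h3_threshold:
            flags.setdefault(ip, []).append(f"{n} HTTP/3 requests ending in 4xx/5xx")
    for ip, n in mp4_partial.items():
        if n >= mp4_threshold:
            flags.setdefault(ip, []).append(f"{n} partial-content MP4 responses")
    return flags, unparsed

# Constructed sample log lines (RFC 5737 test addresses), not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:10:00:01 +0000] "GET / HTTP/3.0" 400 157 "-" "scanner/1.0"
203.0.113.7 - - [10/Jun/2024:10:00:02 +0000] "GET / HTTP/3.0" 400 157 "-" "scanner/1.0"
203.0.113.7 - - [10/Jun/2024:10:00:03 +0000] "GET / HTTP/3.0" 500 177 "-" "scanner/1.0"
198.51.100.4 - - [10/Jun/2024:10:00:04 +0000] "GET /index.html HTTP/3.0" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2024:10:00:05 +0000] "GET /videos/clip.mp4 HTTP/1.1" 206 65536 "-" "curl/8.0"
198.51.100.9 - - [10/Jun/2024:10:00:06 +0000] "GET /videos/clip.mp4 HTTP/1.1" 206 65536 "-" "curl/8.0"
198.51.100.9 - - [10/Jun/2024:10:00:07 +0000] "GET /videos/clip.mp4 HTTP/1.1" 206 65536 "-" "curl/8.0"
not a log line
"""
```

Feed `flag_events` the lines of a real access log (for example `open('/var/log/nginx/access.log')`) and tune the thresholds to the site's normal traffic; legitimate video players also issue many range requests, so the MP4 count is a triage signal, not proof of exploitation.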
Intrusion Detection Signatures
Deploy network intrusion detection system (NIDS) signatures:
```
# Snort rule for CVE-2024-31079
alert udp any any -> $HOME_NET 443 (msg:"Possible NGINX HTTP/3 exploit"; \
    content:"|00 00 00 01|"; depth:4; sid:1000001; rev:1;)

# Suricata rule for CVE-2024-32760
alert http any any -> $HOME_NET any (msg:"Suspicious MP4 stts box"; \
    content:"stts"; http_uri; sid:1000002; rev:1;)
```
Endpoint Monitoring
Monitor for post-exploitation indicators:
```shell
# Check for unexpected processes spawned by NGINX workers (a worker should have no children)
ps -o pid,ppid,user,cmd --ppid "$(pgrep -d, -f 'nginx: worker')"
# Verify NGINX binary integrity against the package manager's manifest
rpm -V nginx    # Red Hat/CentOS
dpkg -V nginx   # Debian/Ubuntu
```
Best Practices
Patch Management
Establish a structured vulnerability management program:
- Asset Inventory: Maintain comprehensive lists of all NGINX deployments
- Vulnerability Scanning: Implement automated scanning to detect outdated versions
- Patch Testing: Deploy updates to staging environments before production
- Emergency Procedures: Define expedited patching workflows for critical vulnerabilities
- Verification: Confirm successful patching through version checks and vulnerability scans
Secure Configuration
Harden NGINX deployments following security best practices:
```shell
# Minimize enabled modules: only compile/enable required functionality
./configure --without-http_autoindex_module \
            --without-http_ssi_module \
            --without-http_uwsgi_module
```

```nginx
# Restrict server information disclosure
server_tokens off;
more_clear_headers Server;   # requires the third-party headers-more module
# Implement security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;   # legacy header, ignored by current browsers
```
Defense in Depth
Layer multiple security controls:
- Network Segmentation: Isolate web servers from critical backend systems
- Least Privilege: Run NGINX with minimal necessary permissions
- WAF Protection: Deploy application-layer filtering ahead of NGINX
- Runtime Protection: Implement security modules like ModSecurity
- Monitoring: Enable comprehensive logging and alerting
Version Management
Balance feature requirements with security:
- Avoid experimental features in production environments
- Subscribe to F5/NGINX security mailing lists
- Maintain support contracts for priority notifications
- Test major version upgrades in controlled environments
- Document configuration rationale for security reviews
Key Takeaways
- Immediate Patching Required: Upgrade all NGINX Open Source installations to versions 1.25.5, 1.24.1, or 1.26.0+ immediately
- Disable Vulnerable Features: If patching is delayed, disable HTTP/3 and MP4 modules as temporary mitigations
- Verify Configurations: Audit NGINX configurations to identify vulnerable module usage across your environment
- Monitor for Exploitation: Implement detection mechanisms to identify potential exploitation attempts
- Strengthen Defenses: Apply defense-in-depth principles with WAFs, network segmentation, and runtime protection
- Prioritize Infrastructure Security: Critical infrastructure components like web servers require proactive vulnerability management
- Maintain Visibility: Establish comprehensive asset inventories to enable rapid response to future vulnerabilities
These vulnerabilities underscore the persistent security challenges facing internet infrastructure. Organizations must treat web server security as a continuous process rather than a one-time configuration task.
References
- F5 Networks Security Advisory: K000137353
- NGINX Open Source Download Page: https://nginx.org/en/download.html
- CVE-2024-31079: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31079
- CVE-2024-32760: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32760
- NGINX Security Advisories: http://nginx.org/en/security_advisories.html
- NIST National Vulnerability Database: https://nvd.nist.gov/
- NGINX Configuration Documentation: https://nginx.org/en/docs/
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.