Beware of Undisclosed Requests Causing NGINX Worker Processes to Terminate

CVE: CVE-2024-24989
CVSS: cvssV3_1: 7.5
Source: CVE-2024-24989

NGINX is an open source web server that is widely used to serve static files and dynamic content and to act as a reverse proxy and load balancer. A vulnerability has been discovered in NGINX when it is configured to use the experimental HTTP/3 QUIC module.

Undisclosed requests sent to NGINX servers using the QUIC protocol can cause NGINX worker processes to unexpectedly terminate. This could lead to denial of service and interruptions in service.

The vulnerability lies in how NGINX handles certain malformed requests when HTTP/3 over QUIC is enabled. By crafting and sending specific bad requests, attackers may be able to crash individual NGINX worker processes or the whole server.

If you are using NGINX with the QUIC module enabled, we recommend disabling it until an update is available from NGINX that addresses this issue. You can also consider additional authentication and rate limiting measures to filter out unintended requests. Regularly applying security updates remains important so that vulnerabilities are patched as fixes become available.
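As an added example (not code from the advisory or from the NGINX project), a POSIX shell audit that finds QUIC-enabled `listen` directives in an `nginx -T` dump and produces a copy with them commented out. The sample configuration is constructed, and the `audit_live_nginx` helper assumes an nginx binary on PATH.

```shell
#!/bin/sh
# Audit an nginx configuration for HTTP/3-over-QUIC listeners and produce a copy
# with them disabled. The sample below is a constructed `nginx -T` dump, not a
# real host's configuration.
SAMPLE_CONF=$(cat <<'EOF'
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # HTTP/3 over QUIC listener
    http3 on;
    add_header Alt-Svc 'h3=":443"; ma=86400';
}
server {
    listen 8080;   # plain HTTP, not affected
}
EOF
)

# Print every listen directive that enables QUIC, ignoring commented-out lines.
quic_listeners() {
    printf '%s\n' "$1" | sed 's/#.*$//' \
        | grep -E '^[[:space:]]*listen[[:space:]]+.*[[:space:]]quic([[:space:]]|;)'
}

# Number of QUIC listeners in a config dump; prints 0 when there are none.
count_quic_listeners() {
    quic_listeners "$1" | grep -c .
}

# Mitigation from the advisory: disable the QUIC module by commenting out the
# QUIC listener, the http3 directive and the Alt-Svc header that advertises h3.
# Run `nginx -t` on the result before reloading.
disable_quic() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^([[:space:]]*)(listen[[:space:]]+.*[[:space:]]quic([[:space:]]|;).*)$/\1# \2  # disabled, CVE-2024-24989/' \
        -e 's/^([[:space:]]*)(http3[[:space:]]+on;.*)$/\1# \2/' \
        -e 's/^([[:space:]]*)(add_header[[:space:]]+Alt-Svc[[:space:]].*)$/\1# \2/'
}

# On a live host (assumes nginx on PATH): was the binary built with the
# HTTP/3 module, and does the loaded configuration contain a QUIC listener?
audit_live_nginx() {
    command -v nginx >/dev/null 2>&1 || { echo "nginx not installed"; return 0; }
    if nginx -V 2>&1 | grep -q -- '--with-http_v3_module'; then
        echo "binary built with the HTTP/3 module"
    else
        echo "binary built without the HTTP/3 module: not exposed"
    fi
    echo "QUIC listeners in loaded config: $(count_quic_listeners "$(nginx -T 2>/dev/null)")"
}

echo "QUIC listeners in sample: $(count_quic_listeners "$SAMPLE_CONF")"
disable_quic "$SAMPLE_CONF"
```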

While the issue is concerning, the attack requires knowledge of the vulnerability and direct access to targeted servers. Most NGINX users will not have HTTP/3 over QUIC enabled by default. It is still best to check your configurations and take precautions to ensure your NGINX installation remains secure and stable.
