F5 NGINX Plus and Open Source Vulnerability Allow Attackers to Execute Code Using MP4 file

A serious security hole has been found that affects both NGinX Open Source and NGINX Plus This article explores underneath ngx_http_mp4_. . There is no exposure in the control plane because the vulnerability is only in the application's data plane.

F5 has released updates to its software to fix this security hole in all of its affected product lines. This flaw does not affect any other F5 products, such as BIG-IP, BIG-IQ, F5OS, or F5 Distributed Cloud. Using the mp4 directive, security engineers need to find all server and location blocks and comment them out with a hash character. The MP4 streaming module can be turned off for a short time by administrators.

This fix turns off server-side pseudo-streaming support for MP4 files, which stops the attack from happening. If you can't patch right away because it's outside of your current maintenance window, F5 suggests using configuration-based mitigations to make your infrastructure safer.

The flaw gets a CVSS v4.0 base score of 8.5 and a CVSS v3.1 score of 7.8. It lets attackers who are already on the network and have been verified cause a denial-of-service (DoS) condition or possibly run any code on the system underneath. The ngx_http_mp4_ module must be installed on the NGIN X instance and the mp 4 directive must be used in its configuration file for the system to be vulnerable.

You can fix the bug by changing the main configuration files, which are usually found in the /etc/nginx directory. Limiting media publishing rights to only trusted users can also help lessen the problem. This stops people who shouldn't be able to from putting the crafted MP4 payload into the server environment. Go to F5.com for more information.