CVE-2021-23019
📋 TL;DR
CVE-2021-23019: in NGINX Controller 2.0.0 through 2.9.0 and 3.x before 3.15.0, the Controller administrator password may be written in plaintext to the systemd.txt file inside the support package that administrators generate for troubleshooting and send to F5. Anyone who obtains such a package (support staff, a ticketing system, a shared drive, or an attacker with read access to the host) can log in as the administrator; nothing beyond reading the file is required.
💻 Affected Systems
- NGINX Controller
📦 What is this software?
NGINX Controller is F5's centralized management plane for NGINX Plus instances: it pushes configuration to the managed data-plane hosts, collects metrics from them, and exposes a web UI and REST API. Its administrator account is therefore the key to every NGINX instance under its control.
⚠️ Risk & Real-World Impact
Worst Case
Full administrative compromise of NGINX Controller leading to complete control over managed NGINX instances, configuration manipulation, data exfiltration, and lateral movement to backend systems.
Likely Case
Unauthorized administrative access to NGINX Controller allowing configuration changes, service disruption, and potential credential harvesting from managed systems.
If Mitigated
Limited impact if support packages are properly secured and access to systemd.txt files is restricted to authorized personnel only.
🎯 Exploit Status
No memory corruption or authentication bypass is involved. An attacker needs read access to a support package (or to an extracted systemd.txt); the plaintext password found there is then used for an ordinary login to the Controller UI or API. Exploitation is trivial once the file is obtained, and the Controller itself cannot distinguish that login from a legitimate one.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.15.0 and later (every 2.x release through 2.9.0 is affected, so 2.x installs must move to 3.15.0 or newer)
Vendor Advisory: https://support.f5.com/csp/article/K04884013
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Upgrade to NGINX Controller 3.15.0 or later.
3. Restart the NGINX Controller services.
4. Change the administrator password: every support package generated on an affected version already contains the old one, and upgrading does not recall copies that have been shared.
5. Delete or quarantine previously generated support packages, including copies uploaded to tickets, mailboxes and shared drives. If a package is still needed, regenerate it on 3.15.0+ so it no longer carries the password.
🔧 Temporary Workarounds
Secure Support Package Access
Restrict access to NGINX Controller support packages and make sure no extracted systemd.txt is readable by unauthorized users. This only protects copies still on hosts you control; any package already sent to a ticket, mailbox or shared drive must be treated as leaked, and the administrator password changed.
chmod 600 /path/to/support/package/*
rm -f /path/to/old/systemd.txt
🧯 If You Can't Patch
- Change the NGINX Controller administrator password now; the exposed credential is all an attacker needs, and rotating it invalidates every copy in circulation
- Immediately delete all existing support packages containing systemd.txt files, including copies held outside the host (tickets, email, shared storage)
- Implement strict access controls and monitoring for any remaining support packages
- Avoid generating new support packages on an affected version unless systemd.txt is removed from the archive before it leaves the host
🔍 How to Verify
Check if Vulnerable:
Check the NGINX Controller version via the web interface or CLI; if it is between 2.0.0 and 2.9.0 or between 3.0.0 and 3.14.x, the installation is affected. Then search the systemd.txt file in any support packages you hold for password strings. Treat every package generated on an affected version as sensitive even if the search finds nothing, since the password may appear under a field name the search does not cover.
Check Version:
nginx-controller-cli version
Verify Fix Applied:
After upgrade to 3.15.0+, verify version and ensure new support packages do not contain plaintext passwords in systemd.txt.
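The search described above, as an added shell example (not F5's tooling and not text from the advisory): it lists each support package archive, extracts only the systemd.txt member to a private temporary file, and reports any line that looks like a credential with the value redacted, so the scan itself does not leak the password into a terminal or a shell history. It assumes a package is a gzip tarball and the member is named systemd.txt; the exact layout of that file is not documented here, so matching is by the keywords pass, passwd and password followed by '=' or ':'.

```shell
#!/bin/sh
# Added example for CVE-2021-23019 triage; not part of the F5 advisory or of
# NGINX Controller. Assumptions: a support package is a .tgz/.tar.gz archive,
# the member of interest is named systemd.txt (at any path inside it), and
# credential lines contain "pass", "passwd" or "password" followed by '=' or
# ':' (the real file layout is not documented here, so this is keyword-based).

CRED_PATTERN='pass(word|wd)?[[:space:]]*[=:]'

# Print redacted copies of lines in file $1 that look like credentials:
# everything after the last '=' or ':' on the line is replaced, so the key
# name stays visible but the value never reaches the terminal or a log.
# Returns 0 if at least one such line exists, 1 otherwise.
report_password_lines() {
    file=$1
    # grep -c prints "0" (and exits 1) when nothing matches; keep the "0".
    count=$(grep -ciE "$CRED_PATTERN" "$file" 2>/dev/null || true)
    [ "${count:-0}" -gt 0 ] || return 1
    grep -iE "$CRED_PATTERN" "$file" \
        | sed -E 's/^(.*[=:][[:space:]]*)[^[:space:]].*$/\1<REDACTED>/'
    return 0
}

# Scan one support package archive ($1). Prints findings; returns
#   0 when password-like lines were found in systemd.txt,
#   1 when systemd.txt is present but clean,
#   2 when the archive has no systemd.txt member or cannot be read.
scan_support_package() {
    pkg=$1
    member=$(tar -tzf "$pkg" 2>/dev/null | grep -E '(^|/)systemd\.txt$' | head -n 1 || true)
    if [ -z "$member" ]; then
        echo "$pkg: no systemd.txt member"
        return 2
    fi
    tmp=$(mktemp) || return 2
    # Extract only that member, to stdout, into a private temp file; never
    # unpack the whole package into the working directory.
    if ! tar -xzOf "$pkg" "$member" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "$pkg: could not extract $member"
        return 2
    fi
    rc=0
    findings=$(report_password_lines "$tmp") || rc=$?
    rm -f "$tmp"
    if [ "$rc" -ne 0 ]; then
        echo "$pkg: $member present, no password-like lines"
        return 1
    fi
    printf '%s\n' "$findings" | while IFS= read -r line; do
        printf '%s: %s: %s\n' "$pkg" "$member" "$line"
    done
    echo "$pkg: EXPOSED - treat the admin password in $member as compromised"
    return 0
}

# Usage: sh scan_support_packages.sh /path/to/support-package*.tgz
# Each archive is reported separately; a clean or unreadable one does not
# stop the loop.
for pkg in "$@"; do
    scan_support_package "$pkg" || true
done
```

Run it against every support package you can find, including ones retrieved from ticketing attachments and shared drives; a single EXPOSED result means the administrator password must be changed regardless of whether the upgrade has already been applied.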
📡 Detection & Monitoring
Log Indicators:
- Successful administrator logins from unfamiliar source addresses, at unusual hours, or shortly after a support package was generated or shared (the attacker holds a valid password, so failed-login alerts alone will not catch this)
- Unauthorized login attempts to the NGINX Controller admin interface
- Unexpected configuration changes
Network Indicators:
- Unusual administrative access patterns to NGINX Controller API
SIEM Query (illustrative field names; map them to the event and user fields your Controller audit logs actually emit):
source="nginx-controller" AND (event_type="authentication_success" OR event_type="authentication_failure" OR event_type="configuration_change")