CVE-2024-22197

7.7 HIGH

📋 TL;DR

This vulnerability in nginx-ui allows authenticated users to modify critical nginx configuration commands via API endpoints that should be restricted, potentially leading to remote code execution, privilege escalation, and information disclosure. It affects all nginx-ui installations prior to version 2.0.0.beta.9 where the web interface is accessible.

💻 Affected Systems

Products:
  • nginx-ui
Versions: All versions before 2.0.0.beta.9
Operating Systems: All platforms running nginx-ui
Default Config Vulnerable: ⚠️ Yes
Notes: Requires nginx-ui web interface to be accessible and attacker to have valid authentication credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated attacker gains root-level remote code execution on the nginx server, leading to complete system compromise, data theft, and lateral movement.

🟠 Likely Case

Authenticated user modifies nginx commands to execute arbitrary code with nginx process privileges, potentially escalating to root access.

🟢 If Mitigated

Attack is prevented by proper authentication controls and network segmentation, limiting impact to configuration changes only.

🌐 Internet-Facing: HIGH - Web interface exposed to internet allows authenticated attackers to exploit this vulnerability remotely.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials can exploit, but requires network access and authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the nginx-ui web interface and knowledge of API endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.0.beta.9

Vendor Advisory: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-pxmr-q2x3-9x9m

Restart Required: Yes

Instructions:

1. Stop the nginx-ui service.
2. Back up the current installation.
3. Update to version 2.0.0.beta.9 or later.
4. Restart the nginx-ui service.
5. Verify functionality.

🔧 Temporary Workarounds

Restrict API Access

Platform: all

Block access to vulnerable API endpoints using web server configuration or firewall rules.

# Example nginx config to block specific endpoints.
# Adjust the path list to match the API paths exposed by your deployment;
# "deny all" alone already answers with 403, so no separate "return" is needed.
location ~ ^/api/(test_config_cmd|reload_cmd|restart_cmd) {
    deny all;
}

Network Segmentation

Platform: linux

Restrict access to nginx-ui interface to trusted networks only.

# Example iptables rules: the ACCEPT rule must be appended before the DROP rule,
# since iptables evaluates rules in order. Replace the bracketed placeholders.
sudo iptables -A INPUT -p tcp --dport [nginx-ui-port] -s [trusted-network] -j ACCEPT
sudo iptables -A INPUT -p tcp --dport [nginx-ui-port] -j DROP

🧯 If You Can't Patch

  • Disable nginx-ui web interface entirely and use alternative monitoring solutions.
  • Implement strict network access controls to limit nginx-ui access to essential personnel only.

🔍 How to Verify

Check if Vulnerable:

Check nginx-ui version via web interface or by examining installed package version. Versions before 2.0.0.beta.9 are vulnerable.

Check Version:

curl -s http://localhost:[port]/api/settings | grep version

Verify Fix Applied:

Verify version is 2.0.0.beta.9 or later and test that API endpoints no longer accept unauthorized modifications.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /api/settings endpoint
  • Modifications to nginx configuration commands via API
  • Failed authentication attempts followed by API access

Network Indicators:

  • HTTP requests to /api/settings with command modification parameters
  • Unusual outbound connections from nginx server following API access

SIEM Query:

source="nginx-ui" AND (uri_path="/api/settings" AND http_method="POST")
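The log indicators above can be turned into a small offline check. The script below is an added example, not part of the original advisory or of nginx-ui itself: it parses constructed access-log lines in the common combined-log shape, flags every POST to /api/settings, and raises the severity when the same source address produced failed logins shortly before. The login path (/api/login) and the log format are assumptions; adjust both to what your reverse proxy or nginx-ui deployment actually records.

```python
import re
from collections import Counter

# Constructed sample log lines (not real nginx-ui output), used only to
# exercise the detection logic. Field order follows the combined log format.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jan/2024:10:00:01 +0000] "GET /api/settings HTTP/1.1" 200 512
10.0.0.5 - admin [12/Jan/2024:10:00:09 +0000] "POST /api/settings HTTP/1.1" 200 64
10.0.0.9 - - [12/Jan/2024:10:02:11 +0000] "POST /api/login HTTP/1.1" 401 32
10.0.0.9 - - [12/Jan/2024:10:02:14 +0000] "POST /api/login HTTP/1.1" 401 32
10.0.0.9 - ops [12/Jan/2024:10:02:20 +0000] "POST /api/login HTTP/1.1" 200 128
10.0.0.9 - ops [12/Jan/2024:10:02:25 +0000] "POST /api/settings HTTP/1.1" 200 64
10.0.0.7 - viewer [12/Jan/2024:10:05:00 +0000] "GET /api/nginx/status HTTP/1.1" 200 256
"""

# One combined-log line: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

SETTINGS_PATH = "/api/settings"   # endpoint named in the advisory's indicators
LOGIN_PATH = "/api/login"         # assumed login endpoint; change to match your deployment


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(log_text):
    """Scan log text for writes to the settings endpoint.

    Every POST to SETTINGS_PATH becomes an alert. If the same client address
    had failed logins (HTTP 401 on LOGIN_PATH) earlier in the log, the alert
    is escalated and the failure count attached, matching the indicator
    'failed authentication attempts followed by API access'.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failed_logins = Counter()
    alerts = []
    for e in events:
        if e["path"] == LOGIN_PATH:
            if e["status"] == "401":
                failed_logins[e["ip"]] += 1
            continue
        if e["path"] == SETTINGS_PATH and e["method"] == "POST":
            alert = {"ip": e["ip"], "user": e["user"], "ts": e["ts"],
                     "reason": "settings_write"}
            if failed_logins[e["ip"]]:
                alert["reason"] = "settings_write_after_failed_logins"
                alert["failed_logins"] = failed_logins[e["ip"]]
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_indicators(SAMPLE_LOG):
        print(a)
```

Access logs do not carry the request body, so this check cannot tell which setting was written; treat every settings write as worth a review and pair it with a diff of the persisted nginx-ui configuration (the test_config_cmd, reload_cmd and restart_cmd values) to confirm the "modifications to nginx configuration commands" indicator.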
