CVE-2024-35200 – This vulnerability allows attackers to cause de... (How to Fix)

Q: What is the severity of CVE-2024-35200?

CVE-2024-35200 has a CVSS score of 5.3 (MEDIUM). This vulnerability allows attackers to cause denial of service by sending specially crafted HTTP/3 requests to NGINX servers configured with the QUIC module. When exploited, NGINX worker processes terminate, disrupting web services. This affects NGINX Plus and NGINX OSS deployments using HTTP/3 QUIC.

📋 TL;DR

This vulnerability allows attackers to cause denial of service by sending specially crafted HTTP/3 requests to NGINX servers configured with the QUIC module. When exploited, NGINX worker processes terminate, disrupting web services. This affects NGINX Plus and NGINX OSS deployments using HTTP/3 QUIC.

💻 Affected Systems

Products:

NGINX Plus
NGINX OSS

Versions: Versions configured with HTTP/3 QUIC module (specific version ranges not detailed in provided references)

Operating Systems: All operating systems running affected NGINX versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when HTTP/3 QUIC module is explicitly enabled in configuration. Default NGINX configurations are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption with NGINX worker processes repeatedly crashing, leading to extended downtime until manual intervention.

🟠

Likely Case

Intermittent service disruptions as worker processes crash and restart, causing degraded performance and potential request failures.

🟢

If Mitigated

Minimal impact if HTTP/3 QUIC module is disabled or if proper rate limiting and monitoring are in place.

🌐 Internet-Facing: HIGH - Internet-facing NGINX servers with HTTP/3 enabled are directly exposed to potential DoS attacks.

🏢 Internal Only: MEDIUM - Internal servers are less exposed but still vulnerable to internal threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending crafted HTTP/3 requests, which is straightforward for attackers with network access to vulnerable servers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisories for specific patched versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000139612

Restart Required: Yes

Instructions:

1. Review F5 advisory for patched versions. 2. Update NGINX to patched version. 3. Restart NGINX service to apply changes.

🔧 Temporary Workarounds

Disable HTTP/3 QUIC module

all

Remove or comment out HTTP/3 QUIC configuration directives to disable vulnerable functionality

# Edit nginx.conf and remove 'listen 443 quic;' and 'listen [::]:443 quic;' directives
# Reload configuration: nginx -s reload

🧯 If You Can't Patch

Implement network-level filtering to block or rate limit HTTP/3 traffic to vulnerable servers
Deploy WAF rules to detect and block malicious HTTP/3 request patterns

🔍 How to Verify

Check if Vulnerable:

Check if NGINX configuration contains 'listen ... quic;' directives and verify NGINX version against patched versions in vendor advisory

Check Version:

nginx -v

Verify Fix Applied:

Confirm NGINX version is updated to patched version and HTTP/3 functionality remains stable under normal traffic

📡 Detection & Monitoring

Log Indicators:

NGINX worker process termination messages in error logs
Increased frequency of worker process restarts

Network Indicators:

Unusual HTTP/3 traffic patterns or spikes
Repeated connection attempts on HTTP/3 ports

SIEM Query:

source="nginx_error.log" AND "worker process" AND (terminated OR exited)

📊 Metadata

CVE ID: CVE-2024-35200

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-476

Published: May 29, 2024

Last Updated: January 24, 2025

🔗 References

http://www.openwall.com/lists/oss-security/2024/05/30/4 Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/ Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/ Third Party Advisory
https://my.f5.com/manage/s/article/K000139612 Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/05/30/4 Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/ Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/ Third Party Advisory
https://my.f5.com/manage/s/article/K000139612 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-35200, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fedora by Fedoraproject

Fedora by Fedoraproject

Nginx Open Source by F5

Nginx Plus by F5

Nginx Plus by F5

Nginx Plus by F5

Nginx Plus by F5

Nginx Plus by F5

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable HTTP/3 QUIC module

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities