CVE-2024-39935
📋 TL;DR
CVE-2024-39935 is an OS command injection vulnerability in jc21 NGINX Proxy Manager that allows authenticated users with certificate management privileges to execute arbitrary commands on the host system via DNS provider configuration input. This affects versions before 2.11.3 and requires the attacker to have valid credentials with specific administrative permissions.
💻 Affected Systems
- jc21 NGINX Proxy Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise, allowing an attacker to execute arbitrary commands with the privileges of the NGINX Proxy Manager process, potentially leading to data theft, lateral movement, or complete host takeover.
Likely Case
Authenticated attackers with certificate management access can execute commands to steal sensitive data, modify configurations, or deploy malware on the affected system.
If Mitigated
With proper access controls limiting certificate management privileges to trusted administrators only, impact is reduced to potential insider threat scenarios.
🎯 Exploit Status
Exploitation requires authenticated access with certificate management privileges. The vulnerability is in backend/internal/certificate.js where untrusted input is passed to OS commands.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.3
Vendor Advisory: https://github.com/NginxProxyManager/nginx-proxy-manager/commit/99cce7e2b0da2978411cedd7cac5fffbe15bc46
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update to version 2.11.3 or later using your deployment method (Docker, manual install, etc.).
3. Restart the NGINX Proxy Manager service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Certificate Management Access
Limit certificate management privileges to essential administrators only to reduce the attack surface.
Network Segmentation
Isolate the NGINX Proxy Manager management interface from untrusted networks.
🧯 If You Can't Patch
- Implement strict access controls to limit certificate management privileges to minimal trusted personnel only.
- Monitor and audit all certificate management activities and command execution logs for suspicious patterns.
🔍 How to Verify
Check if Vulnerable:
Check the NGINX Proxy Manager version in the web interface or by examining the container/image version. If version is below 2.11.3, the system is vulnerable.
Check Version:
docker exec nginx-proxy-manager cat /app/package.json | grep version
Verify Fix Applied:
Confirm version is 2.11.3 or higher in the web interface or via version check command. Test certificate management functionality to ensure it works without allowing command injection.
📡 Detection & Monitoring
Log Indicators:
- Unusual certificate management activities
- Suspicious command execution patterns in system logs
- Multiple failed authentication attempts followed by certificate management actions
Network Indicators:
- Unexpected outbound connections from NGINX Proxy Manager host
- Unusual DNS queries from the management interface
SIEM Query:
source="nginx-proxy-manager" AND (event_type="certificate_management" OR command_execution) AND user NOT IN ["trusted_admin_list"]
🔗 References
- https://github.com/NginxProxyManager/nginx-proxy-manager/commit/99cce7e2b0da2978411cedd7cac5fffbe15bc46
- https://github.com/NginxProxyManager/nginx-proxy-manager/compare/v2.11.2...v2.11.3
- https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3662