CVE-2026-1642

Severity: HIGH (8.2 / 10.0)
Published: February 4, 2026 at 03:16 PM
Modified: February 13, 2026 at 09:35 PM
Source: f5sirt@f5.com

Vulnerability Description

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side, along with conditions beyond the attacker's control, may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Metrics

Base Score
8.2
Severity
HIGH
Vector String
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Sources: f5sirt@f5.com, nvd@nist.gov

AI Security Analysis

01 // Technical Summary

NGINX OSS and NGINX Plus, when configured to proxy to upstream TLS servers, allow an attacker who holds a man-in-the-middle position between NGINX and the upstream server, and who additionally benefits from conditions on the upstream side that are outside their control, to inject plaintext data into the response that NGINX relays to the client. The CVSS 4.0 vector scores integrity impact as high and confidentiality and availability as none: the attacker tampers with what the client receives but is not described as reading anything. The attack-requirements metric (AT:P) records the extra upstream-side preconditions.

02 // Vulnerability Mechanism

Step 1: MITM position. The attacker must be able to intercept and alter traffic on the network path between the NGINX instance and the upstream TLS server. The advisory does not say how that position is obtained; it is a precondition of the attack, not part of the vulnerability.

Step 2: Preconditions outside the attacker's control. The advisory states that further conditions on the upstream server side, which the attacker cannot influence, must hold. It does not enumerate them; the CVSS vector records them as AT:P (Attack Requirements: Present).

Step 3: Plaintext injection. With those conditions met, the attacker injects plaintext bytes into the data NGINX reads as the upstream response. The injected data is described as plaintext, so the attacker is not assumed to hold the upstream server's private key or the TLS session keys.

Step 4: NGINX processing. NGINX treats the injected bytes as part of the upstream's response instead of rejecting them.

Step 5: Response delivery. The tampered response is forwarded to the client, which sees it as coming from the origin behind NGINX. The effect is on integrity only (VI:H); the vector assigns no confidentiality or availability impact.

03 // Deep Technical Analysis

The advisory does not name the affected function or code path. What it does fix is the configuration (NGINX OSS or NGINX Plus proxying to an upstream TLS server, for example `proxy_pass https://...`), the attacker position (MITM between NGINX and the upstream), the existence of additional upstream-side preconditions, and the outcome (plaintext injected into the proxied response). Speculation about TLS session resumption or buffer management is not supported by the published text and is omitted here. Two points matter for a practitioner. First, because the injection is plaintext, the attack does not rest on breaking TLS cryptography; the weakness is in NGINX's handling of the upstream connection, and the vendor update is the fix. Second, NGINX does not verify upstream certificates by default (`proxy_ssl_verify off`), which makes an upstream-side MITM position easier to exploit in general; enabling verification with `proxy_ssl_verify on`, `proxy_ssl_trusted_certificate` and `proxy_ssl_server_name on` raises that bar, but the advisory does not state that it prevents this particular injection, so it should be treated as hardening rather than remediation. Versions past End of Technical Support carry no evaluation at all, not a clean bill of health.
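As an added example, not taken from this page or from F5/NGINX material, the following Python script inventories an nginx configuration for the pattern the advisory describes, proxying to TLS upstreams, and reports the effective `proxy_ssl_verify` value in each context, since nginx defaults that directive to `off` and inherits it through `http`, `server` and `location` blocks. The configuration text is constructed for the example. The script understands only `proxy_pass https://...` and `proxy_ssl_verify` (not the stream module's `proxy_ssl`, `grpc_pass grpcs://`, or `include` files), so feed it the output of `nginx -T`, which dumps the fully assembled configuration. It identifies exposure; it is not a fix for CVE-2026-1642.

```python
"""Audit an nginx configuration for locations that proxy to TLS upstreams.

Added example, not part of the advisory or of nginx itself.  Flags every
`proxy_pass https://...` directive and reports the effective
`proxy_ssl_verify` value in that block (nginx default: "off", inherited
from enclosing blocks).  Directive order inside a block does not matter in
nginx, so the value is resolved after the whole config has been read.
"""
import re
from dataclasses import dataclass

# Constructed sample config for the example (not from a real deployment).
SAMPLE_CONFIG = """
http {
    proxy_ssl_verify off;           # explicit default
    server {
        listen 443 ssl;
        location /api/ {
            proxy_pass https://api-backend.internal;   # inherits off
        }
        location /static/ {
            proxy_pass http://static-backend.internal; # plain-text upstream, out of scope
        }
    }
    server {
        listen 8443 ssl;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
        location / {
            proxy_pass https://payments.internal;      # verified
        }
        location /legacy/ {
            proxy_ssl_verify off;                      # local override
            proxy_pass https://legacy.internal;
        }
    }
}
"""


@dataclass
class Finding:
    context: str     # e.g. "http > server > location /api/"
    upstream: str    # the proxy_pass target
    ssl_verify: str  # effective proxy_ssl_verify value, "on" or "off"


def _tokens(text):
    """Yield block headers, directives (ending in ';') and braces.

    Comments are stripped first.  A '#' inside a quoted string would also be
    stripped; acceptable for an audit script, noted as a limitation.
    """
    text = re.sub(r"#.*", "", text)
    for tok in re.findall(r"[{}]|[^{};]+;?", text):
        tok = tok.strip()
        if tok:
            yield tok


def tls_upstream_findings(config_text):
    """Return a Finding for each proxy_pass to an https:// upstream."""
    frames = [{"name": "(main)", "verify": None}]  # one dict per open block
    pending_name = None
    raw = []  # (chain of frame dicts at the time of the directive, upstream)
    for tok in _tokens(config_text):
        if tok == "{":
            frames.append({"name": pending_name or "?", "verify": None})
            pending_name = None
        elif tok == "}":
            if len(frames) > 1:
                frames.pop()
        elif tok.endswith(";"):
            parts = tok[:-1].split()
            if parts[0] == "proxy_ssl_verify" and len(parts) > 1:
                frames[-1]["verify"] = parts[1]
            elif parts[0] == "proxy_pass" and len(parts) > 1 \
                    and parts[1].startswith("https://"):
                # Shallow copy: the dicts stay shared, so a proxy_ssl_verify
                # that appears later in an enclosing block is still seen.
                raw.append((list(frames), parts[1]))
        else:
            pending_name = " ".join(tok.split())  # e.g. "location /api/"

    findings = []
    for chain, upstream in raw:
        effective = next((f["verify"] for f in reversed(chain) if f["verify"]), "off")
        context = " > ".join(f["name"] for f in chain[1:])
        findings.append(Finding(context, upstream, effective))
    return findings


def unverified_tls_upstreams(config_text):
    """TLS upstreams whose certificate nginx will not check."""
    return [f for f in tls_upstream_findings(config_text) if f.ssl_verify != "on"]


if __name__ == "__main__":
    for f in tls_upstream_findings(SAMPLE_CONFIG):
        flag = "" if f.ssl_verify == "on" else "  <-- upstream cert not verified"
        print(f"{f.context}: {f.upstream} (proxy_ssl_verify {f.ssl_verify}){flag}")
```

Run it against `nginx -T 2>/dev/null` captured to a file rather than against individual files, otherwise `include`d server and location blocks are missed. Every line the script flags is a place where the upstream-side MITM position the advisory assumes is cheaper to obtain; whether verification changes the outcome of this specific CVE is not something the advisory states.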
