Nginx Arbitrary Code Execution Vulnerability (CVE-2021-23017)

Published: 2021-05-27

0x00 Vulnerability Overview

CVE ID: CVE-2021-23017

Date: 2021-05-27

Type: Code execution

Severity: High

Remotely exploitable: Yes

Affected versions: Nginx 0.6.18 - 1.20.0

PoC/EXP: Not public

Exploited in the wild: No

 

0x01 Vulnerability Details


Nginx is a high-performance HTTP and reverse-proxy web server that also provides IMAP/POP3/SMTP services. Because of its many strengths, it is widely used around the world.

On May 25, 2021, Nginx published a security advisory disclosing an arbitrary code execution vulnerability in the Nginx DNS resolver (CVE-2021-23017).

Because of a security issue in how Nginx processes DNS responses, when the "resolver" directive is used in the configuration file, a remote attacker can forge UDP packets from the DNS server and craft a DNS response that causes a 1-byte memory overwrite, resulting in denial of service or arbitrary code execution.

The vulnerability exists only when one or more "resolver" directives are configured; by default none is configured.

 

0x02 Remediation

The vulnerability has been fixed in the following versions. Upgrade as soon as possible:

NGINX Open Source 1.20.1 (stable)

NGINX Open Source 1.21.0 (mainline)

NGINX Plus R23 P1

NGINX Plus R24 P1

The following NGINX Ingress Controller versions include the fixed versions of NGINX Open Source and NGINX Plus:

NGINX Ingress Controller 1.11.2 – NGINX Plus R23 P1

NGINX Ingress Controller 1.11.3 – NGINX Open Source 1.21.0 and NGINX Plus R23 P1

Download link:

http://nginx.org/en/download.html

Patch link:

http://nginx.org/download/patch.2021.resolver.txt
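
A defender-side check for the two exposure conditions this advisory gives (upstream version within 0.6.18 - 1.20.0 and at least one active "resolver" directive), added here as an example that is not part of the original advisory or of Nginx. It assumes the version banner comes from `nginx -v` and the configuration text from the config files or `nginx -T`; the function names and the sample configuration are constructed for illustration.

```python
import re

# Affected upstream range as stated in this advisory: Nginx 0.6.18 - 1.20.0.
AFFECTED_MIN, AFFECTED_MAX = (0, 6, 18), (1, 20, 0)
# Constructed sample configuration (documentation-range addresses, not real servers).
SAMPLE_CONFIG = """\
http {
    # resolver 192.0.2.1;   commented out, so not active
    resolver_timeout 5s;
    server { location / { resolver 192.0.2.53 valid=30s; } }
}
"""

def parse_version(banner):
    """Pull (major, minor, patch) out of `nginx -v` output, e.g. 'nginx version: nginx/1.18.0'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in %r" % banner)
    return tuple(int(part) for part in m.groups())

def strip_comment(line):
    """Cut the line at the first '#' that is not inside a quoted string."""
    quote = None
    for i, ch in enumerate(line):
        if ch == "#" and quote is None:
            return line[:i]
        if ch in "\"'":  # open a quote, close the matching one, ignore the other kind
            quote = None if quote == ch else (quote or ch)
    return line

def resolver_directives(config_text):
    """Return (line_number, statement) for every active `resolver` directive."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        for statement in re.split(r"[;{}]", strip_comment(line)):
            words = statement.split()
            if words and words[0] == "resolver":  # exact match skips resolver_timeout
                hits.append((number, " ".join(words)))
    return hits

def assess(banner, config_text):
    """Exposed per the advisory only if the version is in range AND a resolver is set."""
    version, hits = parse_version(banner), resolver_directives(config_text)
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    return {"version": version, "in_affected_range": in_range,
            "resolver_directives": hits, "exposed": in_range and bool(hits)}
```

The comparison uses upstream version numbers only: a distribution package that carries the fix under an older version number will still be reported as in range, and NGINX Plus release names (R23 P1, R24 P1) are not evaluated.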

 

0x03 References

http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html

https://www.nginx.com/blog/updating-nginx-dns-resolver-vulnerability-cve-2021-23017/

https://support.f5.com/csp/article/K12331123

 

0x04 Timeline

2021-05-25  Nginx published its security advisory

2021-05-27  VSRC published its security advisory

 

0x05 Appendix

CVSS scoring standard official site: http://www.first.org/cvss/
