
On April 14, 2015, Microsoft issued a vulnerability alert (security bulletin MS15-034), now tracked as CVE-2015-1635, about a flaw in the HTTP.sys kernel driver that might permit remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. If patching your production Windows servers immediately is not an option, NGINX and NGINX Plus can help protect you from attacks.

The specific details of the vulnerability had not been released at the time of writing, but attackers were reportedly scanning for vulnerable systems by sending HTTP requests whose Range header specifies a huge byte range. On an unpatched system this can trigger an overflow in HTTP.sys and crash the Windows host, so even where code execution is not achieved the result is a denial of service.

Users are strongly advised to apply Microsoft's patch to address this vulnerability. However, if you are not able to apply the patch to all of your production systems and are using NGINX or NGINX Plus to load balance or proxy traffic to them, a simple configuration change is enough to intercept and neutralize the malicious requests before they reach vulnerable systems. Note that this protects only traffic that passes through NGINX; a Windows server that is still reachable directly remains exposed until it is patched.

Identifying and Handling Reconnaissance Traffic

Mattias Geniar analysed the attack traffic and reports that HTTP requests carrying a very large last-byte position in the Range header trigger the crash. The value in the captured request below is 18446744073709551615, which is 2^64 - 1, the largest unsigned 64-bit integer:

GET / HTTP/1.1\r\n
Host: stuff\r\n
Range: bytes=0-18446744073709551615\r\n
\r\n

The simplest fix is to use the proxy_set_header directive to set the Range header to "" (the empty string). NGINX does not pass a header whose value is empty, so this effectively deletes the header before the HTTP request is forwarded to the Windows server named by the proxy_pass directive. The trade-off is that no client gets partial-content responses any more: every request is served as if it had no Range header.

server {
    listen 80;
 
    location / {
        proxy_set_header Range "";
        proxy_pass http://windowsserver:80;
    }
}

If your application requires byte-range support, you can use the map directive to replace any Range value that contains a run of 10 or more consecutive digits with the empty string, and then use proxy_set_header to pass the mapped value as the Range header. Be aware that this is a heuristic: a 10-digit byte position is 1,000,000,000 or more, so legitimate range requests into objects of roughly 1 GB and larger are also stripped and answered with the whole object.

map $http_range $saferange {
    "~\d{10,}" "";  # if the value contains 10 or more consecutive digits, remove it
    default $http_range;
}
 
server {
    listen 80;
 
    location / {
        proxy_set_header Range $saferange;
        proxy_pass http://windowsserver:80;
    }
}

Alternatively, you can drop the client connection outright when the Range header contains a long run of digits. Code 444 is non-standard and specific to NGINX: it instructs NGINX and NGINX Plus to close the client connection immediately without returning anything, so the scanner learns nothing from the response. Combining if with return at server level is one of the documented safe uses of the if directive. Note that this variant matches 9 or more digits, which is stricter than the map above: any range starting at or extending beyond 100,000,000 bytes is rejected.

server {
    listen 80;
 
    if ($http_range ~ "\d{9,}") {
        return 444;
    }
 
    location / {
        proxy_pass http://windowsserver:80;
    }
}
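To make the behaviour of these configurations concrete, the following Python program is an added example (it is not from the post and not NGINX code). It applies the same two regular expressions used in the map and if blocks above to sample Range values, including the probe request quoted earlier, and contrasts them with a stricter check that parses the byte-range grammar of RFC 7233 and rejects only malformed values or byte positions beyond a cap. The raw probe request is reassembled from the page with real CRLF terminators; the other Range values, the MAX_OFFSET cap and all function names are this example's own assumptions.

```python
import re

# Constructed sample traffic. PROBE is the request quoted on the page
# (Mattias Geniar's capture) rebuilt with real CRLF line terminators; the
# other Range values below are made up to stand in for legitimate clients.
PROBE = (b"GET / HTTP/1.1\r\n"
         b"Host: stuff\r\n"
         b"Range: bytes=0-18446744073709551615\r\n"
         b"\r\n")

LEGITIMATE_RANGES = [
    "bytes=0-1023",                  # first KiB of an object
    "bytes=-500",                    # suffix range, last 500 bytes
    "bytes=0-99,200-299",            # multipart range
    "bytes=1073741824-2147483647",   # resuming a download past the 1 GiB mark
]

def range_from_request(raw):
    """Return the Range header value of a raw HTTP/1.1 request, or '' when
    the request carries none (header names are case-insensitive)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "range":
            return value.strip()
    return ""

# The two patterns from the page's configuration.
MAP_PATTERN = re.compile(r"\d{10,}")   # map block:  "~\d{10,}"
IF_PATTERN = re.compile(r"\d{9,}")     # if block:   "\d{9,}"

def map_policy(range_value):
    """Mirror of 'map $http_range $saferange': the value that reaches the
    upstream; '' means proxy_set_header drops the header entirely."""
    return "" if MAP_PATTERN.search(range_value) else range_value

def if_policy(range_value):
    """Mirror of the 'if ($http_range ~ "\\d{9,}") { return 444; }' block:
    True means NGINX closes the client connection without a response."""
    return bool(IF_PATTERN.search(range_value))

# Cap for the parsing check. A byte position that does not fit a signed
# 64-bit file offset cannot describe a real file. The cap is this example's
# choice (hypothetical), not something the page specifies.
MAX_OFFSET = 2**63 - 1

def parse_policy(range_value, max_offset=MAX_OFFSET):
    """Stricter alternative, added here and not taken from the page: parse
    the 'bytes=' byte-ranges-specifier grammar and forward only well-formed
    ranges whose positions are <= max_offset. Returns (forward, reason)."""
    if range_value == "":
        return (True, "no Range header")
    m = re.fullmatch(r"bytes=(.+)", range_value.strip())
    if not m:
        return (False, "not a bytes= range or empty specifier")
    for spec in m.group(1).split(","):
        spec = spec.strip()
        rm = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not rm or rm.group(1) == rm.group(2) == "":
            return (False, f"malformed range-spec {spec!r}")
        first, last = rm.groups()
        if any(b and int(b) > max_offset for b in (first, last)):
            return (False, f"byte position beyond {max_offset} in {spec!r}")
        if first and last and int(first) > int(last):
            return (False, f"first-byte-pos exceeds last-byte-pos in {spec!r}")
    return (True, "well-formed")

def classify(raw):
    """Run all three policies over one raw request and report the outcome."""
    rv = range_from_request(raw)
    return {"range": rv,
            "map_forwards": map_policy(rv),        # '' = header stripped
            "if_closes": if_policy(rv),            # True = 444
            "parse_forwards": parse_policy(rv)[0]}

if __name__ == "__main__":
    print("probe:", classify(PROBE))
    for rv in LEGITIMATE_RANGES:
        print(f"{rv:32} map->{map_policy(rv)!r:34} "
              f"if_closes={if_policy(rv)} parse={parse_policy(rv)}")
```

Running the block shows the trade-off the regular expressions make: the probe is neutralized by every policy, but the 1 GiB resume request is stripped by the map variant and disconnected by the if variant, while the parsing check forwards it and still rejects the probe, whose last-byte position exceeds the cap. The parsing logic is an illustration of the tighter rule a WAF or a scripted filter could apply; it is not something the nginx map and if directives can express on their own.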

Stay safe and apply the patch; if you can't do that immediately, NGINX and NGINX Plus can help close the hole until you can.


About the Author

Owen Garrett

Senior Director of Product Management

Owen is a senior member of the NGINX Product Management team, covering open source and commercial NGINX products. He holds a particular responsibility for microservices and Kubernetes‑centric solutions. He’s constantly amazed by the ingenuity of NGINX users and still learns of new ways to use NGINX with every discussion.

About F5 NGINX

F5, Inc. is the company behind the popular open source software NGINX. We offer a full suite of technologies for developing and delivering modern applications. Our joint solutions bridge the gap between NetOps and DevOps, providing multi-cloud application services from code to user. Visit nginx-cn.net to learn more.