On April 14, Microsoft issued a vulnerability alert – now tracked as CVE-2015-1635 – about an issue that might permit remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. If patching your production Windows servers immediately is not an option, NGINX and NGINX Plus can help protect you from attacks while you schedule the patch.
The specific details of the vulnerability have not been released as of this writing, but attackers are reportedly probing for vulnerable systems by sending HTTP requests with very large byte ranges in the Range header, which can trigger a buffer overflow and crash the Windows system.
Users are strongly advised to apply Microsoft’s patch to address this vulnerability. However, if you cannot apply the patch to all of your production systems yet and are using NGINX or NGINX Plus to load balance or proxy traffic to them, a simple configuration change is enough to intercept and sanitize the crafted requests before they reach the vulnerable systems.
Identifying and Handling Reconnaissance Traffic
Mattias Geniar has analysed the attack traffic and reports that HTTP requests with a large byte range in the Range header trigger the crash. The probe request looks like this (line endings shown explicitly as CRLF; the range end, 18446744073709551615, is 2^64 - 1, the largest unsigned 64-bit integer):
    GET / HTTP/1.1\r\n
    Host: stuff\r\n
    Range: bytes=0-18446744073709551615\r\n
    \r\n
The simplest fix is to use the proxy_set_header directive to set the Range header to "" (the empty string). An empty value makes NGINX drop the header entirely, so it is removed before the request is forwarded to the Windows server named by the proxy_pass directive. Note that proxy_set_header directives are inherited from the enclosing level only when the current level defines none of its own, so place this directive next to any other headers you already set in the location (such as Host):
    server {
        listen 80;
        location / {
            # Drop the Range header: an empty value removes it from the proxied request
            proxy_set_header Range "";
            proxy_pass http://windowsserver:80;
        }
    }
If your application requires byte-range support, you can use the map directive to replace any Range value that contains a string resembling a large integer with the empty string, and then use proxy_set_header to set the Range header from the mapped variable. Be aware of the side effect: any byte position of 1,000,000,000 or more (ten digits, roughly 1 GB) also matches, so range requests into the second gigabyte of a large file are stripped and answered with the whole resource. Adjust the digit count to suit your content if that matters:
    map $http_range $saferange {
        "~\d{10,}" "";       # a run of 10 or more digits: remove the header
        default    $http_range;
    }
    server {
        listen 80;
        location / {
            # $saferange is empty (header removed) for suspicious values,
            # otherwise the client's original Range header
            proxy_set_header Range $saferange;
            proxy_pass http://windowsserver:80;
        }
    }
Alternatively, you can return HTTP code 444 when the value in the Range header resembles a large integer. Code 444 is NGINX‑specific: it instructs NGINX and NGINX Plus to close the client connection immediately without sending any response. Note that this example uses a 9-digit threshold (about 100 MB and up) where the map above used 10; choose one threshold and use it consistently if you combine the two approaches:
    server {
        listen 80;
        # Close the connection without a response if the Range header
        # contains a run of 9 or more digits
        if ($http_range ~ "\d{9,}") {
            return 444;
        }
        location / {
            proxy_pass http://windowsserver:80;
        }
    }
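To see exactly which Range headers the two regexes above let through, strip, or reject, the following added example (not part of the original post or of NGINX; the sample headers are constructed) models the map directive and the 444 rule in Python with the same patterns, \d{10,} and \d{9,}. It also parses the byte ranges numerically, which shows both the probe value and the side effect on legitimate requests for large files:

```python
import re

# Patterns from the NGINX configuration on this page:
# the map strips on 10+ consecutive digits, the 444 rule closes on 9+.
MAP_STRIP_RE = re.compile(r"\d{10,}")
DROP_CONN_RE = re.compile(r"\d{9,}")


def safe_range(http_range):
    """Model of `map $http_range $saferange`.

    Returns "" (header removed) when any run of 10 or more digits
    appears, otherwise the header unchanged. An absent header is the
    empty string, as $http_range is in NGINX.
    """
    if MAP_STRIP_RE.search(http_range):
        return ""
    return http_range


def should_close(http_range):
    r"""Model of `if ($http_range ~ "\d{9,}") { return 444; }`."""
    return DROP_CONN_RE.search(http_range) is not None


def largest_bound(http_range):
    """Parse a `bytes=a-b,c-` header and return its largest numeric
    bound, or None if there is no parseable byte range. Used to show
    which real values the digit-count regexes cut off."""
    m = re.fullmatch(r"\s*bytes=(.*)", http_range)
    if not m:
        return None
    bounds = []
    for part in m.group(1).split(","):
        for n in part.strip().split("-"):
            if n.isdigit():
                bounds.append(int(n))
    return max(bounds) if bounds else None


# Constructed sample Range header values (not captured traffic)
SAMPLES = [
    "",                                  # no Range header at all
    "bytes=0-1023",                      # ordinary small range
    "bytes=500-",                        # open-ended range
    "bytes=0-999999999",                 # 9 digits: passes the map, hits the 444 rule
    "bytes=0-1073741823",                # 10 digits: a 1 GiB file, stripped by the map
    "bytes=0-18446744073709551615",      # the probe quoted above, 2**64 - 1
    "bytes=0-99,18446744073709551615-",  # large value hidden in a multi-range header
]


def classify(samples=SAMPLES):
    """Return (header, map result, closed-by-444?) for each sample."""
    return [(r, safe_range(r), should_close(r)) for r in samples]


if __name__ == "__main__":
    for header, mapped, closed in classify():
        print(f"{header!r:40} map-> {mapped!r:34} 444={closed} "
              f"max-bound={largest_bound(header)}")
```

Running the script shows that the probe and the multi-range variant are neutralised by both rules, that "bytes=0-999999999" survives the map but is cut off by the 9-digit 444 rule, and that a legitimate range over a 1 GiB file is stripped by the map, which is the trade-off described above.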
Keep safe and apply the patch. If you can’t do that immediately, NGINX and NGINX Plus can help close the hole in the meantime.
To try NGINX Plus, start your free 30-day trial today or contact us for a demo.