CodeNewbie Community 🌱

Sharon428931

nginxWebUI Command Injection: A Zero-Day RCE Exploit Exposed

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Recently, Chaitin Security Research Lab discovered a Remote Code Execution (RCE) vulnerability in nginxWebUI, a graphical management tool for configuring Nginx. The tool is widely used to manage Nginx features such as HTTP/TCP forwarding, reverse proxying, load balancing and SSL certificate management.

The vulnerability lets an attacker execute arbitrary commands on the host running nginxWebUI, which can compromise the whole server. Although the vendor has released a patch, many public-facing instances have not been updated and remain exposed.

In this post, we’ll walk through:

  • The nature of the vulnerability
  • Detection tools
  • Mitigation options
  • How to secure your nginxWebUI installation

Vulnerability Description

nginxWebUI exposes an interface for running Nginx-related commands. Because the input to that interface is not sanitized, an attacker can append additional shell commands and have them executed on the server (command injection). Separately, the privilege check guarding this functionality is flawed, so it can be reached from the frontend without the required permissions.

Combined, the two issues let an unauthorized user bypass permission checks and run commands on the host directly through the user interface, which can lead to full system compromise.
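To make the two flaws concrete, here is an added illustration written for this post in Python. It is not nginxWebUI's code (the project is written in Java) and does not reproduce its endpoints; `echo nginx` stands in for the Nginx binary so the example runs without Nginx installed, and the operation names and the `is_admin` flag are assumptions for the illustration. The first function shows why a filter-based fix is fragile: the shell re-parses the concatenated string, so any metacharacter the filter misses becomes a second command. The last two functions show the fix a reviewer would ask for: an authorization check first, a fixed allow-list of operations, and execution without a shell.

```python
import subprocess

# Stand-in for the nginx binary so the example runs anywhere without Nginx
# installed: "echo nginx" prints whatever arguments it receives, which makes
# the argument boundaries visible. (Assumption: the real tool would invoke the
# configured nginx path here.)
NGINX_STAND_IN = ["echo", "nginx"]

# Hardened design: the UI offers a fixed set of operations, each mapped to a
# fixed argv vector. Users pick a key; they never supply arguments.
# (Assumed operation names, for illustration.)
ALLOWED_OPERATIONS = {
    "test":    ["-t"],
    "reload":  ["-s", "reload"],
    "stop":    ["-s", "stop"],
    "version": ["-v"],
}


def vulnerable_run(user_cmd: str) -> str:
    """Vulnerable pattern: user text spliced into one shell string.

    The shell re-parses the whole line, so ';', '|', '&&', '$(...)' and
    backticks inside user_cmd become additional commands.
    """
    cmdline = " ".join(NGINX_STAND_IN) + " " + user_cmd
    result = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return result.stdout


def argv_only_run(user_cmd: str) -> str:
    """Partial fix: no shell, so metacharacters stay literal.

    user_cmd arrives as exactly one argv element. This stops the injection,
    but the caller can still choose any nginx flag (for example a different
    -c configuration file), so it is not sufficient on its own.
    """
    result = subprocess.run([*NGINX_STAND_IN, user_cmd],
                            capture_output=True, text=True)
    return result.stdout


def hardened_run(operation: str, is_admin: bool) -> str:
    """Hardened pattern: authorization first, then allow-list, then argv exec."""
    if not is_admin:
        raise PermissionError("administrator privileges required")
    if operation not in ALLOWED_OPERATIONS:
        raise ValueError(f"unsupported operation: {operation!r}")
    argv = [*NGINX_STAND_IN, *ALLOWED_OPERATIONS[operation]]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


def handle_request(operation: str, is_admin: bool) -> str:
    """What an HTTP handler would do with the outcome: map the failures to a
    status instead of leaking them. Returns the status label."""
    try:
        hardened_run(operation, is_admin)
    except PermissionError:
        return "403 forbidden"
    except ValueError:
        return "400 bad request"
    return "200 ok"


if __name__ == "__main__":
    payload = "-t; echo INJECTED"          # constructed attacker input
    print("vulnerable :", repr(vulnerable_run(payload)))   # two commands ran
    print("argv only  :", repr(argv_only_run(payload)))    # one literal argument
    print("hardened   :", handle_request(payload, is_admin=True))
    print("hardened   :", handle_request("reload", is_admin=False))
    print("hardened   :", handle_request("test", is_admin=True))
```

Run it and compare the first two lines: in the vulnerable path `INJECTED` appears on its own line because the shell executed a second command, while in the argv-only path the same text is printed as a single argument. The hardened path never consults the allow-list for a non-admin caller, which is the order the advisory's two flaws require: fix the privilege check, then remove the command-execution surface.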

Vulnerability Summary:

  • Type: Command Injection
  • Vulnerable Versions: nginxWebUI <= 3.5.0
  • Impact: Remote Code Execution, Privilege Escalation

Detection Tools

To assist with identifying this vulnerability, we’ve developed two tools that are available for public use:

X-POC Remote Detection Tool

Detection Command:

xpoc -r 106 -t [TARGET_URL]

Download from GitHub or Chaitin Security Stack.

CloudWalker Local Detection Tool

Detection Command:

./nginx_webui_runcmd_rce_scanner_linux_amd64

Download from Chaitin Security Stack.


Affected Versions

  • nginxWebUI <= 3.5.0

Solution and Mitigation

Temporary Mitigation

Because the exploit is a command injection carried in an HTTP request, a Web Application Firewall (WAF) such as SafeLine can block many exploit attempts. The missing privilege check, however, is an application-logic flaw: a WAF inspects request payloads and cannot restore an authorization check that the application itself fails to perform, so a WAF alone does not mitigate the privilege bypass.

Recommendation:

  • Limit public exposure: where possible, do not expose nginxWebUI to the public internet; restrict it to trusted administrator networks.
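One concrete way to follow this recommendation, as an added example that is not from the advisory or the nginxWebUI project: publish the UI only through an Nginx server block that accepts connections from an administrative network and requires credentials before any request reaches the UI. The addresses, ports, hostname and file paths below are assumptions; adjust them to your environment, and make sure the UI's own listener is bound to loopback or blocked at the host firewall so the front door cannot be bypassed.

```nginx
# Added example, not part of the advisory. Assumptions: nginxWebUI listens on
# 127.0.0.1:8080 (loopback only), administrators connect from 10.0.0.0/8, and
# an htpasswd file exists at /etc/nginx/nginxwebui.htpasswd.
server {
    listen 443 ssl;
    server_name nginx-admin.example.internal;

    ssl_certificate     /etc/nginx/tls/admin.crt;
    ssl_certificate_key /etc/nginx/tls/admin.key;

    # Network allow-list: any other source address gets 403 before the
    # request is proxied, so the UI's own permission checks are never the
    # first line of defence.
    allow 10.0.0.0/8;
    deny  all;

    # Credentials are checked by Nginx itself, so an authorization flaw inside
    # the UI is not reachable anonymously.
    auth_basic           "nginxWebUI";
    auth_basic_user_file /etc/nginx/nginxwebui.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host       $host;
        proxy_set_header   X-Real-IP  $remote_addr;
    }
}
```

Check it from outside the allowed range with `curl -k https://nginx-admin.example.internal/`: a 403 from Nginx, not a login page, confirms the allow-list is in front of the application.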

Official Fix

The vendor has released a patch that fixes the privilege bypass and adds input sanitization to reduce the risk of command execution. Because that sanitization is filter-based and, in Chaitin's assessment, incomplete, some residual risk remains.

Recommendation:

  • Update to the latest version, which fixes the privilege bypass and reduces the risk of remote code execution.

Security Products Supporting Detection

  • Yuntu: Supports fingerprint detection for nginxWebUI and PoC-based detection.
  • SafeLine: Automatically detects exploitation attempts targeting this vulnerability.
  • Dongjian: Supports detection with the latest engine and vulnerability database.
  • CloudWalker: Supports detection via the latest vulnerability intelligence package for platforms 23.05.001 and above.
  • Quanxi: Has released a rule update that detects exploitation attempts for this issue.

Timeline

  • May 19: Official release of a patch addressing the vulnerability
  • May 22: Chaitin Security Lab receives vulnerability information
  • May 22: Scanning products begin to support detection
  • May 26: Details of the vulnerability publicly disclosed
  • June 27: Chaitin releases official vulnerability advisory

Conclusion

The nginxWebUI remote code execution vulnerability is a serious risk, especially for instances reachable from the internet. The vendor's patch fixes the privilege bypass and adds input sanitization, but because the fix relies on filtering, the issue is not considered fully resolved and further precautions are warranted.

We recommend strict access control, WAF protection, and updating to the latest version to guard against exploitation.

For more details, refer to the official nginxWebUI site.


Stay safe: protect your systems from vulnerabilities like this one with modern security tools such as SafeLine WAF.



Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.
