A recent vulnerability, CVE-2022-27007, has been found in the popular web server and reverse proxy server software, Nginx, used by millions of websites worldwide. Specifically, it affects the Nginx JavaScript (njs) module in version .7.2. The vulnerability resides in the njs_function_frame_alloc() function, where a use-after-free issue exists when trying to invoke from a restored frame saved with njs_function_frame_save().

This post will discuss the technical details of this vulnerability, including the potential consequences, code snippets, and how to mitigate the risk. It will also offer links to original references for further information.

Vulnerability Details

The core issue lies in the njs_function_frame_alloc() function, which allocates memory for Nginx JavaScript call frames when executing NJS scripts. When this function is used to invoke an object from a frame that was previously saved with njs_function_frame_save() and later restored, the use-after-free occurs.

A use-after-free vulnerability happens when a program continues to use a pointer after the memory it points to has been freed, often leading to crashes or, in some cases, code execution. In the context of CVE-2022-27007, a malicious user can potentially exploit this vulnerability to execute arbitrary code or cause a denial of service (DoS) on the affected system.

The following code snippet demonstrates the issue in the njs_function_frame_alloc() function:

njs_function_frame_t *
njs_function_frame_alloc(njs_thread_t *thread, size_t size, njs_bool_t ext)
{
   njs_function_frame_t  *frame;
   ...
   /* Reserve room for the frame header in front of the caller's payload. */
   size = size + njs_memcache_align_size(sizeof(njs_function_frame_t));

   if (ext) {
      /* Extended frames carry additional bookkeeping after the header. */
      size = size + NJS_FRAME_EXTENDED_SIZE;
   }

   /* Allocate the frame from the runtime's memory cache. */
   frame = thread->runtime->mem_cache.alloc(njs_memcache_align_size(size));
   ...
   return frame;
}

In this code, the function allocates memory for the Nginx JavaScript frame based on the requested size. However, when the object is invoked from a restored frame saved with njs_function_frame_save(), the size is not correctly updated, so the allocation does not match the saved frame and the use-after-free results.
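As an added illustration (not the njs source and not the project's fix), here is a constructed C model of the bug class: a saved call frame kept as a raw pointer becomes a stale alias once the frame is released, while an owning copy made at save time survives. Names such as frame_alloc and frame_release are hypothetical.

```c
/* Constructed, simplified model of the bug class: a call frame is saved by
 * pointer, released, and then used on restore. Not njs code. */
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

typedef struct {
    size_t size;
    unsigned char *data;
    bool live;          /* model-only flag so we never touch freed memory */
} frame_t;

static frame_t *frame_alloc(size_t size) {
    frame_t *f = calloc(1, sizeof *f);
    f->data = calloc(size, 1);
    f->size = size;
    f->live = true;
    return f;
}

/* In the model, release drops the payload and marks the frame dead. */
static void frame_release(frame_t *f) {
    free(f->data);
    f->data = NULL;
    f->live = false;
}

/* Unsafe pattern: the saved state is only an alias to the live frame. */
static int unsafe_restore_after_free(void) {
    frame_t *f = frame_alloc(16);
    f->data[0] = 0x41;
    frame_t *saved = f;          /* save keeps a bare pointer */
    frame_release(f);            /* frame goes away before restore */
    int rc = saved->live ? saved->data[0] : -1;  /* stale alias: -1 */
    free(f);
    return rc;
}

/* Safe pattern: save takes an owning copy, so restore never aliases freed memory. */
static int safe_restore_after_free(void) {
    frame_t *f = frame_alloc(16);
    f->data[0] = 0x41;
    frame_t *saved = frame_alloc(f->size);       /* deep copy on save */
    memcpy(saved->data, f->data, f->size);
    frame_release(f);
    int rc = saved->live ? saved->data[0] : -1;  /* copy survives: 0x41 */
    frame_release(saved);
    free(saved);
    free(f);
    return rc;
}
```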

Exploit

An attacker can exploit this vulnerability by crafting a malicious NJS script that purposely triggers the use-after-free issue in the njs_function_frame_alloc() function. This script can then be executed on an affected Nginx server, possibly causing a crash or allowing arbitrary code execution.

Mitigation

To address this vulnerability, users should upgrade to Nginx njs .7.3 or later, which includes a fix for the use-after-free issue. Additionally, administrators can protect their web servers by configuring Nginx to restrict running untrusted NJS scripts, keeping security patches up to date, and monitoring for any suspicious activity.

References

1. https://nvd.nist.gov/vuln/detail/CVE-2022-27007
2. https://github.com/nginx/njs/commit/8e8e181710f5dcd4d2a734846e7a17f7fefda6d1

Conclusion

CVE-2022-27007 is a use-after-free vulnerability affecting the Nginx njs .7.2 module. By exploiting this flaw, an attacker could potentially execute arbitrary code or cause a denial of service on the affected system. Administrators should take the necessary steps to upgrade to a fixed version of the software and implement strong security measures to protect their web servers from potential attacks.

Timeline

Published on: 04/14/2022 15:15:00 UTC
Last modified on: 05/19/2022 20:15:00 UTC