Using NGINX and NGINX Plus to Protect Against CVE-2015-1635

On April 14, Microsoft issued a vulnerability alert – now tracked as CVE-2015-1635 – about an issue that might permit remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. If patching your production Windows servers immediately is not an option, then NGINX and NGINX Plus can help protect you from attacks.

The specific details of the vulnerability have not been released as of this writing, but attackers are reportedly trying to find vulnerable systems by sending HTTP requests with very large Range requests, which can trigger a buffer overflow and cause a crash in the Windows system.

Users are strongly advised to apply Microsoft’s patch to address this vulnerability. However, if you are not able to apply the patch to all of your production systems and are using NGINX or NGINX Plus to load balance or proxy traffic to them, a simple configuration change is enough to intercept and fix the special requests sent to vulnerable systems.

Identifying and Handling Reconnaissance Traffic

Mattias Geniar has analysed the attack traffic and reports that HTTP requests with a large byte range in the Range header trigger the crash:

GET / HTTP/1.1\r\n
Host: stuff\r\n
Range: bytes=0-18446744073709551615\r\n
\r\n

The simplest fix is to use the proxy_set_header directive to set the Range header to "" (the empty string), which effectively deletes the header before the HTTP request is forwarded to the Windows server named by the proxy_pass directive:

server {
listen 80;

location / {
proxy_set_header Range "";
proxy_pass http://windowsserver:80;
}
}

If your application requires byte‑range support, you can use the map directive to replace any string that resembles a large integer with the empty string, before using the proxy_set_header directive to set the Range header:

map $http_range $saferange {
"~\d{10,}" ""; # if it matches a string of 10 or more integers, remove it
default $http_range;
}

server {
listen 80;

location / {
proxy_set_header Range $saferange;
proxy_pass http://windowsserver:80;
}
}

Alternatively, you can return HTTP code 444 when the value in the Range header resembles a large integer. Code 444 instructs NGINX and NGINX Plus to close the client connection immediately without returning anything.

server {
listen 80;

if ($http_range ~ "\d{9,}") {
return 444;
}

location / {
proxy_pass http://windowsserver:80;
}
}

Keep safe and apply the patch, but if you can’t do that immediately, NGINX and NGINX Plus can help close the potential hole over.

To try NGINX Plus, start your free 30-day trial today or contact us for a demo.

Cover image
Are your applications secure?
Learn how to protect your apps with NGINX and NGINX Plus