reverse-proxy/docs/research/threat-landscape.md
glm-5.1 8ee6284b62 Add architecture specification for Rust/axum reverse proxy
Phase 1 architecture docs covering proxy handler, TLS termination (ACME +
manual), TOML config with static/dynamic split (ArcSwap), and operations
(rate limiting, logging, health check, systemd, graceful shutdown).

Nine ADRs documenting key decisions: Rust/axum, custom proxy handler,
TOML config, rustls-acme for cert management, tokio-rustls direct,
token bucket rate limiting, custom log format for fail2ban,
static/dynamic config split, and signal handling strategy.

Includes threat landscape research documenting the nginx CVEs motivating
this project.
2026-06-11 07:25:50 +00:00

# Threat Landscape
## Active Nginx Vulnerabilities (May 2026)
All disclosed by DepthFirst's autonomous security analysis. Four related CVEs from a single audit, plus additional ones discovered separately.
### Critical
**CVE-2026-42945 (CVSS 9.2) — "NGINX Rift"**
- Heap buffer overflow in `ngx_http_rewrite_module`, present since 2008 (18 years)
- Unauthenticated RCE via `rewrite` + `set` directives
- Working PoC publicly released on GitHub
- **Actively exploited in the wild** within 3 days of disclosure
- Our config uses `rewrite`-equivalent logic (HTTP→HTTPS redirect)
- Affects 0.6.27–1.30.0, fixed in 1.31.0/1.30.1
- **We are vulnerable** (running 1.24.0)
### High
**CVE-2026-42946 (CVSS 8.3)**
- Buffer overread in `ngx_http_scgi_module` and `ngx_http_uwsgi_module`
- Worker crash or memory disclosure
- Excessive memory allocation attack (can trigger ~1TB allocation)
- Affects 0.8.42–1.30.0, fixed in 1.31.0/1.30.1
- **We are vulnerable** (running 1.24.0, though we don't use scgi/uwsgi)
### Medium
**CVE-2026-40701**
- Use-after-free in OCSP resolver
- Limited data modification or worker restart
- Affects 1.19.0–1.30.0, fixed in 1.31.0/1.30.1
- **We are vulnerable** (running 1.24.0)
**CVE-2026-9256**
- Buffer overflow in `ngx_http_rewrite_module` (separate from Rift)
- Affects 0.1.17–1.31.0, fixed in 1.31.1+
- **We are vulnerable** (running 1.24.0)
**CVE-2026-42926**
- HTTP/2 request injection in `ngx_http_proxy_module`
- Affects 1.29.4–1.30.0, fixed in 1.31.0/1.30.1
- We are not directly vulnerable (1.24.0 is outside range)
**CVE-2026-40460**
- HTTP/3 address spoofing
- Affects 1.25.0–1.30.0
- We are not directly vulnerable (1.24.0 is outside range)
### Low
**CVE-2026-42934**
- Buffer overread in `ngx_http_charset_module`
- Affects 0.3.50–1.30.0, fixed in 1.31.0/1.30.1
- **We are vulnerable** (running 1.24.0)
## Unreleased Vulnerabilities
Security researchers in relevant communities report at least 4 additional RCE vulnerabilities in nginx that have not yet been publicly disclosed. Researchers are expressing frustration with F5/nginx's slow response times and are considering public disclosure to force action.
This means the known CVEs above are likely just the tip of the iceberg.
## Risk Assessment
| Factor | Level | Notes |
|--------|-------|-------|
| Current exposure | **Critical** | Actively exploited RCE in our nginx version |
| Patch availability | **Available** | 1.30.1/1.31.0+ fix all known CVEs, but requires manual upgrade from Ubuntu default |
| Future risk | **High** | More undisclosed vulns likely; C codebase with systemic memory safety issues |
| Mitigation urgency | **Immediate** | RCE with public PoC and active exploitation |
## Why Rust Helps
- Memory safety by construction eliminates: buffer overflows, use-after-free, double-free, out-of-bounds reads/writes
- This is the **exact class of bugs** affecting nginx right now (6 out of 7 recent CVEs are memory corruption)
- rustls (pure Rust TLS) avoids OpenSSL dependency and its own CVE history
- Does NOT eliminate logic bugs — rate limiting, header-injection defenses, and access control still need careful design
- But provides a fundamentally safer baseline to build on
## Short-term Mitigation (While Developing Replacement)
1. Upgrade nginx to 1.30.1+ or 1.31.1+ immediately
2. Consider removing rewrite directives if possible
3. Ensure fail2ban is actively monitoring
4. Firewall restrictions on port 80/443 if feasible
5. Prioritize the Rust proxy project
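Steps 1 and 2 above are the ones that can be checked mechanically on the current host. The script below is an added example written for this research note; it is not part of the nginx project or of the Rust proxy. It assumes the Ubuntu default config location `/etc/nginx` and encodes the patched versions exactly as the mitigation list states them (1.30.1+ on the 1.30 branch, otherwise 1.31.1+); the sample config in the usage note is constructed.

```shell
#!/bin/sh
# Added example for the short-term mitigation list; not code from the original
# doc or the nginx project. Assumptions: config under /etc/nginx (Ubuntu
# default), patched versions are 1.30.1+ (1.30 branch) or 1.31.1+ as stated
# in mitigation step 1.

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing up to
# three numeric components; a missing component counts as 0.
version_ge() {
    a1=$(printf '%s' "$1" | cut -s -d. -f1); a2=$(printf '%s' "$1" | cut -s -d. -f2); a3=$(printf '%s' "$1" | cut -s -d. -f3)
    b1=$(printf '%s' "$2" | cut -s -d. -f1); b2=$(printf '%s' "$2" | cut -s -d. -f2); b3=$(printf '%s' "$2" | cut -s -d. -f3)
    for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
        a=${pair%%:*}; b=${pair#*:}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# parse_nginx_version LINE: pull "1.24.0" out of "nginx version: nginx/1.24.0"
# (the line `nginx -v` writes to stderr).
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# nginx_is_patched VERSION: succeed when VERSION carries the fixes for every
# CVE listed above, per mitigation step 1 ("1.30.1+ or 1.31.1+").
nginx_is_patched() {
    case "$1" in
        1.30.*) version_ge "$1" 1.30.1 ;;
        *)      version_ge "$1" 1.31.1 ;;
    esac
}

# count_rewrite_directives < CONFIG: number of uncommented `rewrite` directives
# on stdin (the directive involved in CVE-2026-42945 and CVE-2026-9256).
# grep -c exits 1 when the count is 0, so mask that status.
count_rewrite_directives() {
    grep -c '^[[:space:]]*rewrite[[:space:]]' || true
}

# Report on the local host; skipped entirely when nginx is not installed.
if command -v nginx >/dev/null 2>&1; then
    ver=$(parse_nginx_version "$(nginx -v 2>&1)")
    if nginx_is_patched "$ver"; then
        echo "nginx $ver: contains the fixes for the CVEs listed above"
    else
        echo "nginx $ver: VULNERABLE, upgrade to 1.30.1+ / 1.31.1+ (mitigation step 1)"
    fi
    if [ -d /etc/nginx ]; then
        n=$(cat /etc/nginx/nginx.conf /etc/nginx/sites-enabled/* 2>/dev/null | count_rewrite_directives)
        echo "uncommented rewrite directives under /etc/nginx: $n (mitigation step 2)"
    fi
fi
```

Run it as a normal user on the nginx host; `nginx -v` needs no privileges, and the config read falls back to a count of 0 if the files are unreadable. The version check is deliberately strict about the 1.31 branch: 1.31.0 is reported as vulnerable because CVE-2026-9256 is only fixed in 1.31.1+. A commented-out `rewrite` is not counted, so a config whose HTTP to HTTPS redirect was converted to a `return 301` block reports 0.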