SB2020070148 - Multiple vulnerabilities in NGINX Controller

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper Certificate Validation (CVE-ID: CVE-2020-5909)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.

2) Improper Authentication (CVE-ID: CVE-2020-5910)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.

3) Input validation error (CVE-ID: CVE-2020-5911)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.

4) Cross-site request forgery (CVE-ID: CVE-2020-5900)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Remediation

Install update from vendor's website.

References

• https://support.f5.com/csp/article/K31150658
• https://support.f5.com/csp/article/K59209532
• https://support.f5.com/csp/article/K84084843
• https://support.f5.com/csp/article/K31044532