The development team behind the popular Nginx open-source Web server software released security updates on Tuesday to address a highly critical vulnerability that could be exploited by remote attackers to execute arbitrary code on susceptible servers.
Identified as CVE-2013-2028, the vulnerability is a stack-based buffer overflow and was first introduced in the Nginx 1.3.9 development version back in November 2012. The flaw is also present in the 1.4.0 stable version released last month.
[ Also on InfoWorld: Stealthy malware spreading among popular Web servers. | Learn how to install Apache on Linux in InfoWorld Test Center's step-by-step guide. | Get your websites up to speed with HTML5 today using the techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. ]
The bug, which has been rated as highly critical by vulnerability management firm Secunia, was fixed in the new Nginx 1.4.1 stable version and Nginx 1.5.0 development version. The vulnerability can be exploited by malicious attackers by sending specially crafted HTTP chunks to an exposed Nginx server.
Successful exploitation can lead to arbitrary code execution and system compromise, Secunia said in its advisory.
Nginx is developed with performance and low memory usage in mind and can be used as an HTTP server, as a reverse proxy server and as a load balancer. This makes it appealing to websites that receive a considerable amount of traffic.
Nginx is the third most widely used Web server software on the Internet after Apache and Microsoft IIS with a market share of over 15 percent, according to a recent Web server survey by Internet services firm Netcraft.
The software's growing popularity has, however, also attracted the attention of cybercriminals. On Tuesday, researchers from security vendor Eset reported the discovery of a sophisticated backdoor program designed specifically for Nginx servers. The existence of this malicious program is evidence that cyber criminals are no longer only targeting the most popular software.