CVE-2022-41742 Overview
CVE-2022-41742 is a memory corruption vulnerability affecting the ngx_http_mp4_module in NGINX Open Source, NGINX Open Source Subscription, and NGINX Plus. This vulnerability allows a local attacker to trigger a worker process crash (Denial of Service) or potentially disclose worker process memory contents by exploiting improper handling of specially crafted audio or video files processed by the MP4 streaming module.
The vulnerability is classified as CWE-787 (Out-of-Bounds Write), indicating that the flaw involves writing data past the boundaries of allocated memory buffers during MP4 file parsing operations. Exploitation requires that NGINX be compiled with the ngx_http_mp4_module and that the mp4 directive be enabled in the configuration.
Critical Impact
Local attackers can crash NGINX worker processes causing service disruption, or extract sensitive information from worker process memory through specially crafted media files.
Affected Products
- F5 NGINX Open Source versions before 1.23.2 and 1.22.1
- F5 NGINX Open Source Subscription versions before R2 P1 and R1 P1
- F5 NGINX Plus versions before R27 P1 and R26 P1
- F5 NGINX Ingress Controller (various versions)
- Fedora 35, 36, and 37
- Debian Linux 10.0 and 11.0
Discovery Timeline
- October 19, 2022 - CVE-2022-41742 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-41742
Vulnerability Analysis
The vulnerability resides in the ngx_http_mp4_module, which provides pseudo-streaming server-side support for MP4 media files. This module is an optional component that must be explicitly compiled into NGINX and enabled through the mp4 directive in the configuration file.
When processing specially crafted audio or video files, the module fails to properly validate or handle certain boundary conditions during MP4 atom/box parsing. This results in an out-of-bounds write condition where data can be written beyond the boundaries of allocated memory buffers.
Exploitation requires local access to upload or place a malicious media file that will be processed by the vulnerable module. Upon processing, the vulnerability can manifest in two ways: an immediate worker process crash leading to denial of service, or memory disclosure in which contents of the worker process memory may be exposed to the attacker.
Root Cause
The root cause is an out-of-bounds write vulnerability (CWE-787) in the MP4 file parsing logic within ngx_http_mp4_module. The module does not adequately validate the structure and metadata of MP4 files before processing, allowing malformed media files to trigger memory corruption during atom traversal and data extraction operations. This improper bounds checking enables writes to memory locations outside the intended buffer, corrupting adjacent memory structures or exposing sensitive data.
Attack Vector
The attack requires local access to the system and the ability to trigger NGINX to process a malicious MP4 file. The attack scenario involves:
- An attacker with local access to the system crafts a specially malformed MP4 file with corrupted atom structures or manipulated metadata fields
- The malicious file is placed in a location where NGINX's ngx_http_mp4_module will process it (e.g., through file upload functionality or direct file system access)
- When a client requests the media file with streaming parameters (such as ?start=X), the module parses the file structure
- During parsing, the malformed atoms trigger the out-of-bounds write, causing either a worker process crash or memory disclosure
The attack is constrained by two requirements: local access to the system, and a target NGINX instance that has the MP4 module both compiled in and enabled. This reduces the attack surface compared to remotely exploitable vulnerabilities.
Detection Methods for CVE-2022-41742
Indicators of Compromise
- Unexpected NGINX worker process crashes or restarts in system logs
- Error log entries related to MP4 file processing failures or memory allocation errors
- Unusual MP4 files with malformed atom structures appearing in media directories
- Segmentation fault signals (SIGSEGV) in NGINX worker processes
Detection Strategies
- Monitor NGINX error logs for entries containing ngx_http_mp4_module errors or segmentation faults
- Implement file integrity monitoring on directories containing MP4 content served by NGINX
- Use application performance monitoring to detect abnormal worker process restart patterns
- Deploy intrusion detection rules to identify requests with unusual MP4 streaming parameters
Monitoring Recommendations
- Configure alerting for NGINX worker process crash events using process monitoring tools
- Enable detailed error logging for the MP4 module to capture parsing failures
- Monitor for requests to MP4 files with unusual start parameter values that may indicate exploitation attempts
- Track system memory usage anomalies that could indicate memory disclosure exploitation
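The crash monitoring described above can be narrowed to MP4 handling by tying each worker that the master reports as killed by signal 11 to the MP4 files that same worker pid logged about shortly before. This is an added example, not code from F5 or the original page; the log lines are constructed samples in the standard NGINX error log layout, and the MP4 message text and the 60-second window are assumptions. A crash with no preceding MP4 message is still returned, because the request that kills a worker may log nothing before the fault.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "YYYY/MM/DD HH:MM:SS [level] pid#tid: message" (NGINX error log layout)
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[\w+\] (\d+)#\d+: (.*)$")
CRASH = re.compile(r"worker process (\d+) exited on signal (\d+)")
# First quoted string ending in .mp4: the file the module was parsing.
MP4_FILE = re.compile(r'"([^"]+\.mp4)"')

def correlate(error_log_text, window_seconds=60):
    """Return one finding per worker killed by SIGSEGV (signal 11), listing
    the MP4 files that worker logged about within the preceding window."""
    mp4_events = defaultdict(list)          # worker pid -> [(time, file)]
    window = timedelta(seconds=window_seconds)
    findings = []
    for raw in error_log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        pid, msg = int(m.group(2)), m.group(3)
        crash = CRASH.search(msg)
        if crash:
            if int(crash.group(2)) != 11:
                continue                    # only SIGSEGV is of interest here
            worker = int(crash.group(1))    # logged by the master, names the worker
            files = sorted({f for t, f in mp4_events[worker] if ts - t <= window})
            findings.append({"time": m.group(1), "worker": worker, "mp4_files": files})
        elif "mp4" in msg:
            hit = MP4_FILE.search(msg)
            if hit:
                mp4_events[pid].append((ts, hit.group(1)))
    return findings

# Constructed sample log (not captured from a real system).
SAMPLE_ERROR_LOG = """\
2022/10/20 14:03:09 [error] 1207#1207: *41 "/srv/media/videos/clip.mp4" mp4 atom too large:4294967295, client: 198.51.100.7, server: _, request: "GET /videos/clip.mp4?start=30 HTTP/1.1", host: "media.example"
2022/10/20 14:03:11 [alert] 1201#1201: worker process 1207 exited on signal 11
2022/10/20 14:09:40 [error] 1215#1215: *77 open() "/srv/media/favicon.ico" failed (2: No such file or directory), client: 198.51.100.9, server: _, request: "GET /favicon.ico HTTP/1.1"
2022/10/20 14:20:02 [alert] 1201#1201: worker process 1215 exited on signal 11 (core dumped)
2022/10/20 14:25:00 [notice] 1201#1201: worker process 1220 exited on signal 15
"""

if __name__ == "__main__":
    for finding in correlate(SAMPLE_ERROR_LOG):
        print(finding)
```

Files that show up in `mp4_files` are the ones to quarantine and inspect first.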
How to Mitigate CVE-2022-41742
Immediate Actions Required
- Update NGINX Open Source to version 1.23.2, 1.22.1, or later
- Update NGINX Plus to version R27 P1, R26 P1, or later
- Update NGINX Open Source Subscription to version R2 P1, R1 P1, or later
- If immediate patching is not possible, disable the ngx_http_mp4_module by removing the mp4 directive from configuration files
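To decide which hosts need these actions first, the two preconditions (module compiled in, `mp4` directive enabled) and the fixed Open Source versions can be checked from the text of `nginx -V` and `nginx -T`. This is an added example, not F5's or the page's own tooling; the sample outputs are constructed, and the version test covers upstream Open Source numbering only, so NGINX Plus releases and distribution packages with backported fixes have to be judged by their own release identifiers.

```python
import re

# Fixed NGINX Open Source releases named on this page.
FIXED_STABLE = (1, 22, 1)
FIXED_MAINLINE = (1, 23, 2)

def parse_version(nginx_v_output):
    """Extract (major, minor, patch) from `nginx -V` output, or None."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    return tuple(int(p) for p in m.groups()) if m else None

def is_patched(version):
    """Assumption: 1.23.x is judged against 1.23.2, all else against 1.22.1."""
    if version[:2] == (1, 23):
        return version >= FIXED_MAINLINE
    return version >= FIXED_STABLE

def active_mp4_directives(nginx_t_output):
    """Return (file, line_no) for each uncommented `mp4;` in `nginx -T` output."""
    hits, current, line_no = [], "<unknown>", 0
    for raw in nginx_t_output.splitlines():
        header = re.match(r"# configuration file (.+):$", raw)
        if header:                          # nginx -T prints one header per file
            current, line_no = header.group(1), 0
            continue
        line_no += 1
        code = raw.split("#", 1)[0]         # drop comments
        if re.search(r"(?:^|[\s;{}])mp4\s*;", code):
            hits.append((current, line_no))
    return hits

def assess(nginx_v_output, nginx_t_output):
    version = parse_version(nginx_v_output)
    compiled = "--with-http_mp4_module" in nginx_v_output
    directives = active_mp4_directives(nginx_t_output)
    patched = version is not None and is_patched(version)  # unknown => unpatched
    return {"version": version, "module_compiled": compiled,
            "mp4_directives": directives,
            "exposed": compiled and bool(directives) and not patched}

# Constructed samples of `nginx -V` and `nginx -T` output.
SAMPLE_V = ("nginx version: nginx/1.22.0\n"
            "configure arguments: --with-http_ssl_module --with-http_mp4_module\n")
SAMPLE_T = ("# configuration file /etc/nginx/nginx.conf:\n"
            "http {\n  server {\n    location /videos/ {\n      mp4;\n"
            "      mp4_buffer_size 1m;\n    }\n"
            "    location /static/ {\n      # mp4;\n    }\n  }\n}\n")

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_T))
```

On a live host the inputs come from `nginx -V 2>&1` and `nginx -T`; the reported file and line point at the directive to remove if patching has to wait.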
Patch Information
F5 has released security patches addressing this vulnerability. Refer to the F5 Support Article K28112382 for official patch information and upgrade guidance. Linux distributions have also issued updates:
- Debian: Security advisory DSA-5281 provides patched packages for Debian 10.0 and 11.0
- Fedora: Updates available for Fedora 35, 36, and 37 through standard package repositories
- NetApp: Advisory NTAP-20230120-0005 for affected NetApp products
Workarounds
- Disable the MP4 streaming module by removing mp4 directives from NGINX configuration if the feature is not required
- Restrict file upload capabilities to prevent untrusted users from uploading media files
- Implement strict access controls on directories containing MP4 content
- Use a web application firewall to filter requests with suspicious MP4 streaming parameters
# Disable MP4 module by removing or commenting out mp4 directives
# In nginx.conf or site configuration files:

# Before (vulnerable configuration):
# location /videos/ {
#     mp4;
#     mp4_buffer_size 1m;
#     mp4_max_buffer_size 5m;
# }

# After (mitigated configuration):
location /videos/ {
    # mp4 directive removed - streaming disabled
    # Serve files as static content only
}

# Verify configuration and reload
nginx -t && systemctl reload nginx

