CVE-2024-7347 Overview
CVE-2024-7347 is an out-of-bounds read vulnerability affecting NGINX Open Source and NGINX Plus in the ngx_http_mp4_module. This vulnerability allows an attacker to over-read NGINX worker memory, resulting in worker process termination through a denial of service condition. The attack requires a specially crafted MP4 file to trigger the vulnerability.
Critical Impact
Successful exploitation can cause NGINX worker processes to terminate, leading to service disruption for web applications and services relying on NGINX for content delivery.
Affected Products
- F5 NGINX Open Source versions 1.5.13 through 1.26.2 and 1.27.0
- F5 NGINX Plus R27 through R32
- F5 NGINX Plus R31 P1
Discovery Timeline
- 2024-08-14 - CVE-2024-7347 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-7347
Vulnerability Analysis
This vulnerability is classified as an out-of-bounds read (CWE-125, CWE-126) in the ngx_http_mp4_module component of NGINX. The vulnerability occurs when NGINX processes specially crafted MP4 files, causing the worker process to read beyond allocated memory boundaries.
The issue only manifests under specific conditions: NGINX must be compiled with the ngx_http_mp4_module enabled, and the mp4 directive must be configured in the NGINX configuration file. This module is commonly used for pseudo-streaming of MP4 video files, allowing clients to seek to specific positions within the video without downloading the entire file.
When an attacker can trigger the processing of a malicious MP4 file, the ngx_http_mp4_module fails to properly validate boundaries when parsing MP4 metadata structures, leading to memory over-read conditions that crash the worker process.
Root Cause
The root cause stems from insufficient boundary checking in the ngx_http_mp4_module when parsing MP4 file structures. The module does not adequately validate the size and offset values in MP4 atom/box structures before reading memory, allowing crafted files with malformed metadata to trigger out-of-bounds read operations in the NGINX worker memory space.
Attack Vector
The attack vector is local in nature, requiring the attacker to trigger processing of a specially crafted MP4 file through the vulnerable module. This typically requires:
- The attacker must have a way to upload or cause NGINX to process a malicious MP4 file
- The target NGINX server must have ngx_http_mp4_module enabled and the mp4 directive configured
- The malicious file must be served through a location block with MP4 streaming enabled
The vulnerability manifests during MP4 metadata parsing within the ngx_http_mp4_module. When the module processes the crafted file, it attempts to read memory beyond allocated buffer boundaries, causing the NGINX worker process to crash. For detailed technical information, refer to the F5 Knowledge Base Article.
Detection Methods for CVE-2024-7347
Indicators of Compromise
- Unexpected NGINX worker process crashes in error logs with references to ngx_http_mp4_module
- Presence of suspicious or unusually structured MP4 files in web-accessible directories
- Repeated segmentation faults or memory access violations in NGINX worker processes
- Multiple worker process restarts within short time periods
Detection Strategies
- Monitor NGINX error logs for worker process termination events and segmentation faults
- Implement file integrity monitoring for MP4 files served through NGINX
- Use intrusion detection systems to identify anomalous MP4 file uploads
- Deploy application-layer firewalls to inspect uploaded media files for malformed structures
Monitoring Recommendations
- Enable detailed NGINX error logging and centralize log collection for analysis
- Set up alerting for abnormal worker process restart patterns
- Monitor system logs for NGINX-related memory access violations
- Implement real-time monitoring of NGINX process stability metrics
How to Mitigate CVE-2024-7347
Immediate Actions Required
- Upgrade NGINX Open Source to version 1.26.2 or 1.27.1 or later
- Upgrade NGINX Plus to R32 P1 or later
- If immediate patching is not possible, disable the ngx_http_mp4_module or remove mp4 directives from configuration
- Restrict upload capabilities for MP4 files to trusted users only
Patch Information
F5 has released security patches addressing this vulnerability. Affected users should consult the F5 Knowledge Base Article for specific upgrade instructions and patch availability. Additional information is available through the Openwall OSS Security Message.
For Debian-based systems, refer to the Debian LTS Announcement for distribution-specific updates.
Workarounds
- Disable the ngx_http_mp4_module by removing or commenting out mp4 directives in NGINX configuration
- Implement access controls to restrict who can upload MP4 files to the server
- Use a reverse proxy or CDN in front of NGINX to filter potentially malicious requests
- Limit MP4 streaming functionality to internal or trusted networks only
# Configuration example - Disable mp4 module in affected locations
# Comment out or remove mp4 directive from location blocks
# Before (vulnerable):
# location /videos/ {
# mp4;
# mp4_buffer_size 1m;
# }
# After (mitigated):
location /videos/ {
# mp4 directive removed to mitigate CVE-2024-7347
alias /var/www/videos/;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
