CVE-2023-1550: F5 NGINX Agent information disclosure

A new security vulnerability, CVE-2023-1550, has been discovered in F5 NGINX Agent. Rated with a CVSS score of 5.5, it poses a moderate threat to your system’s security.

The Vulnerability Explained

CVE-2023-1550 affects NGINX Agent version 2.0 before 2.23.3, which is included with NGINX Instance Manager and used in conjunction with NGINX API Connectivity Manager, and NGINX Management Suite Security Monitoring. The vulnerability stems from the fact that the agent inserts sensitive information, such as private keys, into log files when non-default trace level logging is enabled. If an authenticated attacker with local access gains access to these log files, they can exploit this information to carry out further attacks against your system.

The Risks

This information disclosure vulnerability allows a remote authenticated attacker to obtain sensitive information by exploiting the insertion of private keys into log files. The attacker can use this information to launch additional attacks against the affected system. With access to private keys, an attacker could potentially compromise the security and integrity of your system, leading to unauthorized access, data leakage, and other malicious activities.

Recommended Actions

To eliminate this vulnerability, follow these steps:

1. Upgrade: If you are running NGINX Agent version 2.0 before 2.23.3, update to version 2.23.3 or later. If no update candidate exists for your branch, F5 recommends upgrading to a version with the fix.
2. Verify: If you are running a version with the fix, ensure that your version has the fix by checking the “Fixes introduced in” column in the relevant tables.

Mitigation

To mitigate the risks associated with CVE-2023-1550, adhere to these best practices:

1. Log Level Configuration: Avoid setting the log level to “trace” in the NGINX Agent configuration file. The default log level is “info.”
2. Review Configuration: To determine if you have set the log level to “trace,” review the configuration options in the “Configuring the NGINX Agent” section of the NGINX Management Suite documentation.
3. Access Control: If it is necessary to set the log level to “trace” in your environment, ensure that only trusted users have access to the log files to minimize the risk of unauthorized access.