Date: 10 March 2009
References: AU-2009.0011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0164 -- [Win][UNIX/Linux][Appliance]
Intercepting proxy servers may incorrectly rely on HTTP
headers to make connections
10 March 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BlueCoat ProxySG
Qbik WinGate
SmoothWall SmoothGuardian
Squid
Ziproxy 2.6.0
Publisher: US-CERT
Operating System: Network Appliance
UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Inappropriate Access
Access: Remote/Unauthenticated
CVE Names: CVE-2009-0801 CVE-2009-0802 CVE-2009-0803
CVE-2009-0804
Ref: AU-2009.0011
Original Bulletin: http://www.kb.cert.org/vuls/id/435052
Revision History: March 10 2009: Added CVE Names and information on
products/operating systems.
February 24 2009: Initial Release
--------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#435052
Intercepting proxy servers may incorrectly rely on HTTP headers to make
connections
Overview
Proxy servers running in transparent interception mode that make
connection decisions based on HTTP host-header values may be used by an
attacker to relay connections.
I. Description
HTTP Host headers are defined in RFC 2616 and are often used by web servers
to allow multiple websites to share a single IP address.
From RFC 2616:
A "host" without any trailing port information implies the default
port for the service requested (e.g., "80" for an HTTP URL). For
example, a request on the origin server for
<http://www.w3.org/pub/WWW/> would properly include:
GET /pub/WWW/ HTTP/1.1
Host: www.w3.org
A client MUST include a Host header field in all HTTP/1.1 request
messages. If the requested URI does not include an Internet host
name for the service being requested, then the Host header field
MUST be given with an empty value. An HTTP/1.1 proxy MUST ensure
that any request message it forwards does contain an appropriate
Host header field that identifies the service being requested by
the proxy. All Internet-based HTTP/1.1 servers MUST respond with a
400 (Bad Request) status code to any HTTP/1.1 request message which
lacks a Host header field.
Transparent proxy servers intercept and redirect network connections
without user interaction or browser configuration. Some transparent
intercepting proxy implementations make connection decisions based on the
HTTP host-header value. Browser plugins (Flash, Java, etc.) may enforce
access controls on active content by limiting communication to the site or
domain that the content originated from. An attacker may be able to forge
host header values via active content. A proxy server running in
transparent interception mode that makes connection decisions based on
host header values instead of source and destination IP addresses is
vulnerable because a remote attacker can forge host-header values.
To successfully exploit this issue, an attacker would need to either
convince a user to visit a web page with malicious active content or be
able to load the active content in an otherwise trusted site. Note that
this vulnerability appears to affect only proxy servers that run in
transparent mode, and browser same-origin policies should prevent attackers
from re-using authentication credentials (cookies, etc.) to obtain further
access. This issue does not apply to proxy servers running in reverse mode.
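As an added illustration (not part of the vulnerability note or of any vendor's code), the two connection-decision strategies the description contrasts, in Python: an upstream chosen from the Host header alone, versus an upstream pinned to the original destination of the intercepted TCP connection, with the Host header only cross-checked. The addresses, the static DNS table and the two requests are constructed for the example.

```python
from typing import Optional, Tuple

# Constructed scenario: the proxy intercepted a TCP connection that the client
# really opened to the public web server 203.0.113.10:80 (documentation range).
INTERCEPTED_DST = ("203.0.113.10", 80)

# Constructed DNS view as seen from the proxy; intranet.example is internal-only.
FAKE_DNS = {"www.example.com": "203.0.113.10", "intranet.example": "10.0.0.5"}

# Constructed requests: the first names the real destination, the second
# carries a Host header that does not match where the connection was going.
HONEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
MISMATCHED = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

def resolve(hostname: str) -> Optional[str]:
    """Stand-in for the proxy's DNS lookup (assumption: a static table)."""
    return FAKE_DNS.get(hostname)

def parse_host_header(raw_request: bytes) -> Tuple[str, int]:
    """Return (host, port) from the Host header of a raw HTTP/1.1 request.
    IPv6 literals such as [::1]:80 are out of scope for this illustration."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host, _, port = value.strip().partition(":")
            return host.lower(), int(port) if port else 80
    raise ValueError("HTTP/1.1 request without a Host header")

def upstream_by_host_header(raw_request: bytes) -> Tuple[str, int]:
    """The behaviour the note describes: the Host header alone selects the
    upstream, so whoever controls that header controls where the proxy connects."""
    host, port = parse_host_header(raw_request)
    ip = resolve(host)
    if ip is None:
        raise LookupError(host)
    return ip, port

def upstream_by_original_destination(raw_request: bytes,
                                     intercepted_dst: Tuple[str, int]) -> Tuple[str, int]:
    """Hardened decision: the upstream is always the address the intercepted
    connection was already going to. The Host header is only cross-checked and
    a mismatch is refused (a more lenient proxy could log it and still serve
    from the original destination); either way the header cannot redirect."""
    host, port = parse_host_header(raw_request)
    if resolve(host) != intercepted_dst[0] or port != intercepted_dst[1]:
        raise PermissionError(f"Host {host}:{port} does not match intercepted "
                              f"destination {intercepted_dst[0]}:{intercepted_dst[1]}")
    return intercepted_dst
```

Note that a DNS round-robin or CDN name can legitimately resolve to an address other than the intercepted one, which is why the lenient variant (serve the original destination, log the mismatch) is often preferable to an outright refusal.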
II. Impact
An attacker may be able to make full connections to any website or resource
that the proxy can connect to. These sites may include internal resources
such as intranet sites that would not usually be exposed to the Internet.
III. Solution
Update
When possible, administrators should obtain updated software.
See the systems affected section of this document for a partial list of
affected vendors. Until updates can be applied, the workarounds below
will mitigate this vulnerability.
Workarounds for Administrators
It is possible to limit the impact of this vulnerability by restricting
access in several ways:
* Internal services that use an authentication scheme (such as a
username/password) are not as likely to be affected by this issue.
* Network designs that have limited connectivity between the proxy and
internal services will prevent an attacker from obtaining direct
access to these services via the proxy. Administrators should
consider using access control lists or firewall rules to prevent
direct connections between internal servers and proxy servers.
* Administrators should configure the proxy to use only the
protocols and ports which are required for normal operation. In
particular, administrators should limit the CONNECT method to only
the minimum required port range (usually 443/tcp).
* When possible, router or switch access control lists should be
configured to prevent HTTP proxy servers from connecting to servers
using ports or protocols that they would not normally use. HTTP proxy
servers do not usually need to communicate with well known ports
other than 80/tcp and 443/tcp.
Workarounds for specific vendors are in the systems affected section of
this document.
Workarounds for users
* To exploit this issue an attacker needs to execute active content
(Java, Flash, Silverlight, etc) in the context of a web browser.
Mozilla Firefox users should consider using the NoScript plugin to
whitelist sites that can execute dynamic content. See the Securing
Your Web Browser document for more information about secure browser
configurations.
Workarounds for proxy server vendors
Although these workarounds will not address the underlying issue, vendors
who distribute HTTP proxy servers are encouraged to implement them to
mitigate future vulnerabilities.
* In default configurations, the proxy server should only be able to
connect to a limited number of well known ports.
* The CONNECT method should only be allowed for traffic that uses
destination port 443/tcp, unless the proxy is designed to act as a
TCP tunnel on all ports.
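An added example (not code from the note or from any proxy vendor) of the port policy the administrator and vendor workarounds describe, in Python: a parser for the two request-line forms a proxy receives (CONNECT authority form and absolute-URI form) and a decision function that confines CONNECT to 443/tcp and plain HTTP to 80/tcp and 443/tcp. The port sets and the request lines are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Tuple

# Assumed policy values (not any vendor's defaults): plain HTTP only to the two
# well-known web ports, CONNECT tunnels only to 443/tcp.
SAFE_PORTS = frozenset({80, 443})
CONNECT_PORTS = frozenset({443})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_request_line(request_line: str) -> Tuple[str, str, int]:
    """Return (method, host, port) for the two forms a proxy sees:
    'CONNECT host:port HTTP/1.1' and 'GET http://host[:port]/path HTTP/1.1'."""
    method, target, _version = request_line.split()
    method = method.upper()
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return method, host, int(port)
    scheme, sep, rest = target.partition("://")
    if not sep:
        raise ValueError("absolute-form request target expected")
    authority = rest.split("/", 1)[0]
    host, sep, port = authority.rpartition(":")
    if not sep:  # no explicit port: use the default for the scheme
        host, port = authority, ("443" if scheme.lower() == "https" else "80")
    return method, host, int(port)


def decide(method: str, port: int) -> Decision:
    """Port policy from the workarounds: CONNECT is a raw TCP tunnel, so it is
    the method that must be confined most tightly."""
    if method == "CONNECT":
        if port in CONNECT_PORTS:
            return Decision(True, "CONNECT to a permitted TLS port")
        return Decision(False, f"CONNECT to port {port} refused")
    if port in SAFE_PORTS:
        return Decision(True, f"{method} to well-known port {port}")
    return Decision(False, f"{method} to non-standard port {port} refused")


def evaluate(request_line: str) -> Decision:
    method, _host, port = parse_request_line(request_line)
    return decide(method, port)
```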
Systems Affected
Vendor                                         Status          Date Notified  Date Updated
3com, Inc.                                     Unknown         2008-12-09     2008-12-09
ACCESS                                         Unknown         2008-12-09     2008-12-09
Alcatel-Lucent                                 Unknown         2008-12-09     2008-12-09
Apple Computer, Inc.                           Not Vulnerable  2008-12-09     2008-12-11
AT&T                                           Unknown         2008-12-09     2008-12-09
Avaya, Inc.                                    Unknown         2008-12-09     2008-12-09
AvertLabs                                      Unknown         2008-12-10     2008-12-10
Barracuda Networks                             Unknown         2008-12-09     2008-12-09
Belkin, Inc.                                   Unknown         2008-12-09     2008-12-09
Blue Coat Systems                              Unknown         2009-01-02     2009-01-02
Borderware Technologies                        Not Vulnerable  2008-12-09     2009-02-03
Bro                                            Unknown         2008-12-09     2008-12-09
Charlotte's Web Network                        Unknown         2008-12-09     2008-12-09
Check Point Software Technologies              Not Vulnerable  2008-12-09     2009-02-20
CIAC                                           Unknown         2008-12-09     2008-12-09
Cisco Systems, Inc.                            Unknown         2008-12-09     2009-02-02
Clavister                                      Unknown         2008-12-09     2008-12-09
Computer Associates                            Unknown         2008-12-09     2008-12-09
Computer Associates eTrust Security Management Unknown         2008-12-09     2008-12-09
Conectiva Inc.                                 Unknown         2008-12-09     2008-12-09
Cray Inc.                                      Not Vulnerable  2008-12-09     2008-12-17
Data Connection, Ltd.                          Unknown         2008-12-09     2008-12-09
Debian GNU/Linux                               Not Vulnerable  2008-12-09     2009-02-20
DragonFly BSD Project                          Unknown         2008-12-09     2008-12-09
EMC Corporation                                Unknown         2008-12-09     2008-12-09
Engarde Secure Linux                           Unknown         2008-12-09     2008-12-09
Enterasys Networks                             Unknown         2008-12-09     2008-12-09
Ericsson                                       Unknown         2008-12-09     2008-12-09
eSoft, Inc.                                    Unknown         2008-12-09     2008-12-09
Extreme Networks                               Unknown         2008-12-09     2008-12-09
F5 Networks, Inc.                              Unknown         2008-12-09     2008-12-09
Fedora Project                                 Unknown         2008-12-09     2008-12-09
Force10 Networks, Inc.                         Not Vulnerable  2008-12-09     2009-02-04
Fortinet, Inc.                                 Not Vulnerable  2008-12-09     2008-12-10
Foundry Networks, Inc.                         Not Vulnerable  2008-12-09     2008-12-11
FreeBSD, Inc.                                  Unknown         2008-12-09     2008-12-09
Fujitsu                                        Unknown         2008-12-09     2008-12-09
Gentoo Linux                                   Unknown         2008-12-09     2008-12-09
Global Technology Associates                   Unknown         2008-12-09     2008-12-09
Google                                         Unknown         2009-01-08     2009-01-08
Hewlett-Packard Company                        Unknown         2008-12-09     2008-12-09
Hitachi                                        Unknown         2008-12-09     2008-12-09
IBM Corporation                                Unknown         2008-12-09     2008-12-09
IBM Corporation (zseries)                      Unknown         2008-12-09     2008-12-09
IBM eServer                                    Unknown         2008-12-09     2008-12-09
Ingrian Networks, Inc.                         Unknown         2008-12-09     2008-12-09
Intel Corporation                              Not Vulnerable  2008-12-09     2009-01-07
Internet Security Systems, Inc.                Unknown         2008-12-09     2008-12-09
Intoto                                         Unknown         2008-12-09     2008-12-09
IP Filter                                      Not Vulnerable  2008-12-09     2009-01-08
Juniper Networks, Inc.                         Unknown         2008-12-09     2008-12-09
Luminous Networks                              Unknown         2008-12-09     2008-12-09
m0n0wall                                       Unknown         2008-12-09     2008-12-09
Mandriva, Inc.                                 Unknown         2008-12-09     2008-12-09
McAfee                                         Unknown         2008-12-09     2008-12-09
Microsoft Corporation                          Unknown         2008-12-09     2008-12-09
Microsoft Vulnerability Research               Unknown         2009-02-09     2009-02-09
MontaVista Software, Inc.                      Unknown         2008-12-09     2008-12-09
Multitech, Inc.                                Unknown         2008-12-09     2008-12-09
NEC Corporation                                Unknown         2008-12-09     2008-12-09
NetApp                                         Unknown         2008-12-09     2008-12-09
NetBSD                                         Unknown         2008-12-09     2008-12-09
netfilter                                      Unknown         2008-12-09     2008-12-09
Nokia                                          Unknown         2008-12-09     2008-12-09
Nortel Networks, Inc.                          Unknown         2008-12-09     2008-12-09
Novell, Inc.                                   Not Vulnerable  2008-12-09     2008-12-18
OpenBSD                                        Unknown         2008-12-09     2008-12-09
OpenSSH                                        Unknown         2009-01-06     2009-01-06
PayPal                                         Unknown         2008-11-11     2008-11-11
PePLink                                        Not Vulnerable  2008-12-09     2009-01-02
Privoxy                                        Unknown         2009-01-06     2009-01-06
Process Software                               Unknown         2008-12-09     2008-12-09
Q1 Labs                                        Unknown         2008-12-09     2008-12-09
QBIK New Zealand Limited                       Vulnerable      2009-01-15     2009-01-21
QNX, Software Systems, Inc.                    Unknown         2008-12-09     2008-12-09
Quagga                                         Unknown         2008-12-09     2008-12-09
RadWare, Inc.                                  Not Vulnerable  2008-12-09     2008-12-17
Red Hat, Inc.                                  Unknown         2008-12-09     2008-12-09
Redback Networks, Inc.                         Unknown         2008-12-09     2008-12-09
Secure Computing Network Security Division     Unknown         2008-12-09     2008-12-09
Secureworx, Inc.                               Unknown         2008-12-09     2008-12-09
Silicon Graphics, Inc.                         Unknown         2008-12-09     2008-12-09
Slackware Linux Inc.                           Unknown         2008-12-09     2008-12-09
SmoothWall                                     Vulnerable      2008-12-09     2009-02-20
Snort                                          Unknown         2008-12-09     2008-12-09
Soapstone Networks                             Unknown         2008-12-09     2008-12-09
Sony Corporation                               Unknown         2008-12-09     2008-12-09
Sourcefire                                     Unknown         2008-12-09     2008-12-09
Squid                                          Vulnerable      2009-01-02     2009-02-23
Stonesoft                                      Unknown         2008-12-09     2008-12-09
Sun Microsystems, Inc.                         Unknown         2008-12-09     2008-12-09
SUSE Linux                                     Unknown         2008-12-09     2008-12-09
Symantec, Inc.                                 Unknown         2008-12-09     2008-12-09
The SCO Group                                  Unknown         2008-12-09     2008-12-09
TippingPoint, Technologies, Inc.               Not Vulnerable  2008-12-09     2009-01-13
Turbolinux                                     Unknown         2008-12-09     2008-12-09
U4EA Technologies, Inc.                        Unknown         2008-12-09     2008-12-09
Ubuntu                                         Unknown         2008-12-09     2008-12-09
Unisys                                         Unknown         2008-12-09     2008-12-09
Vyatta                                         Unknown         2008-12-09     2008-12-09
Watchguard Technologies, Inc.                  Unknown         2008-12-09     2008-12-09
Wind River Systems, Inc.                       Unknown         2008-12-09     2008-12-09
Ziproxy                                        Vulnerable      2009-01-13     2009-02-23
ZyXEL                                          Unknown         2008-12-09     2008-12-09
References
http://www.ietf.org/rfc/rfc2616.txt
http://www.webappsec.org/lists/websecurity/archive/2008-06/msg00073.html
http://www.us-cert.gov/reading_room/securing_browser/
http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14213
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)#Black_Box_testing_and_example
http://en.wikipedia.org/w/index.php?title=List_of_TCP_and_UDP_port_numbers&oldid=266934839
Credit
Thanks to Robert Auger from the PayPal Information Risk Management team for
reporting this issue as well as providing technical information.
This document was written by Ryan Giobbi.
Other Information
Date Public: 2008-11-10
Date First Published: 2009-02-23
Date Last Updated: 2009-02-23
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 1.10
Document Revision: 102
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJteM0NVH5XJJInbgRAtMsAJ9Xrlz0WnhubEbjjYCUOxZuhA86owCcCnoG
6yeAmuQ7tVxRF0ixpa0oBi0=
=PqFq
-----END PGP SIGNATURE-----