Executive Summary

Summary
Title: Intercepting proxy servers may incorrectly rely on HTTP headers to make connections

Information
Name: VU#435052
Vendor: VU-CERT
Severity (vendor): N/A
First vendor publication: 2009-02-23
Last vendor modification: 2009-03-12
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Impact sub score: NA
Exploitability sub score: NA
Environmental score: NA
Temporal score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:H/Au:N/C:C/I:N/A:N)
CVSS base score: 5.4
CVSS impact score: 6.9
CVSS exploit score: 4.9
Attack range: Network
Attack complexity: High
Authentication: None required

Detail

Vulnerability Note VU#435052

Intercepting proxy servers may incorrectly rely on HTTP headers to make connections

Overview

Proxy servers running in interception mode ("transparent" proxies) that make connection decisions based on HTTP header values may be used by an attacker to relay connections.

I. Description

HTTP Host headers are defined in RFC 2616 and are often used by web servers to allow multiple websites to share a single IP address.

From RFC 2616:

    A "host" without any trailing port information implies the default port for the service requested (e.g., "80" for an HTTP URL). For example, a request on the origin server for <http://www.w3.org/pub/WWW/> would properly include:

    GET /pub/WWW/ HTTP/1.1
    Host: www.w3.org

    A client MUST include a Host header field in all HTTP/1.1 request messages. If the requested URI does not include an Internet host name for the service being requested, then the Host header field MUST be given with an empty value. An HTTP/1.1 proxy MUST ensure that any request message it forwards does contain an appropriate Host header field that identifies the service being requested by the proxy. All Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message which lacks a Host header field.

Transparent proxy servers intercept and redirect network connections without user interaction or browser configuration. Some transparent intercepting proxy implementations make connection decisions based on the HTTP Host header value. Browser plugins (Flash, Java, etc.) may enforce access controls on active content by limiting communication to the site or domain that the content originated from. An attacker may be able to forge the HTTP Host header (or other HTTP headers) via active content. A proxy server running in intercepting ("transparent") mode that makes connection decisions based on HTTP header values instead of source and destination IP addresses is vulnerable, because a remote attacker can forge these values.

To successfully exploit this issue, an attacker would need to either convince a user to visit a web page with malicious active content or be able to load the active content in an otherwise trusted site. Note that this vulnerability appears to only affect proxy servers that run in transparent mode and browser same origin policies should prevent attackers from re-using authentication credentials (cookies, etc) to obtain further access. This issue does not apply to proxy servers running in reverse mode.
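The following is an added example, not code from the CERT note or from any vendor it lists. It puts the header-trusting connection decision described above beside a hardened decision that dials only the intercepted destination and requires the Host header to resolve to it; the RESOLVER table (a stand-in for DNS), the example hostnames and the sample requests are constructed assumptions.

```python
# Added example, not code from the CERT note or any vendor it lists: the
# header-trusting decision the note describes beside one that trusts the
# intercepted destination. RESOLVER and the requests are constructed stand-ins.
from dataclasses import dataclass
from typing import Optional, Tuple
RESOLVER = {"www.example.com": {"93.184.216.34"},      # constructed DNS table
            "intranet.corp.example": {"10.0.0.5"}}
FORGED = b"GET / HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n"     # constructed
LEGIT = b"GET /pub/WWW/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"   # constructed

@dataclass
class Decision:
    allowed: bool
    target: Optional[Tuple[str, int]]  # (host or IP, port) the proxy would dial
    reason: str

def parse_request(raw: bytes):
    """Split a minimal HTTP/1.1 request into (method, target, headers)."""
    request_line, *header_lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def split_host(value: str, default_port: int) -> Tuple[str, int]:
    host, _, port = value.partition(":")
    return host, (int(port) if port else default_port)

def header_trusting_decision(raw: bytes, original_dst: Tuple[str, int]) -> Decision:
    """Vulnerable behaviour: ignore original_dst and dial whatever the Host header says."""
    _method, _target, headers = parse_request(raw)
    return Decision(True, split_host(headers.get("host", ""), 80), "trusted Host header")

def hardened_decision(raw: bytes, original_dst: Tuple[str, int],
                      allowed_ports=frozenset({80, 443})) -> Decision:
    """Dial only the intercepted destination, and only when the Host header
    resolves to it; CONNECT is limited to 443/tcp as the note recommends."""
    method, target, headers = parse_request(raw)
    dst_ip, dst_port = original_dst
    if method == "CONNECT" and split_host(target, 443)[1] != 443:
        return Decision(False, None, "CONNECT allowed only to port 443")
    if dst_port not in allowed_ports:
        return Decision(False, None, "intercepted destination port not permitted")
    host, port = split_host(headers.get("host", ""), dst_port)
    if port != dst_port or dst_ip not in RESOLVER.get(host, set()):
        return Decision(False, None, "Host header does not match intercepted destination")
    return Decision(True, (dst_ip, dst_port), "forwarded to intercepted destination")
```

With FORGED intercepted on its way to 93.184.216.34:80, the header-trusting proxy would dial the intranet host while the hardened one refuses; LEGIT is forwarded to the intercepted address in both cases.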

More information about this issue can be found in the Socket Capable Browser Plugins Result In Transparent Proxy Abuse paper.

II. Impact

An attacker may be able to make full connections to any website or resource that the proxy can connect to. These sites may include internal resources such as intranet sites that would not usually be exposed to the Internet.

III. Solution

Update

When possible, administrators should obtain updated software. See the Systems Affected section of this document for a partial list of affected vendors. Until updates can be applied, the workarounds below will mitigate this vulnerability.

Administrators who would like to check their proxy server to determine if it is vulnerable should see the "Reproduction Instructions" section of the Socket Capable Browser Plugins Result In Transparent Proxy Abuse paper.

Workarounds for Administrators

It is possible to limit the impact of this vulnerability by restricting access in several ways:

  • Internal services that use an authentication scheme (such as a username/password) are not as likely to be affected by this issue.
  • Network designs that have limited connectivity between the proxy and internal services will prevent an attacker from obtaining direct access to these services via the proxy. Administrators should consider using access control lists or firewall rules to prevent direct connections between internal servers and proxy servers.
  • Administrators should configure the proxy to use only the protocols and ports which are required for normal operation. In particular, administrators should limit the CONNECT method to only the minimum required port range (usually 443/tcp).
  • When possible, router or switch access control lists should be configured to prevent HTTP proxy servers from connecting to servers using ports or protocols that they would not normally use. HTTP proxy servers do not usually need to communicate with well known ports other than 80/tcp and 443/tcp.

Workarounds for specific vendors are in the Systems Affected section of this document.

Workarounds for users

  • To exploit this issue an attacker needs to execute active content (Java, Flash, Silverlight, etc.) in the context of a web browser. Mozilla Firefox users should consider using the NoScript plugin to whitelist sites that can execute dynamic content. See the Securing Your Web Browser document for more information about secure browser configurations.

Workarounds for proxy server vendors

Although these workarounds will not address the underlying issue, vendors who distribute HTTP proxy servers are encouraged to implement them to mitigate future vulnerabilities.

  • In default configurations, the proxy server should only be able to connect to a limited number of well known ports.
  • The CONNECT method should only be allowed for traffic that uses destination port 443/tcp, unless the proxy is designed to act as a TCP tunnel on all ports.

Systems Affected

Vendor | Status | Date Notified | Date Updated
------ | ------ | ------------- | ------------
3com, Inc. | Unknown | 2008-12-09 | 2008-12-09
ACCESS | Unknown | 2008-12-09 | 2008-12-09
Alcatel-Lucent | Unknown | 2008-12-09 | 2008-12-09
Apple Computer, Inc. | Not Vulnerable | 2008-12-09 | 2008-12-11
AT&T | Unknown | 2008-12-09 | 2008-12-09
Avaya, Inc. | Unknown | 2008-12-09 | 2008-12-09
AvertLabs | Unknown | 2008-12-10 | 2008-12-10
Barracuda Networks | Unknown | 2008-12-09 | 2008-12-09
Belkin, Inc. | Unknown | 2008-12-09 | 2008-12-09
Blue Coat Systems | Vulnerable | 2009-01-02 | 2009-03-04
Borderware Technologies | Not Vulnerable | 2008-12-09 | 2009-02-03
Bro | Unknown | 2008-12-09 | 2008-12-09
Charlotte's Web Networks | Unknown | 2008-12-09 | 2008-12-09
Check Point Software Technologies | Not Vulnerable | 2008-12-09 | 2009-02-20
CIAC | Unknown | 2008-12-09 | 2008-12-09
Cisco Systems, Inc. | Not Vulnerable | 2008-12-09 | 2009-03-12
Clavister | Unknown | 2008-12-09 | 2008-12-09
Computer Associates | Unknown | 2008-12-09 | 2008-12-09
Computer Associates eTrust Security Management | Unknown | 2008-12-09 | 2008-12-09
Conectiva Inc. | Unknown | 2008-12-09 | 2008-12-09
Cray Inc. | Not Vulnerable | 2008-12-09 | 2008-12-17
Data Connection, Ltd. | Unknown | 2008-12-09 | 2008-12-09
Debian GNU/Linux | Not Vulnerable | 2008-12-09 | 2009-02-20
DragonFly BSD Project | Unknown | 2008-12-09 | 2008-12-09
EMC Corporation | Unknown | 2008-12-09 | 2008-12-09
Engarde Secure Linux | Unknown | 2008-12-09 | 2008-12-09
Enterasys Networks | Unknown | 2008-12-09 | 2008-12-09
Ericsson | Unknown | 2008-12-09 | 2008-12-09
eSoft, Inc. | Unknown | 2008-12-09 | 2008-12-09
Extreme Networks | Unknown | 2008-12-09 | 2008-12-09
F5 Networks, Inc. | Unknown | 2008-12-09 | 2008-12-09
Fedora Project | Unknown | 2008-12-09 | 2008-12-09
Force10 Networks, Inc. | Not Vulnerable | 2008-12-09 | 2009-02-04
Fortinet, Inc. | Not Vulnerable | 2008-12-09 | 2008-12-10
Foundry Networks, Inc. | Not Vulnerable | 2008-12-09 | 2008-12-11
FreeBSD, Inc. | Unknown | 2008-12-09 | 2008-12-09
Fujitsu | Unknown | 2008-12-09 | 2008-12-09
Gentoo Linux | Unknown | 2008-12-09 | 2008-12-09
Global Technology Associates | Unknown | 2008-12-09 | 2008-12-09
Google | Unknown | 2009-01-08 | 2009-01-08
Hewlett-Packard Company | Unknown | 2008-12-09 | 2008-12-09
Hitachi | Unknown | 2008-12-09 | 2008-12-09
IBM Corporation | Unknown | 2008-12-09 | 2008-12-09
IBM Corporation (zseries) | Unknown | 2008-12-09 | 2008-12-09
IBM eServer | Unknown | 2008-12-09 | 2008-12-09
Ingrian Networks, Inc. | Unknown | 2008-12-09 | 2008-12-09
Intel Corporation | Not Vulnerable | 2008-12-09 | 2009-01-07
Internet Initiative Japan | Not Vulnerable | | 2009-03-03
Internet Security Systems, Inc. | Unknown | 2008-12-09 | 2008-12-09
Intoto | Unknown | 2008-12-09 | 2008-12-09
IP Filter | Not Vulnerable | 2008-12-09 | 2009-01-08
Juniper Networks, Inc. | Unknown | 2008-12-09 | 2008-12-09
Luminous Networks | Unknown | 2008-12-09 | 2008-12-09
m0n0wall | Unknown | 2008-12-09 | 2008-12-09
Mandriva, Inc. | Unknown | 2008-12-09 | 2008-12-09
McAfee | Unknown | 2008-12-09 | 2008-12-09
Microsoft Corporation | Unknown | 2008-12-09 | 2008-12-09
Microsoft Vulnerability Research | Unknown | 2009-02-09 | 2009-02-09
MontaVista Software, Inc. | Unknown | 2008-12-09 | 2008-12-09
Multitech, Inc. | Unknown | 2008-12-09 | 2008-12-09
NEC Corporation | Unknown | 2008-12-09 | 2008-12-09
NetApp | Unknown | 2008-12-09 | 2008-12-09
NetBSD | Unknown | 2008-12-09 | 2008-12-09
netfilter | Unknown | 2008-12-09 | 2008-12-09
Nokia | Unknown | 2008-12-09 | 2008-12-09
Nortel Networks, Inc. | Unknown | 2008-12-09 | 2008-12-09
Novell, Inc. | Not Vulnerable | 2008-12-09 | 2008-12-18
OpenBSD | Unknown | 2008-12-09 | 2008-12-09
OpenSSH | Unknown | 2009-01-06 | 2009-01-06
PayPal | Unknown | 2008-11-11 | 2008-11-11
PePLink | Not Vulnerable | 2008-12-09 | 2009-01-02
Privoxy | Unknown | 2009-01-06 | 2009-01-06
Process Software | Unknown | 2008-12-09 | 2008-12-09
Q1 Labs | Unknown | 2008-12-09 | 2008-12-09
QBIK New Zealand Limited | Vulnerable | 2009-01-15 | 2009-01-21
QNX, Software Systems, Inc. | Unknown | 2008-12-09 | 2008-12-09
Quagga | Unknown | 2008-12-09 | 2008-12-09
RadWare, Inc. | Not Vulnerable | 2008-12-09 | 2008-12-17
Red Hat, Inc. | Unknown | 2008-12-09 | 2008-12-09
Redback Networks, Inc. | Unknown | 2008-12-09 | 2008-12-09
Secure Computing Network Security Division | Unknown | 2008-12-09 | 2008-12-09
Secureworx, Inc. | Unknown | 2008-12-09 | 2008-12-09
Silicon Graphics, Inc. | Unknown | 2008-12-09 | 2008-12-09
Slackware Linux Inc. | Unknown | 2008-12-09 | 2008-12-09
SmoothWall | Vulnerable | 2008-12-09 | 2009-02-20
Snort | Unknown | 2008-12-09 | 2008-12-09
Soapstone Networks | Unknown | 2008-12-09 | 2008-12-09
Sony Corporation | Unknown | 2008-12-09 | 2008-12-09
Sophos, Inc. | Unknown | 2009-03-11 | 2009-03-11
Sourcefire | Unknown | 2008-12-09 | 2008-12-09
Squid | Vulnerable | 2009-01-02 | 2009-02-23
Stonesoft | Unknown | 2008-12-09 | 2008-12-09
Sun Microsystems, Inc. | Unknown | 2008-12-09 | 2008-12-09
SUSE Linux | Unknown | 2008-12-09 | 2008-12-09
Symantec, Inc. | Unknown | 2008-12-09 | 2008-12-09
The SCO Group | Unknown | 2008-12-09 | 2008-12-09
TippingPoint, Technologies, Inc. | Not Vulnerable | 2008-12-09 | 2009-01-13
Turbolinux | Unknown | 2008-12-09 | 2008-12-09
U4EA Technologies, Inc. | Unknown | 2008-12-09 | 2008-12-09
Ubuntu | Unknown | 2008-12-09 | 2008-12-09
Unisys | Unknown | 2008-12-09 | 2008-12-09
Vyatta | Unknown | 2008-12-09 | 2008-12-09
Watchguard Technologies, Inc. | Unknown | 2008-12-09 | 2008-12-09
Wind River Systems, Inc. | Not Vulnerable | 2008-12-09 | 2009-03-04
Ziproxy | Vulnerable | 2009-01-13 | 2009-02-23
ZyXEL | Unknown | 2008-12-09 | 2008-12-09

Original Source

Url : http://www.kb.cert.org/vuls/id/435052

CWE : Common Weakness Enumeration

% | Id | Name
100% | CWE-264 | Permissions, Privileges, and Access Controls

OpenVAS Exploits

Date Description
2009-04-20 Name : FreeBSD Ports: ziproxy
File : nvt/freebsd_ziproxy.nasl
2009-03-26 Name : Qbik WinGate HTTP Proxy Server Access Controls Bypass Vulnerability
File : nvt/secpod_wingate_http_proxy_serv_acl_bypass_vuln.nasl
2009-03-26 Name : Ziproxy Security Bypass Vulnerability
File : nvt/secpod_ziproxy_sec_bypass_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id | Description
52412 | Ziproxy Transparent Interception Mode HTTP Host Header Dependancy Media Acces...
52411 | SmoothGuardian Transparent Interception Mode HTTP Host Header Dependancy Medi...
52410 | WinGate Transparent Interception Mode HTTP Host Header Dependancy Media Acces...
52409 | Squid Transparent Interception Mode HTTP Host Header Dependancy Media Access ...

Nessus® Vulnerability Scanner

Date Description
2017-05-01 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2016-1025.nasl - Type : ACT_GATHER_INFO
2016-06-17 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160531_squid34_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2016-06-08 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160531_squid_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2016-06-01 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-1139.nasl - Type : ACT_GATHER_INFO
2016-06-01 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2016-1140.nasl - Type : ACT_GATHER_INFO
2016-06-01 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-1139.nasl - Type : ACT_GATHER_INFO
2016-06-01 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2016-1140.nasl - Type : ACT_GATHER_INFO
2016-05-31 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1139.nasl - Type : ACT_GATHER_INFO
2016-05-31 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1140.nasl - Type : ACT_GATHER_INFO
2013-09-28 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201309-22.nasl - Type : ACT_GATHER_INFO
2009-04-16 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_872ae5be29c011debdeb0030843d3802.nasl - Type : ACT_GATHER_INFO