Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration.
Summary

Title: CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

Information

Name: VU#797896
First vendor publication: 2016-07-18
Vendor: VU-CERT
Last vendor modification: 2016-07-19
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA            Environmental score: NA
Impact subscore: NA       Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS base score: 6.8      Attack range: Network
CVSS impact score: 6.4    Attack complexity: Medium
CVSS exploit score: 8.6   Authentication: None required

Detail

Vulnerability Note VU#797896

CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

Original Release date: 18 Jul 2016 | Last revised: 19 Jul 2016

Overview

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.

Description

CWE-807: Reliance on Untrusted Inputs in a Security Decision, CWE-454: External Initialization of Trusted Variables or Data Stores

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior is the result of the naming convention for meta-variables defined in RFC 3875 (the CGI specification), which leads to a name collision: "The HTTP header field name is converted to upper case, has all occurrences of '-' replaced with '_' and has 'HTTP_' prepended to give the meta-variable name." A client-supplied "Proxy" header therefore becomes HTTP_PROXY, the same variable name that many HTTP client libraries read to find an outbound proxy.

According to the researchers, a web server is vulnerable if:

  1. A web server, programming language or framework (and in some limited situations the application itself) sets the environmental variable HTTP_PROXY from the user supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environmental variable).
  2. A web application makes use of HTTP_PROXY or similar variable unsafely (e.g. fails to check the request type) resulting in an attacker controlled proxy being used (essentially when HTTP_PROXY is actually used unsafely).

By sending a specially crafted request to a vulnerable server, a remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts. For more information, refer to httpoxy.org.
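The following Python is an added illustration, not code from the advisory or from any affected project. It models the RFC 3875 header-to-meta-variable mapping that produces the collision, and the two defensive checks that break the chain: a gateway that refuses to export HTTP_PROXY from a request header (the same effect as the front-end "unset Proxy" workarounds), and a client-side lookup that ignores upper-case HTTP_PROXY whenever REQUEST_METHOD shows the process is serving a CGI request. The sample headers and all function names are constructed for this example.

```python
from typing import Dict, Mapping, Optional

# RFC 3875 carries these two headers as CONTENT_TYPE / CONTENT_LENGTH without
# the HTTP_ prefix; every other request header gets the prefix.
CGI_UNPREFIXED = {"content-type", "content-length"}

# Meta-variable names that HTTP client libraries also read for proxy settings.
# A client-supplied header must never be allowed to produce one of these.
PROXY_META_VARIABLES = {"HTTP_PROXY"}


def cgi_meta_variables(headers: Mapping[str, str]) -> Dict[str, str]:
    """Apply the RFC 3875 rule literally: upper-case, '-' -> '_', prepend HTTP_.
    This is the mapping that turns a client 'Proxy' header into HTTP_PROXY."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        meta = name.upper().replace("-", "_")
        if name.lower() not in CGI_UNPREFIXED:
            meta = "HTTP_" + meta
        env[meta] = value
    return env


def safe_cgi_meta_variables(headers: Mapping[str, str]) -> Dict[str, str]:
    """Hardened gateway side: drop any header whose meta-variable name collides
    with a proxy configuration variable, so HTTP_PROXY is never client-controlled."""
    return {k: v for k, v in cgi_meta_variables(headers).items()
            if k not in PROXY_META_VARIABLES}


def proxy_from_environment(environ: Mapping[str, str], scheme: str = "http") -> Optional[str]:
    """Hardened client side: resolve the outbound proxy for a server subrequest.
    REQUEST_METHOD is set only while serving a CGI request; in that context the
    upper-case HTTP_PROXY may have come from the client, so it is ignored. The
    lower-case http_proxy cannot be produced by the CGI mapping (which upper-cases),
    so it stays trustworthy. Several affected runtimes fixed httpoxy this way."""
    var = scheme.lower() + "_proxy"
    if var == "http_proxy" and "REQUEST_METHOD" in environ:
        return environ.get("http_proxy")
    return environ.get(var) or environ.get(var.upper())


# Constructed sample request headers (not a captured request).
SAMPLE_REQUEST_HEADERS = {
    "Host": "app.example.internal",
    "User-Agent": "curl/7.47.0",
    "Content-Type": "application/x-www-form-urlencoded",
    "Proxy": "untrusted-host.example:8080",  # the header httpoxy abuses
}


def demo() -> Dict[str, Optional[str]]:
    """Run one CGI-style request through the naive and the hardened paths."""
    naive_env = cgi_meta_variables(SAMPLE_REQUEST_HEADERS)
    naive_env["REQUEST_METHOD"] = "GET"  # a CGI gateway always sets this
    safe_env = safe_cgi_meta_variables(SAMPLE_REQUEST_HEADERS)
    safe_env["REQUEST_METHOD"] = "GET"
    return {
        "naive_HTTP_PROXY": naive_env.get("HTTP_PROXY"),        # client value leaked in
        "naive_proxy_used": proxy_from_environment(naive_env),  # None: ignored under CGI
        "safe_HTTP_PROXY": safe_env.get("HTTP_PROXY"),          # None: never exported
    }
```

Calling demo() shows that even when the naive gateway leaks the client value into HTTP_PROXY, the hardened lookup still refuses to use it, and the hardened gateway never exports it at all.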

Impact

A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.

Solution

Apply an update

Where applicable, affected products and components should be updated to address this vulnerability. Check with vendors for information about patching.

Where patches are unavailable or updating is not an option, consider the following workarounds.

Filter Proxy request headers

The researchers and community have identified several filtering strategies that are product-dependent:

    Apache/CGI

    In this configuration, any language may be vulnerable (the HTTP_PROXY env var is "real"). If you are using mod_headers, you can unset the "Proxy" header with this directive:

        RequestHeader unset Proxy

    If you are using mod_security, you can use a rule like the following (vary the action to taste):

        SecRuleEngine On
        SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"

    Refer to Apache's response for more information.

    HAProxy

        http-request del-header Proxy

    lighttpd <= 1.4.40 (reject requests containing a "Proxy" header)

    Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:

        if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

    Modify lighttpd.conf to load mod_magnet and run the Lua code:

        server.modules += ( "mod_magnet" )
        magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

    lighttpd2 (development) (strip the "Proxy" header from the request)

    Add to lighttpd.conf:

        req_header.remove "Proxy";

    Nginx/FastCGI

    Use this to block the Proxy header from being passed on to PHP-FPM, PHP-PM, etc.:

        fastcgi_param HTTP_PROXY "";

    Nginx with proxy_pass

    The following setting should work for people who are using "proxy_pass" with nginx:

        proxy_set_header Proxy "";


Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks:

    Microsoft IIS mitigation steps:

    Update apphost.config with the following rule:

    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
                    <match url="*.*" />
                    <serverVariables>
                        <set name="HTTP_PROXY" value="" />
                    </serverVariables>
                    <action type="None" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>

Vendor Information

Vendor                        Status        Date Notified   Date Updated
Apache HTTP Server Project    Affected      12 Jul 2016     18 Jul 2016
Go Programming Language       Affected      -               18 Jul 2016
HAProxy                       Affected      -               13 Jul 2016
HHVM                          Affected      -               18 Jul 2016
lighttpd                      Affected      -               19 Jul 2016
Microsoft Corporation         Affected      12 Jul 2016     13 Jul 2016
nginx                         Affected      -               13 Jul 2016
Python                        Affected      -               18 Jul 2016
The PHP Group                 Affected      -               18 Jul 2016
EfficientIP SAS               Not Affected  12 Jul 2016     12 Jul 2016
ACCESS                        Unknown       12 Jul 2016     12 Jul 2016
Alcatel-Lucent                Unknown       12 Jul 2016     12 Jul 2016
Apple                         Unknown       12 Jul 2016     12 Jul 2016
Arista Networks, Inc.         Unknown       12 Jul 2016     12 Jul 2016
ARRIS                         Unknown       12 Jul 2016     12 Jul 2016

CVSS Metrics

Group          Score   Vector
Base           5.1     AV:N/AC:H/Au:N/C:P/I:P/A:P
Temporal       4.6     E:POC/RL:ND/RC:C
Environmental  1.1     CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • https://tools.ietf.org/html/rfc3875
  • https://httpoxy.org
  • https://www.apache.org/security/asf-httpoxy-response.txt
  • https://cwe.mitre.org/data/definitions/807.html
  • https://cwe.mitre.org/data/definitions/454.html

Credit

Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388, CVE-2016-1000109, CVE-2016-1000110
  • Date Public: 18 Jul 2016
  • Date First Published: 18 Jul 2016
  • Date Last Updated: 19 Jul 2016
  • Document Revision: 65


Original Source

Url : http://www.kb.cert.org/vuls/id/797896

CWE : Common Weakness Enumeration

Percent   Id       Name
67 %      CWE-284  Access Control (Authorization) Issues
33 %      CWE-601  URL Redirection to Untrusted Site ('Open Redirect') (CWE/SANS Top 25)

Snort® IPS/IDS

Date Description
2016-07-28 HttpOxy CGI application vulnerability potential man-in-the-middle attempt
RuleID : 39737-community - Revision : 2 - Type : SERVER-WEBAPP
2016-08-31 HttpOxy CGI application vulnerability potential man-in-the-middle attempt
RuleID : 39737 - Revision : 2 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2017-11-03 Name : The remote host is missing a macOS or Mac OS X security update that fixes mul...
File : macosx_SecUpd2017-004.nasl - Type : ACT_GATHER_INFO
2017-10-03 Name : The remote host is missing a macOS update that fixes multiple security vulner...
File : macos_10_13.nasl - Type : ACT_GATHER_INFO
2017-07-20 Name : An enterprise management application installed on the remote host is affected...
File : oracle_enterprise_manager_jul_2017_cpu.nasl - Type : ACT_GATHER_INFO
2017-06-26 Name : The Tenable SecurityCenter application on the remote host contains a web serv...
File : securitycenter_apache_2_4_25.nasl - Type : ACT_GATHER_INFO
2017-05-01 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2016-1049.nasl - Type : ACT_GATHER_INFO
2017-05-01 Name : The remote EulerOS host is missing a security update.
File : EulerOS_SA-2016-1030.nasl - Type : ACT_GATHER_INFO
2017-03-31 Name : The remote host is missing a macOS update that fixes multiple security vulner...
File : macos_10_12_4.nasl - Type : ACT_GATHER_INFO
2017-03-14 Name : An application installed on the remote host is affected by multiple vulnerabi...
File : securitycenter_5_4_3_tns_2017_04.nasl - Type : ACT_GATHER_INFO
2017-02-03 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-3177-2.nasl - Type : ACT_GATHER_INFO
2017-01-24 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-3177-1.nasl - Type : ACT_GATHER_INFO
2017-01-16 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201701-36.nasl - Type : ACT_GATHER_INFO
2017-01-12 Name : The remote web server is affected by multiple vulnerabilities.
File : apache_2_4_25.nasl - Type : ACT_GATHER_INFO
2017-01-12 Name : The remote web server is affected by multiple vulnerabilities.
File : apache_2_2_32.nasl - Type : ACT_GATHER_INFO
2016-12-27 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2016-358-01.nasl - Type : ACT_GATHER_INFO
2016-12-21 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_862d6ab3c75e11e69f9820cf30e32f6d.nasl - Type : ACT_GATHER_INFO
2016-12-20 Name : The remote Debian host is missing a security update.
File : debian_DLA-749.nasl - Type : ACT_GATHER_INFO
2016-12-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-1440.nasl - Type : ACT_GATHER_INFO
2016-12-01 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201611-22.nasl - Type : ACT_GATHER_INFO
2016-11-21 Name : The remote Fedora host is missing a security update.
File : fedora_2016-38e5b05260.nasl - Type : ACT_GATHER_INFO
2016-11-14 Name : The remote Fedora host is missing a security update.
File : fedora_2016-c1b01b9278.nasl - Type : ACT_GATHER_INFO
2016-11-14 Name : The remote Fedora host is missing a security update.
File : fedora_2016-4094bd4ad6.nasl - Type : ACT_GATHER_INFO
2016-11-09 Name : The remote web server is affected by multiple vulnerabilities.
File : hpsmh_7_6.nasl - Type : ACT_GATHER_INFO
2016-10-12 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20161010_tomcat_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2016-10-12 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20161010_tomcat6_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2016-10-12 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-2046.nasl - Type : ACT_GATHER_INFO
2016-10-12 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-2045.nasl - Type : ACT_GATHER_INFO
2016-10-11 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-2046.nasl - Type : ACT_GATHER_INFO
2016-10-11 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-2045.nasl - Type : ACT_GATHER_INFO
2016-10-11 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-2046.nasl - Type : ACT_GATHER_INFO
2016-10-11 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-2045.nasl - Type : ACT_GATHER_INFO
2016-09-15 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1851.nasl - Type : ACT_GATHER_INFO
2016-09-08 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-1056.nasl - Type : ACT_GATHER_INFO
2016-09-02 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-2090-1.nasl - Type : ACT_GATHER_INFO
2016-08-26 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1649.nasl - Type : ACT_GATHER_INFO
2016-08-26 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1648.nasl - Type : ACT_GATHER_INFO
2016-08-22 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-1005.nasl - Type : ACT_GATHER_INFO
2016-08-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1636.nasl - Type : ACT_GATHER_INFO
2016-08-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1635.nasl - Type : ACT_GATHER_INFO
2016-08-18 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-731.nasl - Type : ACT_GATHER_INFO
2016-08-17 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160811_php_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2016-08-15 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160811_php_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2016-08-15 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-1613.nasl - Type : ACT_GATHER_INFO
2016-08-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-1613.nasl - Type : ACT_GATHER_INFO
2016-08-12 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1613.nasl - Type : ACT_GATHER_INFO
2016-08-12 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1609.nasl - Type : ACT_GATHER_INFO
2016-08-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-1609.nasl - Type : ACT_GATHER_INFO
2016-08-12 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-979.nasl - Type : ACT_GATHER_INFO
2016-08-12 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-1609.nasl - Type : ACT_GATHER_INFO
2016-08-09 Name : The remote Fedora host is missing a security update.
File : fedora_2016-a29c65b00f.nasl - Type : ACT_GATHER_INFO
2016-08-09 Name : The remote Fedora host is missing a security update.
File : fedora_2016-683d0b257b.nasl - Type : ACT_GATHER_INFO
2016-08-04 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160803_golang_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2016-08-04 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-921.nasl - Type : ACT_GATHER_INFO
2016-08-03 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-1538.nasl - Type : ACT_GATHER_INFO
2016-08-03 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-1538.nasl - Type : ACT_GATHER_INFO
2016-08-03 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1538.nasl - Type : ACT_GATHER_INFO
2016-08-03 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-3045-1.nasl - Type : ACT_GATHER_INFO
2016-08-02 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-728.nasl - Type : ACT_GATHER_INFO
2016-08-01 Name : The remote Fedora host is missing a security update.
File : fedora_2016-cd2bd0800f.nasl - Type : ACT_GATHER_INFO
2016-08-01 Name : The remote Fedora host is missing a security update.
File : fedora_2016-8eb11666aa.nasl - Type : ACT_GATHER_INFO
2016-08-01 Name : The remote Debian host is missing a security update.
File : debian_DLA-568.nasl - Type : ACT_GATHER_INFO
2016-07-29 Name : The remote Fedora host is missing a security update.
File : fedora_2016-ea5e284d34.nasl - Type : ACT_GATHER_INFO
2016-07-29 Name : The remote Fedora host is missing a security update.
File : fedora_2016-e2c8f5f95a.nasl - Type : ACT_GATHER_INFO
2016-07-29 Name : The remote Fedora host is missing a security update.
File : fedora_2016-aef8a45afe.nasl - Type : ACT_GATHER_INFO
2016-07-29 Name : The remote Fedora host is missing a security update.
File : fedora_2016-9c8cf5912c.nasl - Type : ACT_GATHER_INFO
2016-07-29 Name : The remote Fedora host is missing a security update.
File : fedora_2016-4e7db3d437.nasl - Type : ACT_GATHER_INFO
2016-07-29 Name : The remote Fedora host is missing a security update.
File : fedora_2016-340e361b90.nasl - Type : ACT_GATHER_INFO
2016-07-28 Name : The remote Fedora host is missing a security update.
File : fedora_2016-df0726ae26.nasl - Type : ACT_GATHER_INFO
2016-07-27 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_b6402385533b11e6a7bd14dae9d210b8.nasl - Type : ACT_GATHER_INFO
2016-07-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3631.nasl - Type : ACT_GATHER_INFO
2016-07-26 Name : The version of PHP running on the remote web server is affected by multiple v...
File : php_7_0_9.nasl - Type : ACT_GATHER_INFO
2016-07-26 Name : The version of PHP running on the remote web server is affected by multiple v...
File : php_5_6_24.nasl - Type : ACT_GATHER_INFO
2016-07-26 Name : The version of PHP running on the remote web server is affected by multiple v...
File : php_5_5_38.nasl - Type : ACT_GATHER_INFO
2016-07-25 Name : The remote web application is affected by a man-in-the-middle vulnerability.
File : http_httpoxy.nasl - Type : ACT_ATTACK
2016-07-25 Name : The remote Fedora host is missing a security update.
File : fedora_2016-9fd9bfab9e.nasl - Type : ACT_GATHER_INFO
2016-07-22 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2016-203-02.nasl - Type : ACT_GATHER_INFO
2016-07-21 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-725.nasl - Type : ACT_GATHER_INFO
2016-07-21 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-722.nasl - Type : ACT_GATHER_INFO
2016-07-21 Name : The remote Debian host is missing a security update.
File : debian_DLA-553.nasl - Type : ACT_GATHER_INFO
2016-07-21 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3623.nasl - Type : ACT_GATHER_INFO
2016-07-21 Name : A PHP application running on the remote web server is affected by a man-in-th...
File : drupal_8_1_7.nasl - Type : ACT_GATHER_INFO
2016-07-20 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-880.nasl - Type : ACT_GATHER_INFO
2016-07-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1421.nasl - Type : ACT_GATHER_INFO
2016-07-19 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-1422.nasl - Type : ACT_GATHER_INFO
2016-07-19 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-1421.nasl - Type : ACT_GATHER_INFO
2016-07-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1422.nasl - Type : ACT_GATHER_INFO
2016-07-19 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160718_httpd_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2016-07-19 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160718_httpd_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2016-07-19 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-1422.nasl - Type : ACT_GATHER_INFO
2016-07-19 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-1421.nasl - Type : ACT_GATHER_INFO
2016-07-19 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-3038-1.nasl - Type : ACT_GATHER_INFO

Alert History

Date                 Information
2017-07-21 13:24:50
  • Multiple Updates
2017-06-27 13:23:21
  • Multiple Updates
2017-04-01 13:25:06
  • Multiple Updates
2017-03-15 13:22:41
  • Multiple Updates
2017-01-13 13:24:47
  • Multiple Updates
2016-11-10 13:24:18
  • Multiple Updates
2016-09-28 21:26:02
  • Multiple Updates
2016-07-27 13:25:31
  • Multiple Updates
2016-07-26 13:25:55
  • Multiple Updates
2016-07-22 13:38:25
  • Multiple Updates
2016-07-20 01:01:51
  • Multiple Updates
2016-07-19 21:37:32
  • Multiple Updates
2016-07-19 12:03:59
  • Multiple Updates
2016-07-18 17:22:25
  • First insertion