Executive Summary

Summary
Title: Microsoft Outlook Web Access may not use the no-store HTTP directive

Information
Name: VU#829876
First vendor Publication: 2008-05-09
Vendor: VU-CERT
Last vendor Modification: 2008-05-09
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score: 1.9
Cvss Impact Score: 2.9
Cvss Exploit Score: 3.4
Attack Range: Local
Attack Complexity: Medium
Authentication: None Required

Detail

Vulnerability Note VU#829876

Microsoft Outlook Web Access may not use the no-store HTTP directive

Overview

Some versions of Outlook Web Access (OWA) may use the no-cache instead of the no-store HTTP 1.1 directive. This results in web browsers caching sensitive information.

I. Description

Some versions of Outlook Web Access may use the Cache-Control: no-cache HTTP 1.1 directive.

From RFC 2616:

    If the no-cache directive does not specify a field-name, then a cache MUST NOT use the response to satisfy a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent caching even by caches that have been configured to return stale responses to client requests.
    If the no-cache directive does specify one or more field-names, then a cache MAY use the response to satisfy a subsequent request, subject to any other restrictions on caching. However, the specified field-name(s) MUST NOT be sent in the response to a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent the re-use of certain header fields in a response, while still allowing caching of the rest of the response.
Using the no-cache instead of the no-store directive may cause web browsers that closely follow RFC 2616 to store potentially sensitive information.
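
The difference described above can be checked mechanically. The following is an added example, not part of the original vulnerability note or any Microsoft code: it parses a Cache-Control value (including the quoted field-name form of no-cache from the RFC text) and flags responses that a cache is still allowed to keep. The paths and sample headers are constructed for illustration.

```python
def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}.

    Commas inside a quoted-string (no-cache="Set-Cookie, Set-Cookie2")
    do not end a directive. An unterminated quote drops the last directive,
    so a malformed header is flagged rather than trusted.
    """
    directives, token, quoted = {}, [], False
    for ch in value + ",":
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            name, _, arg = "".join(token).partition("=")
            if name.strip():
                directives[name.strip().lower()] = arg.strip().strip('"') or None
            token = []
        else:
            token.append(ch)
    return directives


def assess(headers):
    """Classify one response's headers by what a cache may do with the body."""
    cc = ""
    for name, value in headers.items():
        if name.lower() == "cache-control":  # header names are case-insensitive
            cc = value
    directives = parse_cache_control(cc)
    if "no-store" in directives:
        return "not-stored"
    if "no-cache" in directives:
        if directives["no-cache"] is None:
            return "stored-revalidate"      # may be kept, revalidated before reuse
        return "stored-fields-protected"    # only the listed header fields are protected
    return "stored"


def flagged(responses):
    """Return the paths whose responses a cache is allowed to keep."""
    return [path for path, hdrs in responses if assess(hdrs) != "not-stored"]


# Constructed sample responses (hypothetical paths, not captured from OWA).
SAMPLES = [
    ("/example/inbox", {"Cache-Control": "no-cache"}),
    ("/example/message", {"cache-control": 'private, no-cache="Set-Cookie, Set-Cookie2"'}),
    ("/example/compose", {"Cache-Control": "no-cache, no-store"}),
    ("/example/logo.gif", {"Cache-Control": "max-age=3600"}),
]
```
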

II. Impact

Sensitive information that is viewed during an Outlook Web Access session may be stored to disk.

III. Solution

We are unaware of a solution for this problem.

Clear browser caches

Clearing browser caches frequently may mitigate this vulnerability by deleting data that was inadvertently cached.

  • In Internet Explorer 7, click on Tools, Internet Options, Delete (under the Browsing history section), then Delete all.
  • For Firefox 2 and 3 see the Firefox Options window support page for information on how to automatically remove cached browser files.
  • In Safari 3.0, click Safari then Reset Safari.
  • In recent versions of Opera, go to Tools, Preferences, Advanced, History and set the cache to Empty on exit.
  • For recent versions of the Konqueror browser, use the KControl module called Cache, then click on the Clear cache button.

Administrators should also consider securely erasing browser caches before re-deploying or disposing of hard drives.

Systems Affected

Vendor                  Status      Date Updated
Microsoft Corporation   Vulnerable  31-Mar-2008

References


http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2
http://support.mozilla.com/en-US/kb/Options+window#Private_Data
http://docs.info.apple.com/article.html?path=Safari/3.0/en/9300.html
http://www.opera.com/support/tutorials/security/shared/
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Credit

Thanks to Bill Knox from MITRE for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public: 05/09/2008
Date First Published: 05/09/2008 08:08:29 AM
Date Last Updated: 05/09/2008
CERT Advisory:
CVE Name:
US-CERT Technical Alerts:
Metric: 0.11
Document Revision: 22

Original Source

Url : http://www.kb.cert.org/vuls/id/829876

CPE : Common Platform Enumeration

Type         Description  Count
Application               1

Open Source Vulnerability Database (OSVDB)

Id Description
45218 Microsoft Outlook Web Access Cache-Control Directive Information Caching Pers...