Access control bypass vulnerability on intercepting proxy servers
Affected: YES
Reported: 2009/04/09
Updated: 2009/06/02
Overview
If an intercepting transparent HTTP proxy is configured to relay connections to other proxy servers, access control features on browsers or the proxy servers may not work as intended. Malicious attackers can exploit this vulnerability if you use the hand-off function of the application-gateway.
Affects SEIL
YES
Affected Products
| MODEL | Firmware Version |
|---|---|
| SEIL/B1 | 1.00 - 2.20 |
| SEIL/X | 1.00 - 2.20 |
| SEIL/Turbo | 1.83 - |
| SEIL/neu 2FE Plus | 1.83 - |
Impact on SEIL
If the hand-off function of the application-gateway is enabled on SEIL, the issue "intercepting proxy servers may incorrectly rely on HTTP headers" (described in VU#435052[1] and JVNVU#435052[2]) applies to SEIL. If an attacker crafts the Host header field, they can bypass access controls that are meant to be enforced on browsers or upstream proxy servers and make connections to any web site.
Solution
A "hostname verification" function has been added to the firmware versions shown in the following table.
| MODEL | Firmware Version |
|---|---|
| SEIL/B1 | 1.00 - 2.30 |
| SEIL/X | 1.00 - 2.30 |
| SEIL/Turbo | (*1) |
| SEIL/neu 2FE Plus | (*1) |
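The check that "hostname verification" has to perform, shown as an added illustration and not as SEIL's own implementation: the name in the client's Host header must resolve to the IP address the client was actually connecting to when the proxy intercepted it, otherwise the proxy hands the request off to whatever destination the Host header names. The DNS table, addresses and function names below are constructed for the example.

```python
import ipaddress

# Constructed DNS table standing in for a real resolver (example data only).
FAKE_DNS = {
    "intranet.example": ["192.0.2.10"],
    "www.example.com": ["198.51.100.5", "198.51.100.6"],
}


def fake_resolve(hostname):
    """Return the addresses a name resolves to; unknown names resolve to nothing."""
    return FAKE_DNS.get(hostname, [])


def parse_host_header(value):
    """Split 'host[:port]' into (host, port); IPv6 literals are bracketed."""
    value = value.strip()
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else 80
        return host.lower(), port
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return value.lower(), 80


def host_header_matches_destination(host_header, original_dst_ip,
                                    original_dst_port=80, resolve=fake_resolve):
    """Hostname verification for an intercepting proxy.

    original_dst_ip/port are the destination the client connected to (what the
    intercepting proxy saw on the wire), not anything taken from the request.
    The request is only relayed when the Host header agrees with that destination.
    """
    host, port = parse_host_header(host_header)
    if port != original_dst_port:
        return False
    try:
        # Host given as an IP literal: it must equal the intercepted destination.
        return ipaddress.ip_address(host) == ipaddress.ip_address(original_dst_ip)
    except ValueError:
        pass  # not a literal, fall through to name resolution
    # Any name that does not resolve, or resolves elsewhere, is rejected
    # (fail closed), which is what stops the crafted-Host-header bypass.
    return original_dst_ip in set(resolve(host))
```

A request that connected to 198.51.100.5 but carries `Host: intranet.example` is rejected, which is the exact case the advisory describes.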
Workarounds
In case the "hostname verification" function cannot be enabled on SEIL, the workarounds below will mitigate this vulnerability.
1. Disable the hand-off function
Disable the hand-off function if you do not need to use it.
2. Implement workarounds on upstream proxy servers
Implement workarounds on upstream proxy servers as described in VU#435052[1] and JVNVU#435052[2].
A countermeasure to this vulnerability will be implemented in the next firmware updates.
Reference
[1] US-CERT Vulnerability Note VU#435052
Intercepting proxy servers may incorrectly rely on HTTP headers to make connections
http://www.kb.cert.org/vuls/id/435052
[2] Japan Vulnerability Notes JVNVU#435052
Intercepting proxy servers may incorrectly rely on HTTP headers to make connections
http://jvn.jp/cert/JVNVU435052 (Japanese)