CERT Vulnerability Note VU#797896

CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

Published: Jul 18, 2016
Source: www.kb.cert.org

CVSS2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.948 (Percentile: 99.3%)

Overview

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.

Description

CWE-807: Reliance on Untrusted Inputs in a Security Decision, CWE-454: External Initialization of Trusted Variables or Data Stores

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior is the result of a naming convention for meta-variables, defined in RFC 3876, which leads to a name collision: “The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name.” Under that rule a request header named Proxy becomes the meta-variable HTTP_PROXY, the same name many HTTP client libraries read to find their outbound proxy.

According to the researchers, a web server is vulnerable if:

  1. A web server, programming language or framework (and in some limited situations the application itself) sets the environmental variable HTTP_PROXY from the user supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environmental variable).
  2. A web application makes use of HTTP_PROXY or similar variable unsafely (e.g. fails to check the request type) resulting in an attacker controlled proxy being used (essentially when HTTP_PROXY is actually used unsafely).

By sending a specially crafted request to a vulnerable server, a remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts. For more information, refer to httpoxy.org.
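As an added illustration of the two conditions above (example code written for this note, not taken from the CERT page, httpoxy.org or any vendor), the following Python models a CGI environment builder and an outbound HTTP client side by side, so the effect of filtering the header (condition 1) and of a client that distrusts HTTP_PROXY under CGI (condition 2) can be compared. The REQUEST_METHOD check in effective_http_proxy, the PROXY_ENV_NAMES set and the sample request are this example's own assumptions.

```python
"""Added example for VU#797896; not code from the CERT note or any vendor.
It models the two conditions in the note: (1) a CGI layer that turns the
client-supplied Proxy header into HTTP_PROXY, and (2) an HTTP client that
honours that variable. All sample headers and values are constructed."""
from typing import Dict, Mapping, Optional

# Environment variables outbound HTTP clients commonly read for proxy
# settings. Under the CGI naming rule only the "Proxy" header lands on one
# of them, but the filter checks the whole set so it stays correct if the
# set is ever extended.
PROXY_ENV_NAMES = frozenset({"HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY"})


def cgi_meta_variable(header_name: str) -> str:
    """The CGI/1.1 naming rule quoted in the note: upper-case the field
    name, replace '-' with '_', and prepend 'HTTP_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_environ(headers: Mapping[str, str], base_env: Mapping[str, str],
                      filter_proxy: bool) -> Dict[str, str]:
    """Build the environment a CGI handler passes to the script.
    filter_proxy=False reproduces condition 1: every request header, Proxy
    included, becomes an HTTP_* variable. filter_proxy=True has the effect
    of the server-side workarounds in the note ('RequestHeader unset Proxy',
    'fastcgi_param HTTP_PROXY ""'): the header is dropped before it can
    shadow a real proxy setting."""
    env = dict(base_env)
    for name, value in headers.items():
        meta = cgi_meta_variable(name)
        if filter_proxy and meta in PROXY_ENV_NAMES:
            continue
        env[meta] = value
    return env


def effective_http_proxy(environ: Mapping[str, str],
                         cgi_aware: bool) -> Optional[str]:
    """Proxy an outbound client in this process would use for http:// URLs.
    cgi_aware=False reproduces condition 2: HTTP_PROXY is trusted as-is.
    cgi_aware=True is the client-side check this example uses: ignore
    HTTP_PROXY whenever REQUEST_METHOD is set, because that variable exists
    only while the process serves a CGI request, which is exactly when
    HTTP_PROXY may have come from the client. The lower-case http_proxy can
    never be produced by the naming rule, so it is still honoured."""
    if "http_proxy" in environ:
        return environ["http_proxy"]
    if cgi_aware and "REQUEST_METHOD" in environ:
        return None
    return environ.get("HTTP_PROXY")


def header_controls_proxy(headers: Mapping[str, str],
                          base_env: Mapping[str, str],
                          filter_proxy: bool, cgi_aware: bool) -> bool:
    """True when a client-supplied Proxy header selects the outbound proxy,
    i.e. both conditions of the note hold for this configuration."""
    supplied = next((v for k, v in headers.items()
                     if cgi_meta_variable(k) == "HTTP_PROXY"), None)
    if supplied is None:
        return False
    env = build_cgi_environ(headers, base_env, filter_proxy)
    return effective_http_proxy(env, cgi_aware) == supplied


if __name__ == "__main__":
    # Constructed request: a benign Host header plus an injected Proxy header
    # pointing at an address from the RFC 5737 documentation range.
    hdrs = {"Host": "app.example", "Proxy": "203.0.113.10:8080"}
    cgi_env = {"REQUEST_METHOD": "GET", "SCRIPT_NAME": "/cgi-bin/app"}
    for filt, aware in [(False, False), (True, False), (False, True)]:
        exposed = header_controls_proxy(hdrs, cgi_env, filt, aware)
        print(f"filter_proxy={filt} cgi_aware={aware} exposed={exposed}")
```

Only the unfiltered, non-CGI-aware combination reports the header as controlling the proxy; either fix on its own closes it, which is why the note asks for patches first and header filtering as the fallback.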

Impact

A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.


Solution

Apply an update

Where applicable, affected products and components should be updated to address this vulnerability. Check with vendors for information about patching.

Where patches are unavailable or updating is not an option, consider the following workarounds.


Filter Proxy request headers

The researchers and community have identified several filtering strategies that are product-dependent:

Apache/CGI

In this configuration, any language may be vulnerable (the HTTP_PROXY env var is “real”). If you are using mod_headers, you can unset the “Proxy” header with this directive:

RequestHeader unset Proxy

If you are using mod_security, you can use a rule like the following (vary the action to taste):

SecRuleEngine On
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"

Refer to Apache’s response for more information.

HAProxy

http-request del-header Proxy

lighttpd <= 1.4.40 (reject requests containing “Proxy” header)

Create “/path/to/deny-proxy.lua”, read-only to lighttpd, with content:

if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

Modify lighttpd.conf to load mod_magnet and run the Lua code:

server.modules += ( "mod_magnet" )
magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

lighttpd2 (development) (strip “Proxy” header from request)

Add to lighttpd.conf:

req_header.remove "Proxy";

Nginx/FastCGI

Use this to block the Proxy header from being passed on to PHP-FPM, PHP-PM, etc.:

fastcgi_param HTTP_PROXY "";

Nginx with proxy_pass

The following setting should work for people who are using “proxy_pass” with nginx:

proxy_set_header Proxy "";

Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks:

Microsoft IIS Mitigation steps:
Update apphost.config with the following rule:

<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="*.*" />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

Vendor Information


Apache HTTP Server Project Affected

Notified: July 12, 2016 Updated: July 18, 2016

Statement Date: July 14, 2016

Status

Affected

Vendor Statement

The Apache Software Foundation has discovered no examples of condition 2 described in the [redacted] report, and has determined there is no “vulnerability” per se in ASF software, which conform to both RFC822 (circa 1982) and CGI/1.1 defacto standard (circa 1995, superseded by CGI/1.1 IANA spec RFC 3875).

Several ASF projects participate in HTTP requests in the manners described under condition 1. The list of projects that will offer one or more mitigations includes but is not limited to:

Apache HTTP Server (httpd) (Tracked as CVE-2016-5387)
Apache Tomcat Server (Tracked as CVE-2016-5388)
Apache Traffic Server (ATS) (Tracking is not applicable)

Projects and subprojects impacted by the Apache HTTP Server mitigations will include mod_fcgid (Apache HTTP Project) and mod_perl (Apache Perl Project), as well as external projects such as mod_wsgi, all hopefully under CVE-2016-5387.

Note specifically that any CVE related to mod_fcgi[d] must be ignored, as it duplicates CVE-2016-5387. We have not reached a conclusion on separate tracking that might be unique to mod_perl itself (thus far, it also appears to duplicate -5387.)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Go Programming Language Affected

Updated: July 18, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

CVE-2016-5386

HAProxy Affected

Updated: July 13, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

HHVM Affected

Updated: July 18, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

CVE-2016-1000109

Microsoft Corporation Affected

Notified: July 12, 2016 Updated: July 13, 2016

Status

Affected

Vendor Statement

If you have installed PHP or any other third party framework on top of IIS, we recommend applying mitigation steps to protect from malicious Redirection or MiM attacks.

Mitigation:

Update apphost.config with the following rule:

<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="*.*" />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Python Affected

Updated: July 18, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

CVE-2016-1000110

The PHP Group Affected

Updated: July 18, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

CVE-2016-5385

lighttpd Affected

Updated: July 19, 2016

Statement Date: July 19, 2016

Status

Affected

Vendor Statement

Mitigation of httpoxy is available in lighttpd.

Mitigation:

lighttpd <= 1.4.40 (reject requests containing “Proxy” header)

  • Create “/path/to/deny-proxy.lua”, read-only to lighttpd, with content:
    if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

  • Modify lighttpd.conf to load mod_magnet and run the Lua code:
    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

lighttpd2 (development) (strip “Proxy” header from request)

  • Add to lighttpd.conf: req_header.remove "Proxy";

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

nginx Affected

Updated: July 13, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EfficientIP SAS Not Affected

Notified: July 12, 2016 Updated: July 12, 2016

Statement Date: July 12, 2016

Status

Not Affected

Vendor Statement

Please find the EfficientIP’s status about VU#797896:

Vendor: EfficientIP
Status: Not Affected
Statement: No version of our software is affected by VU#797896

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendors with status Unknown

Each of the following vendors was notified on July 12, 2016 (entry updated July 12, 2016); their status is Unknown, no statement has been received from them, and no vendor references are listed:

ACCESS
ARRIS
AT&T
Alcatel-Lucent
Apple (the entry reads “We are not aware of further vendor information regarding this vulnerability.”)
Arista Networks, Inc.
Aruba Networks
Avaya, Inc.
Belkin, Inc.
Blue Coat Systems
CA Technologies
CentOS
Check Point Software Technologies
Cisco
CoreOS
D-Link Systems, Inc.
Debian GNU/Linux
DesktopBSD
DragonFly BSD Project
EMC Corporation
Enterasys Networks
Ericsson
Extreme Networks
F5 Networks, Inc.
Fedora Project
Force10 Networks
FreeBSD Project
Gentoo Linux
Google
Hardened BSD
Hewlett Packard Enterprise
Hitachi
Huawei Technologies
IBM Corporation
Infoblox
Intel Corporation
Internet Systems Consortium
Internet Systems Consortium - DHCP
Juniper Networks
Lenovo
McAfee
NEC Corporation
National Center for Supercomputing Applications
NetBSD
Nokia
Nominum
OmniTI
OpenBSD
OpenDNS
Openwall GNU/*/Linux
Oracle Corporation
Peplink
Polycom
Q1 Labs
QNX Software Systems Inc.
Red Hat, Inc.
Ricoh Company Ltd.
Rockwell Automation
SUSE Linux
SafeNet
Secure64 Software Corporation
Slackware Linux Inc.
SmoothWall
Snort
Sony Corporation
Sourcefire
Symantec
TippingPoint Technologies Inc.
Turbolinux
Ubuntu
Unisys
VMware
Wind River
dnsmasq
m0n0wall
openSUSE project

Ruby (Updated: July 18, 2016) is also listed with status Unknown; no statement has been received from the vendor and CERT is not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           5.1    AV:N/AC:H/Au:N/C:P/I:P/A:P
Temporal       4.6    E:POC/RL:ND/RC:C
Environmental  1.1    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388, CVE-2016-1000109, CVE-2016-1000110
Date Public: 2016-07-18
Date First Published:
