cert CERT VU:877625
History: Aug 04, 2016 - 12:00 a.m.

Proxy auto-config (PAC) files have access to full HTTPS URLs

2016-08-04 00:00:00
www.kb.cert.org

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.017 Low
Percentile: 87.4%

Overview

Web proxy auto-config (PAC) files are passed the full HTTPS URL in GET requests, which may expose sensitive data.

Description

**CWE-212: Improper Cross-boundary Removal of Sensitive Data** - CVE-2016-5134 (Google), CVE-2016-1801 (Apple)

Web proxy auto-configuration files (proxy.pac) have access to the full URL, including the path and parameters, in HTTPS GET requests, which may expose sensitive data intended to be protected by HTTPS. This information is passed to the FindProxyForURL() function in the proxy.pac file. The PAC file is often retrieved by the browser automatically using the WPAD protocol. An attacker in a position to conduct man-in-the-middle attacks may provide a malicious PAC file capable of exploiting the FindProxyForURL() function to exfiltrate sensitive data.
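The exposure described above, and one way a browser can limit it, as an added example that is not part of the original advisory or any vendor's patch. The helper names (`sanitizeUrlForPac`, `makeRecordingPac`, `resolveProxy`), the hostnames and the sample URL are assumptions made for illustration; the stand-in PAC only records its arguments so the difference can be inspected.

```javascript
// Added illustration; all names here are hypothetical, not browser or vendor code.

// Mitigation sketch: for encrypted schemes pass only scheme://host[:port]/ to the
// PAC script. Credentials and the fragment are dropped for every scheme.
function sanitizeUrlForPac(rawUrl) {
  const u = new URL(rawUrl);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (u.protocol === "https:" || u.protocol === "wss:") {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Stand-in for a PAC file: records each (url, host) pair FindProxyForURL receives
// and returns an ordinary routing decision based on the host alone.
function makeRecordingPac() {
  const seen = [];
  function FindProxyForURL(url, host) {
    seen.push({ url, host });
    return host.endsWith(".corp.example") ? "DIRECT" : "PROXY proxy.corp.example:3128";
  }
  return { FindProxyForURL, seen };
}

// Invoke the PAC the way a browser would, with or without sanitizing the URL first.
function resolveProxy(pac, rawUrl, sanitize) {
  const host = new URL(rawUrl).hostname;
  const urlForPac = sanitize ? sanitizeUrlForPac(rawUrl) : rawUrl;
  return pac.FindProxyForURL(urlForPac, host);
}

// Constructed sample: a reset link whose secret lives in the query string.
const SAMPLE_URL = "https://accounts.example.com/reset?token=CONSTRUCTED-SECRET&user=alice#step2";

function demo() {
  const exposed = makeRecordingPac();
  const mitigated = makeRecordingPac();
  const r1 = resolveProxy(exposed, SAMPLE_URL, false);
  const r2 = resolveProxy(mitigated, SAMPLE_URL, true);
  // The routing decision is unchanged; only what the PAC script can read differs.
  return { exposedUrl: exposed.seen[0].url, mitigatedUrl: mitigated.seen[0].url, sameDecision: r1 === r2 };
}

console.log(demo());
```

Host-based proxy routing keeps working after sanitization because the `host` argument is untouched; only PAC logic that depends on the HTTPS path or query would change behaviour.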


Impact

An attacker who can provide a specially crafted PAC file can read URLs, including the path and query string, which may contain sensitive information intended to be protected by HTTPS.


Solution

Apply an update.

Apply the latest updates to your browser; see the Vendor Information section below.

Users who are unable to or do not wish to update their browsers should consider the following workaround.


Disable WPAD.

If proxy auto-configuration is not necessary, consider disabling WPAD functionality for your browser.


Vendor Information

The vendors listed below are suspected to be affected by the vulnerability. Other browser vendors not listed may be affected as well. The CERT/CC has no further evidence that any particular vendor is impacted unless marked Affected; vendors are encouraged to reach out to us to clarify their status.



Apple Affected

Notified: July 27, 2016 Updated: August 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google Affected

Notified: July 27, 2016 Updated: August 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mozilla Affected

Notified: July 27, 2016 Updated: August 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Opera Affected

Notified: July 27, 2016 Updated: August 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Not Affected

Notified: July 27, 2016 Updated: July 11, 2017

Statement Date: August 17, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Microsoft has informed CERT/CC that they are unaffected.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23877625 Feedback>).

CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | 2.9 | AV:A/AC:M/Au:N/C:P/I:N/A:N |
| Temporal | 2.3 | E:POC/RL:OF/RC:C |
| Environmental | 1.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |

Acknowledgements

Thanks to Bas Venis for reporting this vulnerability. We also would like to thank Itzik Kotler and Amit Klein for their presentation at Black Hat 2016, and Alex Chapman and Paul Stone for their presentation at DEF CON 24.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2016-5134, CVE-2016-1801
Date Public: 2016-08-04 Date First Published:
