Cisco: CISCO-SA-20100702-CVE-2010-1575
History: Jul 02, 2010 - 2:15 p.m.

Cisco CSS Content Services Switch and ACE Application Control Engine HTTP SSL Header Spoofing Vulnerability

2010-07-02 14:15:24
tools.cisco.com

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.011 Low
Percentile: 84.4%

Cisco CSS Content Services Switch (CSS), SSL Services Module (SSLM), and ACE Application Control Engine (ACE) contain a vulnerability that could allow an authenticated, remote attacker to insert spoofed SSL headers into HTTP requests.

The vulnerability exists because the affected products weakly enforce authority in HTTP certificate headers when performing SSL session termination. An authenticated, remote attacker could exploit this vulnerability by inserting spoofed SSL certificate headers into requests that are passed to the affected products for SSL termination. If successful, an attacker might be able to perform man-in-the-middle attacks, gaining access to sensitive information.

Cisco has confirmed this vulnerability in software release notes and released updated software.

This vulnerability could affect any CSS or SSLM installation, but could have a greater impact on installations configured to perform client certificate validation through the following configuration statement on the CSS: ssl-server <CONTEXT> http-header client-cert, and the following ssl-proxy policy http-header configuration statement on the SSLM: client-cert.

Ultimately, the impact of this vulnerability will depend on the applications behind an affected CSS device and how those devices handle the presence of multiple SSL headers throughout HTTP requests. If the applications process the last headers that appear in the request, they will receive those added by the CSS, but any other handling of SSL headers could result in the processing of the wrong headers.
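One way an application behind the device could apply the handling described above, as an added example that is not code from Cisco or from this advisory: it keeps only the last occurrence of each certificate header and flags any request in which such a header appears more than once. The header prefix `ClientCert-`, the function names and the sample request are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed prefix of the certificate headers inserted at SSL termination;
# replace it with the header names your device actually inserts.
CERT_HEADER_PREFIX = "clientcert-"


def resolve_cert_headers(headers):
    """headers: ordered list of (name, value) pairs as the backend received them.

    Returns (trusted, duplicated). trusted maps each certificate header to its
    LAST occurrence, which per the advisory is the one added by the CSS.
    duplicated lists certificate headers that appeared more than once.
    """
    seen = defaultdict(list)
    for name, value in headers:
        key = name.strip().lower()  # header names are case-insensitive
        if key.startswith(CERT_HEADER_PREFIX):
            seen[key].append(value.strip())
    trusted = {k: v[-1] for k, v in seen.items()}
    duplicated = sorted(k for k, v in seen.items() if len(v) > 1)
    return trusted, duplicated


def first_wins(headers, name):
    """What a first-occurrence parser returns: the handling the advisory warns about."""
    for n, v in headers:
        if n.strip().lower() == name.lower():
            return v.strip()
    return None


def check_request(headers):
    """Policy: reject when a certificate header is duplicated, else accept."""
    trusted, duplicated = resolve_cert_headers(headers)
    if duplicated:
        return ("reject", duplicated)  # log and alert on these header names
    return ("accept", trusted)


# Constructed sample: a certificate header already present in the request,
# followed by the one appended at SSL termination.
SAMPLE_REQUEST = [
    ("Host", "app.example.test"),
    ("ClientCert-Subject-CN", "admin"),
    ("User-Agent", "sample"),
    ("ClientCert-Subject-CN", "alice"),
]

if __name__ == "__main__":
    print(first_wins(SAMPLE_REQUEST, "ClientCert-Subject-CN"))
    print(check_request(SAMPLE_REQUEST))
```

Rejecting on duplicates is stricter than last-wins alone and gives a log event to alert on.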
