-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1764
          CGI web servers assign Proxy header values from client
           requests to internal HTTP_PROXY environment variables
                               19 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Web Server products running CGI
Publisher:         US-CERT
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1000110 CVE-2016-1000109 CVE-2016-5388
                   CVE-2016-5387 CVE-2016-5386 CVE-2016-5385

Original Bulletin: 
   https://www.kb.cert.org/vuls/id/797896

Comment: Where applicable, patches should be applied to correct this issue.
         Where patches have not yet been released, mitigations have been 
         provided in this bulletin for a number of products. For products where
         mitigations have not yet been provided, contact the product vendor
         for more information.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#797896

CGI web servers assign Proxy header values from client requests to internal 
HTTP_PROXY environment variables

Original Release date: 18 Jul 2016 | Last revised: 18 Jul 2016

Overview

Web servers running in a CGI or CGI-like context may assign client request 
Proxy header values to internal HTTP_PROXY environment variables. This 
vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on
internal subrequests or to direct the server to initiate connections to 
arbitrary hosts.

Description

CWE-807: Reliance on Untrusted Inputs in a Security Decision, CWE-454: 
External Initialization of Trusted Variables or Data Stores

Web servers running in a CGI or CGI-like context may assign client request 
Proxy header values to internal HTTP_PROXY environment variables. The 
vulnerable behavior is the result of the naming convention for meta-variables 
defined in RFC 3875, which leads to a name collision: "The HTTP header field 
name is converted to upper case, has all occurrences of "-" replaced with "_"
and has "HTTP_" prepended to give the meta-variable name." Under that rule a 
client-supplied "Proxy" header becomes HTTP_PROXY, the same variable that many 
HTTP client libraries read to find their outbound proxy.

According to the researchers, a web server is vulnerable if:

1. A web server, programming language or framework (and in some limited 
situations the application itself) sets the environmental variable HTTP_PROXY
from the user supplied Proxy header in the web request, or sets a similarly 
used variable (essentially when the request header turns from harmless data 
into a potentially harmful environmental variable).

2. A web application makes use of HTTP_PROXY or similar variable unsafely
(e.g. fails to check the request type) resulting in an attacker controlled 
proxy being used (essentially when HTTP_PROXY is actually used unsafely).

By sending a specially crafted request to a vulnerable server, a remote, 
unauthenticated attacker may be able to conduct MITM attacks on internal 
server subrequests or direct the server to initiate connections to arbitrary 
hosts. For more information, refer to httpoxy.org.
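The following is an added example, not code from the CERT note or from any of the vendors listed in it. It applies the RFC 3875 naming rule quoted above to a constructed set of request headers to show how "Proxy" collides with HTTP_PROXY, and then demonstrates the two defensive checks the note implies: a gateway that drops the Proxy header before building the CGI environment (condition 1), and an HTTP client that refuses to honour HTTP_PROXY while running under CGI (condition 2, using the presence of REQUEST_METHOD as the CGI signal, the same test CPython's urllib fix uses). All host names and header values are made up; `audit_cgi_environment` is a hypothetical helper for operators checking whether the collision has actually occurred.

```python
import os
from typing import Dict, List, Optional

# Constructed sample request headers, as a CGI gateway would receive them.
# The "Proxy" header is the one the note describes; the host value is made up.
SAMPLE_REQUEST_HEADERS: Dict[str, str] = {
    "Host": "app.example.test",
    "User-Agent": "constructed-client/1.0",
    "Proxy": "http://intercept.example.test:8080",
}


def header_to_meta_variable(name: str) -> str:
    """Apply the RFC 3875 naming rule quoted in the note: upper-case the header
    name, replace '-' with '_', prepend 'HTTP_'."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_environment(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Naive gateway: every request header becomes a meta-variable. This is the
    behaviour that lets a client-supplied Proxy header become HTTP_PROXY."""
    env = {header_to_meta_variable(k): v for k, v in headers.items()}
    env["REQUEST_METHOD"] = method  # mandatory CGI meta-variable (RFC 3875 4.1.12)
    return env


def build_cgi_environment_hardened(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Server-side mitigation: drop the Proxy header before the mapping. This is
    the effect of `RequestHeader unset Proxy` or `http-request del-header Proxy`."""
    filtered = {k: v for k, v in headers.items() if k.lower() != "proxy"}
    return build_cgi_environment(filtered, method)


def resolve_http_proxy(env: Dict[str, str]) -> Optional[str]:
    """Client-side mitigation: an HTTP library that reads its proxy from the
    environment must not honour HTTP_PROXY while running under CGI. REQUEST_METHOD
    is always set in a CGI environment, so its presence is the signal that
    HTTP_PROXY may have come from the request rather than from the operator."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def audit_cgi_environment(env: Dict[str, str]) -> List[str]:
    """Hypothetical detection helper for operators: returns findings describing
    whether the collision has actually occurred in the given environment."""
    findings: List[str] = []
    if "REQUEST_METHOD" in env and "HTTP_PROXY" in env:
        findings.append(
            "HTTP_PROXY is set inside a CGI environment "
            f"(value {env['HTTP_PROXY']!r}); treat it as client-controlled"
        )
    return findings


if __name__ == "__main__":
    naive = build_cgi_environment(SAMPLE_REQUEST_HEADERS)
    hardened = build_cgi_environment_hardened(SAMPLE_REQUEST_HEADERS)
    print("naive gateway   :", audit_cgi_environment(naive))
    print("hardened gateway:", audit_cgi_environment(hardened))
    print("proxy seen by a CGI-aware client:", resolve_http_proxy(naive))
    print("proxy from the real process env :", resolve_http_proxy(dict(os.environ)))
```

Run stand-alone, the script reports one finding for the naive gateway and none for the hardened one, and the CGI-aware client resolves no proxy from the tainted environment. Either mitigation alone closes the hole for that component; applying both, a header filter at the edge and a CGI-aware client library, is what protects an application whose server and language runtime are patched on different schedules.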

Impact

A remote, unauthenticated attacker may be able to conduct MITM attacks on 
internal server subrequests or direct the server to initiate connections to 
arbitrary hosts.

Solution

Apply an update

Where applicable, affected products and components should be updated to 
address this vulnerability. Check with vendors for information about patching.

Where patches are unavailable or updating is not an option, consider the 
following workarounds.

Filter Proxy request headers

The researchers and community have identified several filtering strategies 
that are product-dependent:

    Apache/CGI

    In this configuration, any language may be vulnerable (the HTTP_PROXY env 
    var is "real"). If you are using mod_headers, you can unset the "Proxy"
    header with this directive:

    RequestHeader unset Proxy

    If you are using mod_security, you can use a rule like (vary the action to 
    taste):

    SecRuleEngine On
    SecRule &REQUEST_HEADERS:Proxy "@gt 0" \
        "id:1000005,log,deny,msg:'httpoxy denied'"

    Refer to Apache's response for more information.

    HAProxy

    http-request del-header Proxy

    Nginx/FastCGI

    Use this to block the Proxy header from being passed on to PHP-FPM, PHP-PM, 
    etc.

    fastcgi_param HTTP_PROXY "";

    Nginx with proxy_pass

    The following setting should work for people who are using "proxy_pass" 
    with nginx:

    proxy_set_header Proxy "";

Microsoft has provided the following guidance for IIS servers utilizing 
affected third-party frameworks:

    Mitigation steps:

    Update apphost.config with the following rule:

    <system.webServer>
       <rewrite>
            <rules>
                <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
                    <match url="*.*" />
                    <serverVariables>
                        <set name="HTTP_PROXY" value="" />
                    </serverVariables>
                    <action type="None" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>

Vendor Information (Learn More)

Vendor                       Status         Date Notified   Date Updated

Apache HTTP Server Project   Affected       12 Jul 2016     18 Jul 2016
Go Programming Language      Affected       -               18 Jul 2016
HAProxy                      Affected       -               13 Jul 2016
HHVM                         Affected       -               18 Jul 2016
Microsoft Corporation        Affected       12 Jul 2016     13 Jul 2016
nginx                        Affected       -               13 Jul 2016
Python                       Affected       -               18 Jul 2016
The PHP Group                Affected       -               18 Jul 2016
EfficientIP SAS              Not Affected   12 Jul 2016     12 Jul 2016
ACCESS                       Unknown        12 Jul 2016     12 Jul 2016
Alcatel-Lucent               Unknown        12 Jul 2016     12 Jul 2016
Apple                        Unknown        12 Jul 2016     12 Jul 2016
Arista Networks, Inc.        Unknown        12 Jul 2016     12 Jul 2016
ARRIS                        Unknown        12 Jul 2016     12 Jul 2016
Aruba Networks               Unknown        12 Jul 2016     12 Jul 2016

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group           Score   Vector

Base            5.1     AV:N/AC:H/Au:N/C:P/I:P/A:P
Temporal        4.6     E:POC/RL:ND/RC:C
Environmental   1.1     CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

    https://tools.ietf.org/html/rfc3875

    https://httpoxy.org

    https://www.apache.org/security/asf-httpoxy-response.txt

    https://cwe.mitre.org/data/definitions/807.html

    https://cwe.mitre.org/data/definitions/454.html

Credit

Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this 
vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2016-5385 CVE-2016-5386 CVE-2016-5387 CVE-2016-5388 
CVE-2016-1000109 CVE-2016-1000110

    Date Public: 18 Jul 2016

    Date First Published: 18 Jul 2016

    Date Last Updated: 18 Jul 2016

    Document Revision: 59

Feedback

If you have feedback, comments, or additional information about this 
vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----