The HTTP CONNECT method is described in an expired IETF Internet-Draft written in 1998 by Ari Luotonen. This document clearly explains the security risks associated with the HTTP CONNECT method:
The CERT/CC has received numerous reports of open proxies being abused in this way to connect to SMTP services (25/tcp) and relay unsolicited bulk email (UCE/spam). Because the mail appears to originate from the proxy, the proxy's owner, not the spammer, is the party that gets blacklisted.
If a proxy service allows recursive connections (a CONNECT request whose target is the proxy's own address and port), an attacker may be able to cause a denial-of-service condition by consuming resources with repeated connections from the proxy service back to itself.
III. Solution
Apply Patch or Upgrade
Apply a patch or upgrade from your vendor. For information about a specific vendor, check the Systems Affected section of this document or contact your vendor directly.
Vendors listed as "Not Vulnerable" ship HTTP proxy services with reasonably secure default configurations: the proxy only allows connections to a limited set of TCP ports, listens only on an internal or loopback interface, or requires further configuration before it will pass traffic at all. In other words, the vendor ships a secure or disabled proxy and leaves the responsibility for configuring it with the administrator. Note that almost any proxy service, including those from vendors listed as "Not Vulnerable," can be configured insecurely, and different distributions or packages may configure the same proxy application in different ways, so the vendor status below says nothing about a particular deployment.
Secure Proxy Configuration
Check the configuration of your proxy services to determine whether they allow CONNECT tunnels to arbitrary TCP ports and whether they accept connections from untrusted networks such as the Internet. Configure your proxy services to accept connections only from trusted networks and to tunnel only to reasonably safe TCP ports such as HTTP (80/tcp) and HTTPS (443/tcp). If possible, configure your proxy services to refuse recursive connections, that is, CONNECT requests directed back at the proxy's own listening address and port. Verify the result from the outside rather than trusting the configuration file: send a CONNECT for a port you expect to be blocked and confirm that the proxy answers with a refusal instead of "200 Connection established". For more information about specific products, check the Systems Affected section of this document, consult your product documentation, or contact your vendor.
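The following probe is an added example, not code from the advisory or from any vendor listed below. It sends one CONNECT request per target to a proxy and classifies the reply, so an administrator can confirm from the network side that the proxy refuses SMTP, IRC and itself (the recursive case) while still tunnelling 443. The proxy address and the target hosts are placeholders to replace with your own; only the reply-parsing functions run offline.

```python
"""Probe an HTTP proxy for open CONNECT tunnelling.

Added example, not code from the advisory or any vendor.  It sends a CONNECT
request for each target and classifies the proxy's reply; the proxy, hosts
and ports below are placeholders you replace with your own.
"""
import socket

# Targets a hardened proxy should refuse: SMTP relay, IRC, and (added in audit())
# the proxy's own listener.  443 is the one target it is expected to accept.
PROBE_TARGETS = [
    ("mail.example.net", 25),      # placeholder SMTP host
    ("irc.example.net", 6667),     # placeholder IRC host
    ("www.example.net", 443),      # placeholder HTTPS host (expected: open)
]


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request in authority form (host:port), as every proxy expects it."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status_line(reply: bytes):
    """Return (status_code, reason) from the proxy's reply, or None if it is not HTTP."""
    first = reply.split(b"\r\n", 1)[0]
    parts = first.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    if not parts[1].isdigit() or len(parts[1]) != 3:
        return None
    reason = parts[2].decode("latin-1", "replace") if len(parts) == 3 else ""
    return int(parts[1]), reason


def classify_reply(reply: bytes) -> str:
    """'open' means the proxy established the tunnel; anything else is a refusal."""
    status = parse_status_line(reply)
    if status is None:
        return "no-http-reply"          # connection dropped, or not an HTTP proxy
    code, _ = status
    if 200 <= code < 300:
        return "open"
    if code == 407:
        return "auth-required"          # tunnelling may still be open to authenticated users
    if code in (403, 405):
        return "denied"
    return f"refused-{code}"


def probe(proxy_host: str, proxy_port: int, target_host: str, target_port: int,
          timeout: float = 5.0) -> str:
    """Open a TCP session to the proxy, send one CONNECT, classify the reply."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(build_connect_request(target_host, target_port))
            reply = sock.recv(4096)
    except OSError as exc:
        return f"error-{exc.__class__.__name__}"
    return classify_reply(reply)


def audit(proxy_host: str, proxy_port: int):
    """Probe every target plus the proxy itself; return {(host, port): verdict}."""
    targets = PROBE_TARGETS + [(proxy_host, proxy_port)]   # recursion check
    return {t: probe(proxy_host, proxy_port, *t) for t in targets}


if __name__ == "__main__":
    # placeholder proxy address; replace with the proxy under test
    for (host, port), verdict in audit("proxy.example.net", 3128).items():
        flag = "  <-- arbitrary tunnelling" if verdict == "open" and port != 443 else ""
        print(f"CONNECT {host}:{port:<5} {verdict}{flag}")
```

Run it from an untrusted network (outside the trusted source ranges) as well as from the inside: a proxy that is "denied" from the LAN but "open" from the Internet is exactly the misconfiguration this note describes. A 407 reply does not prove the proxy is safe, only that tunnelling requires credentials.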
Examine Tunneled Data
If possible, configure your HTTP proxy services to inspect the application-layer contents of HTTP CONNECT tunnels. Even when a proxy cannot decrypt HTTPS traffic, it can examine the first bytes exchanged over a CONNECT tunnel to confirm that an SSL/TLS handshake is actually taking place: the client's first record should be a ClientHello and the server's first record a ServerHello, whereas an SMTP server greets with a "220" banner and an IRC or SMTP client sends plain-text commands. This check only confirms that the tunnel carries TLS, not what the TLS session itself carries, so it complements port and source restrictions rather than replacing them.
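The handshake check described above, as an added example that is not part of the advisory and not any vendor's implementation. It parses the TLS record and handshake headers from the first bytes sent by each side of a tunnel, also accepts the SSLv2-compatible ClientHello that older clients sent, and produces a verdict for the tunnel; the sample byte strings are constructed for the demonstration.

```python
"""Recognise an SSL/TLS handshake at the start of a CONNECT tunnel.

Added example, not code from the advisory or any proxy vendor.  A proxy that
tunnels port 443 can buffer the first bytes from each side and apply these
checks before it stops looking at the stream.  The sample byte strings at the
bottom are constructed, not captured.
"""

TLS_HANDSHAKE_RECORD = 0x16   # record-layer content type "handshake"
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
TLS_MAX_RECORD = 16384        # TLSPlaintext.length is at most 2^14


def tls_handshake_type(data: bytes, expected_type: int) -> bool:
    """True if data starts with a TLS record carrying the expected handshake message.

    Layout: record type(1) version(2) length(2) | handshake type(1) length(3) version(2).
    """
    if len(data) < 11 or data[0] != TLS_HANDSHAKE_RECORD:
        return False
    if data[1] != 3 or data[2] > 4:          # record version 0x0300 (SSLv3) .. 0x0304
        return False
    record_len = int.from_bytes(data[3:5], "big")
    if record_len < 4 or record_len > TLS_MAX_RECORD:
        return False
    if data[5] != expected_type:
        return False
    hs_len = int.from_bytes(data[6:9], "big")
    # The handshake message may be fragmented over several records, so only
    # require that the first fragment fits inside its containing record.
    if hs_len < 2 or record_len - 4 > hs_len:
        return False
    return data[9] == 3                      # handshake-layer version major is always 3


def is_sslv2_client_hello(data: bytes) -> bool:
    """SSLv2-compatible ClientHello: 2-byte length with the high bit set, then
    message type 0x01 and the highest protocol version the client offers."""
    if len(data) < 5 or (data[0] & 0x80) == 0:
        return False
    return data[2] == HS_CLIENT_HELLO and data[3] == 3


def classify_client_start(data: bytes) -> str:
    """What the client sent first: 'tls', 'sslv2' or 'cleartext'."""
    if tls_handshake_type(data, HS_CLIENT_HELLO):
        return "tls"
    if is_sslv2_client_hello(data):
        return "sslv2"
    return "cleartext"


def classify_server_start(data: bytes) -> str:
    """What the server sent first.  Checking this direction matters because an
    SMTP server speaks first (a 220 banner) while the client is still silent."""
    if tls_handshake_type(data, HS_SERVER_HELLO):
        return "tls"
    return "cleartext"


def tunnel_verdict(client_first: bytes, server_first: bytes) -> str:
    """'allow' only when both sides open with SSL/TLS handshake messages."""
    client = classify_client_start(client_first)
    server = classify_server_start(server_first)
    if client in ("tls", "sslv2") and server == "tls":
        return "allow"
    return "flag"


# Constructed samples: a TLS 1.2 ClientHello prefix padded to its declared length,
# a ServerHello prefix, an SSLv2-compatible hello, and plain SMTP traffic.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301 00a5 01 0000a1 0303") + bytes(161)
SAMPLE_SERVER_HELLO = bytes.fromhex("160303 0051 02 00004d 0303") + bytes(77)
SAMPLE_SSLV2_HELLO = bytes.fromhex("802e 01 0301 0015 0000 0010") + bytes(37)
SAMPLE_SMTP_BANNER = b"220 mail.example.net ESMTP ready\r\n"
SAMPLE_SMTP_CLIENT = b"EHLO attacker.example\r\n"

if __name__ == "__main__":
    print("https-like tunnel:", tunnel_verdict(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO))
    print("sslv2 client     :", tunnel_verdict(SAMPLE_SSLV2_HELLO, SAMPLE_SERVER_HELLO))
    print("smtp through 443 :", tunnel_verdict(SAMPLE_SMTP_CLIENT, SAMPLE_SMTP_BANNER))
```

A proxy applying this would read and forward the first record from each side, decide, and then stop inspecting; it never needs the session keys. Because the check runs on the server's first bytes as well, a spammer who CONNECTs to an SMTP server on port 443 is caught by the banner even before the client sends anything.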
Systems Affected
Vendor | Status | Date Updated |
---|---|---|
3Com | Unknown | 23-May-2002 |
ACME Laboratories | Unknown | 23-Sep-2003 |
Aladdin Knowledge Systems | Unknown | 20-May-2002 |
Alcatel | Not Vulnerable | 20-Jun-2002 |
AnalogX | Vulnerable | 23-Sep-2003 |
Apache | Not Vulnerable | 16-Oct-2002 |
Apple Computer Inc. | Unknown | 20-May-2002 |
Astaro Security Linux | Vulnerable | 19-Jun-2003 |
AT&T | Unknown | 20-May-2002 |
CacheFlow Inc. | Vulnerable | 15-Sep-2003 |
CERN | Unknown | 19-Apr-2002 |
CGIProxy | Unknown | 23-Sep-2003 |
Check Point | Not Vulnerable | 23-Jul-2002 |
Cisco Systems Inc. | Vulnerable | 16-May-2002 |
Compaq Computer Corporation | Unknown | 20-May-2002 |
Computer Associates | Unknown | 20-May-2002 |
CyberSoft | Unknown | 20-May-2002 |
Data General | Unknown | 20-May-2002 |
Debian | Unknown | 20-May-2002 |
DeleGate | Unknown | 23-Sep-2003 |
Eolian | Unknown | 24-May-2002 |
F5 Networks | Not Vulnerable | 28-May-2002 |
Finjan Software | Unknown | 12-Apr-2002 |
Fujitsu | Unknown | 20-May-2002 |
Hewlett-Packard Company | Not Vulnerable | 29-May-2002 |
IBM | Vulnerable | 23-Sep-2003 |
IBM-zSeries | Unknown | 20-May-2002 |
Inktomi Corporation | Not Vulnerable | 23-May-2002 |
Juniper Networks | Not Vulnerable | 29-May-2002 |
Junkbusters | Not Vulnerable | 10-Feb-2003 |
Kerio | Vulnerable | 15-Oct-2002 |
Lotus Software | Not Vulnerable | 29-May-2002 |
Lucent Technologies | Unknown | 20-May-2002 |
Microsoft Corporation | Unknown | 20-May-2002 |
MultiNet | Not Vulnerable | 29-May-2002 |
Netscape Communications Corporation | Unknown | 20-May-2002 |
Network Appliance | Unknown | 20-May-2002 |
Network Associates | Unknown | 20-May-2002 |
Novell | Vulnerable | 19-Jun-2003 |
OpenBSD | Unknown | 20-May-2002 |
Oracle Corporation | Not Vulnerable | 29-May-2002 |
Proland Software | Unknown | 20-May-2002 |
RabbIT | Not Vulnerable | 23-May-2002 |
RhinoSoft | Unknown | 23-Sep-2003 |
SapporoWorks | Unknown | 23-Sep-2003 |
Sequent | Unknown | 20-May-2002 |
SGI | Unknown | 20-May-2002 |
Squid | Not Vulnerable | 16-Oct-2002 |
Stronghold | Unknown | 20-May-2002 |
Symantec Corporation | Vulnerable | 19-Jun-2003 |
The SCO Group (SCO Linux) | Unknown | 20-May-2002 |
The SCO Group (SCO UnixWare) | Unknown | 20-May-2002 |
Tiny Software | Vulnerable | 25-Jun-2002 |
TIS | Not Vulnerable | 16-Apr-2002 |
Trend Micro | Vulnerable | 10-Feb-2003 |
Trustix | Unknown | 15-Oct-2002 |
Unisys | Unknown | 20-May-2002 |
WebWasher | Vulnerable | 19-Jun-2003 |
Wind River Systems Inc. | Not Vulnerable | 29-May-2002 |
An instance of this vulnerability in Check Point FireWall-1 was reported by Volker Tanger in February 2002. The CERT/CC thanks Ronald Guilmette for information used in this document.
This document was written by Art Manion.
Other Information
Date Public | 02/19/2002 |
Date First Published | 05/17/2002 12:17:43 PM |
Date Last Updated | 09/23/2003 |
CERT Advisory | |
CVE Name | |
Metric | 89.50 |
Document Revision | 99 |