Vulnerability Note VU#150227

Multiple vendors' HTTP proxy default configurations allow arbitrary TCP connections

Overview

Multiple vendors' HTTP proxy services use insecure default configurations that could allow an attacker to make arbitrary TCP connections to internal hosts or to external third-party hosts.

I. Description

HTTP proxy services commonly support the HTTP CONNECT method, which is designed to create a TCP connection that bypasses the normal application layer functionality of the proxy service. Typically, the HTTP CONNECT method is used to tunnel HTTPS connections through an HTTP proxy. The proxy service does not decrypt the HTTPS traffic, as this would violate the end-to-end security model used by TLS/SSL.

The HTTP CONNECT method is described in an expired IETF Internet-Draft written in 1998 by Ari Luotonen. This document clearly explains the security risks associated with the HTTP CONNECT method:


Many vendors' HTTP proxy services are configured by default to listen on all network interfaces and to allow HTTP CONNECT method tunnels to any TCP port. A proxy may also allow the GET method with a crafted HTTP/1.1 Host request-header and the POST method to be used to create arbitrary TCP connections. Other HTTP methods (PUT) and FTP commands (USER/PASS, SITE, OPEN) can also be used to make arbitrary TCP connections through proxy services. SOCKS proxies suffer from similar insecure default configuration vulnerabilities, as do products that provide FTP proxy services.

Since most proxy services do not inspect application layer data in an HTTP CONNECT method tunneled connection, almost any TCP-based protocol may be forwarded through the proxy service. This creates an additional vulnerability in the case of HTTP anti-virus scanners and content filters that do not check the contents of an HTTP CONNECT method tunnel [VU#868219]. In addition, an attacker may be able to cause a denial of service by making recursive connections to a proxy service. Note that a wide variety of products including proxy servers, web servers, web caches, firewalls, and content/virus scanners provide HTTP proxy services.

Most products can be configured to specify which networks can access the HTTP proxy service and which destination TCP ports (and possibly IP addresses) are permitted. Products that provide a reasonably secure default configuration are noted as "Not Vulnerable" in the Systems Affected section of this document. It is important to note that any proxy service can be configured insecurely, potentially allowing access from any source to any destination IP address and TCP port.

II. Impact

The HTTP CONNECT method, as well as other HTTP methods and FTP commands, can be abused to establish arbitrary TCP connections through vulnerable proxy services. An attacker could use a vulnerable proxy service on one network as an intermediary to scan or connect to TCP services on another network. In a more severe case, an attacker may be able to establish a connection from a public network, such as the Internet, through a vulnerable proxy service to an internal network.

The CERT/CC has received numerous reports of this technique being used to connect to SMTP services (25/tcp) to initiate the delivery of unsolicited bulk email (UCE/SPAM).

If a proxy service allows recursive connections, an attacker may be able to cause a denial-of-service condition by consuming resources by making repeated connections from the proxy service back to itself.
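As an added example (not part of the CERT note), the following Python checks proxy access-log lines for the abuse patterns described above: tunnels opened from untrusted networks, tunnels to ports other than HTTP/HTTPS such as SMTP (25/tcp), and recursive connections back to the proxy itself. The log layout, addresses, proxy port and trusted network are constructed for illustration and are not any product's real format.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines (timestamp, client, method, target, result); not from any real product.
SAMPLE_LOG = """\
1035000001.100 10.1.2.3 CONNECT www.example.com:443 TCP_TUNNEL/200
1035000002.200 198.51.100.7 CONNECT mail.example.net:25 TCP_TUNNEL/200
1035000003.300 10.1.2.9 GET http://10.1.0.10:8080/ TCP_MISS/200
1035000004.400 10.1.2.3 GET http://www.example.com/index.html TCP_HIT/200
1035000005.500 198.51.100.7 CONNECT 10.1.0.10:8080 TCP_TUNNEL/200
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
PROXY_ADDRS = {"10.1.0.10"}                          # assumed proxy address
PROXY_PORT = 8080                                    # assumed proxy port
SAFE_PORTS = {80, 443}                               # HTTP and HTTPS only
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def destination(method, target):
    """(host, port) the proxy was asked to reach: CONNECT carries host:port,
    other methods an absolute URL (default port 80, or 443 for https)."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port)
    url = urlsplit(target)
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)


def flag_line(line):
    """Findings for one log line; an empty list means nothing suspicious."""
    match = LINE_RE.match(line)
    if not match:
        return []
    _, client, method, target, _ = match.groups()
    host, port = destination(method, target)
    findings = []
    if not any(ipaddress.ip_address(client) in net for net in TRUSTED_NETS):
        findings.append("untrusted-source")     # access from outside trusted nets
    if port not in SAFE_PORTS:
        findings.append("unsafe-port")          # e.g. SMTP relaying via 25/tcp
    if host in PROXY_ADDRS and port == PROXY_PORT:
        findings.append("recursive")            # proxy looping back to itself
    return findings


def scan(log):
    """Map 1-based line numbers to findings for every flagged line."""
    flagged = {}
    for number, line in enumerate(log.splitlines(), 1):
        findings = flag_line(line)
        if findings:
            flagged[number] = findings
    return flagged
```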

III. Solution

Apply Patch or Upgrade

Apply a patch or upgrade from your vendor. For information about a specific vendor, check the Systems Affected section of this document or contact your vendor directly.

Vendors listed as "Not Vulnerable" ship HTTP proxy services with reasonably secure default configurations, meaning that the proxy only allows connections to a limited number of TCP ports, or only listens on an internal or loopback interface, or requires further configuration before it will pass traffic. The vendor ships a secure or disabled proxy, and the responsibility of configuring the proxy is placed on the administrator. Note that almost any proxy service, including those from vendors listed as "Not Vulnerable," can be configured insecurely. Different distributions or packages may configure the same proxy application in different ways.

Secure Proxy Configuration

Check the configuration of your proxy services to determine if they allow connections to arbitrary TCP ports and whether they allow connections from untrusted networks such as the Internet. Configure your proxy services to only allow connections from trusted networks to reasonably safe TCP ports such as HTTP (80/tcp) and HTTPS (443/tcp). If possible, configure your proxy services not to allow recursive connections. For more information about specific products, check the Systems Affected section of this document, consult your product documentation, or contact your vendor.

Examine Tunneled Data

If possible, configure your HTTP proxy services to check the application layer contents of HTTP CONNECT method tunnels. Even if an HTTP proxy service is not able to decrypt HTTPS data, the proxy service could examine the initial stages of an HTTP CONNECT method connection to confirm that an SSL/TLS handshake is indeed being performed.
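As an added example (not from the CERT note or from any vendor's product), the following Python sketches the admission policy recommended in the two subsections above: accept CONNECT only from trusted source networks and only to HTTPS (443/tcp), refuse connections back to the proxy itself, and confirm that the tunnel opens with an SSL/TLS handshake before forwarding any data. The trusted network, proxy addresses and sample ClientHello bytes are constructed.

```python
import ipaddress

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
CONNECT_PORTS = {443}                                # CONNECT is meant for HTTPS
PROXY_ADDRS = {"10.1.0.10", "proxy.example.com"}     # assumed proxy's own names

# Constructed first bytes of a TLS ClientHello: handshake record 0x16,
# version 3.1, record length 0xa5, handshake type 0x01 (ClientHello).
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"


def looks_like_tls_client_hello(data):
    """Heuristic: do the tunnel's first bytes form a TLS/SSL ClientHello?

    TLS record layer: type 0x16 (handshake), version 0x03 0x00..0x04,
    2-byte length, then handshake type 0x01 (ClientHello).  SSLv2-style
    hellos use a 2-byte length with the high bit set followed by 0x01.
    """
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return True
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return True
    return False


def admit_connect(client_ip, host, port, first_bytes):
    """Decide whether a CONNECT tunnel may proceed; returns (allowed, reason).

    The source, port and recursion checks use the request line; the
    handshake check needs the first bytes the client sends after the proxy
    answers "200 Connection established" and before anything is forwarded.
    """
    if not any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS):
        return False, "source not in a trusted network"
    if port not in CONNECT_PORTS:
        return False, "destination port not permitted"
    if host in PROXY_ADDRS:
        return False, "recursive connection to the proxy itself"
    if not looks_like_tls_client_hello(first_bytes):
        return False, "tunnel does not start with a TLS handshake"
    return True, "ok"
```

Plaintext protocols pushed through the tunnel (SMTP, HTTP, FTP commands) fail the handshake check because their first bytes are ASCII command text rather than a TLS record.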

Systems Affected

Vendor | Status | Date Updated
3Com | Unknown | 23-May-2002
ACME Laboratories | Unknown | 23-Sep-2003
Aladdin Knowledge Systems | Unknown | 20-May-2002
Alcatel | Not Vulnerable | 20-Jun-2002
AnalogX | Vulnerable | 23-Sep-2003
Apache | Not Vulnerable | 16-Oct-2002
Apple Computer Inc. | Unknown | 20-May-2002
Astaro Security Linux | Vulnerable | 19-Jun-2003
AT&T | Unknown | 20-May-2002
CacheFlow Inc. | Vulnerable | 15-Sep-2003
CERN | Unknown | 19-Apr-2002
CGIProxy | Unknown | 23-Sep-2003
Check Point | Not Vulnerable | 23-Jul-2002
Cisco Systems Inc. | Vulnerable | 16-May-2002
Compaq Computer Corporation | Unknown | 20-May-2002
Computer Associates | Unknown | 20-May-2002
CyberSoft | Unknown | 20-May-2002
Data General | Unknown | 20-May-2002
Debian | Unknown | 20-May-2002
DeleGate | Unknown | 23-Sep-2003
Eolian | Unknown | 24-May-2002
F5 Networks | Not Vulnerable | 28-May-2002
Finjan Software | Unknown | 12-Apr-2002
Fujitsu | Unknown | 20-May-2002
Hewlett-Packard Company | Not Vulnerable | 29-May-2002
IBM | Vulnerable | 23-Sep-2003
IBM-zSeries | Unknown | 20-May-2002
Inktomi Corporation | Not Vulnerable | 23-May-2002
Juniper Networks | Not Vulnerable | 29-May-2002
Junkbusters | Not Vulnerable | 10-Feb-2003
Kerio | Vulnerable | 15-Oct-2002
Lotus Software | Not Vulnerable | 29-May-2002
Lucent Technologies | Unknown | 20-May-2002
Microsoft Corporation | Unknown | 20-May-2002
MultiNet | Not Vulnerable | 29-May-2002
Netscape Communications Corporation | Unknown | 20-May-2002
Network Appliance | Unknown | 20-May-2002
Network Associates | Unknown | 20-May-2002
Novell | Vulnerable | 19-Jun-2003
OpenBSD | Unknown | 20-May-2002
Oracle Corporation | Not Vulnerable | 29-May-2002
Proland Software | Unknown | 20-May-2002
RabbIT | Not Vulnerable | 23-May-2002
RhinoSoft | Unknown | 23-Sep-2003
SapporoWorks | Unknown | 23-Sep-2003
Sequent | Unknown | 20-May-2002
SGI | Unknown | 20-May-2002
Squid | Not Vulnerable | 16-Oct-2002
Stronghold | Unknown | 20-May-2002
Symantec Corporation | Vulnerable | 19-Jun-2003
The SCO Group (SCO Linux) | Unknown | 20-May-2002
The SCO Group (SCO UnixWare) | Unknown | 20-May-2002
Tiny Software | Vulnerable | 25-Jun-2002
TIS | Not Vulnerable | 16-Apr-2002
Trend Micro | Vulnerable | 10-Feb-2003
Trustix | Unknown | 15-Oct-2002
Unisys | Unknown | 20-May-2002
WebWasher | Vulnerable | 19-Jun-2003
Wind River Systems Inc. | Not Vulnerable | 29-May-2002

References

VU#868219
http://www.ietf.org/rfc/rfc2068.txt
http://www.ietf.org/rfc/rfc2616.txt
http://www.ietf.org/rfc/rfc2817.txt
http://www.ietf.org/rfc/rfc2818.txt
http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txt
http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.12
http://www.squid-cache.org/Doc/FAQ/FAQ-25.html#ss25.2
http://www.aerasec.de/security/index.html?lang=en&id=ae-200202-051
http://online.securityfocus.com/bid/4131
http://online.securityfocus.com/bid/4143
http://www.kb.cert.org/vuls/id/868219
http://www.monkeys.com/security/proxies/

Credit

An instance of this vulnerability in Check Point FireWall-1 was reported by Volker Tanger in February 2002. The CERT/CC thanks Ronald Guilmette for information used in this document.

This document was written by Art Manion.

Other Information

Date Public: 02/19/2002
Date First Published: 05/17/2002 12:17:43 PM
Date Last Updated: 09/23/2003
CERT Advisory:
CVE Name:
Metric: 89.50
Document Revision: 99

CERT Copyright Material