Transparent mode vulnerability in proxy servers

This vulnerability only affects proxy servers configured in transparent mode. This mode is not usually used.

Reminder on proxy servers

 Proxy servers are servers which relay requests between the clients of a local network and servers outside the network. They can relay several protocols but essentially relay the exchanges based on the HTTP/HTTPS protocol (HTTP proxy) to allow users to connect to the Internet with the following features:

• memory caching of most frequently consulted web pages
• application filtering,
• logging queries,
• identification and authentication of users,
• ...

 A proxy server configured in transparent mode relays connections without user interaction or browsers configuration.

 A proxy server can also be used to enable Internet users to connect to internal servers. This is referred to as reverse-proxy server.

 
The "host" field in the HTTP headers

 The RFC 2616 defines the "host" field of HTTP headers in such a way to allow the requests to specify the HTTP server and port number of the requested resource.

This field is compulsory and its absence causes the rejection of the request with error code 400 (Bad Request).

 Note: If the port number is not defined then the default number of the requested service is used (e.g. 80 for HTTP).

 
Vulnerability

 This month, a vulnerability affecting various proxy servers, was reported by US-CERT. It is detailed in the Cert-IST FA-2009.0041 flaw under investigation.

 It only impacts transparent mode configured proxy servers, which make connection decisions related to the HTTP requests, based on the HTTP header "host" field instead of the source and destination IP addresses of the requests.

An attacker, who is able to craft HTTP requests, can indeed connect to all websites to which a vulnerable proxy server has access, by using a HTTP request with a crafted "host" field.

A remote attacker can exploit this vulnerability through web active content (JavaScript, Flash ...), to access internal sites, normally not accessible from the Internet. He needs to drop this active content on a malicious or compromised website and entices his victim to visit it. And when this victim browses the site through a transparent proxy, it downloads the active content, which can then fool the vulnerable proxy by modifying the "host" field of requests to access any site to which the proxy has access.

Note: This vulnerability does not impact proxy servers configured with "reverse" mode.

 
Solutions

Multiple proxy servers, including Squid and BlueCoat ProxySG, which are monitored by the Cert-IST, are vulnerable.

Up to now, patch has still not been released.

The Cert-IST will release a security advisory when official patches are released for proxy servers it monitors.

 In the meantime, it is possible for network administrators to reduce the level of risk associated with this vulnerability by:

• restricting access to internal services to authenticated persons,
• limiting connections between the proxy server and internal services,
• limiting the use of communication protocols and TCP ports.

 Users can however limit the use of active web content (JavaScript, Flash ...) to trusted sites only.

 
For more information:

• US-CERT Vulnerability Note: http://www.kb.cert.org/vuls/id/435052
• Definition of the "host" filed in the RFC2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23
• Cert-IST flaw under investigation: FA-2009.0041