A Vulnerability Discovered in CGI Web Servers Could Allow for Man-In-The-Middle Attacks VU#797896

ITS Advisory Number: 
2016-120 (UPDATED)
Date(s) Issued: 
Wednesday, July 20, 2016
Date Updated: 
Thursday, July 21, 2016
Subject: 
A Vulnerability Discovered in CGI Web Servers Could Allow for Man-In-The-Middle Attacks VU#797896
Overview: 

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.

July 21, 2016 - UPDATED OVERVIEW:

A vulnerability has been discovered in a wide variety of Common Gateway Interface (CGI) based web products, which could allow for unauthorized redirection of traffic. This vulnerability exists due to a flaw in the use of the HTTP Proxy environment variable. This vulnerability can be exploited to perform remote man in the middle attacks, cause Denial of Service (DoS) conditions on the affected server, or leverage the affected server to perform Distributed Denial of Service (DDoS) attacks on a third party target.

Systems Affected: 
  • Apache HTTP Server (httpd) version prior to 2.4.23 (CVE-2016-5387)

  • Apache Tomcat Server version prior to 8.5.4 (CVE-2016-5388)

  • Apache Traffic Server (ATS)

July 21, 2016 - UPDATED SYSTEMS AFFECTED:

  • Apache
  • Drupal
  • Go
  • IIS
  • NGINX
  • PHP
  • Python
Risk: 

Government:
  • Large and medium government entities: High
  • Small government entities: Medium

Business:
  • Large and medium business entities: High
  • Small business entities: High

Home Users: Low

Additional Notes: 
Home users risk updated from N/A to Low
Description: 

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior is the result of a naming convention for meta-variables, defined in RFC 3876, which leads to a name collision: "The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name."
According to the researchers, a web server is vulnerable if:

  • A web server, programming language or framework (and in some limited situations the application itself) sets the environment variable HTTP_PROXY from the user-supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environment variable).

  • A web application makes use of HTTP_PROXY or similar variable unsafely (e.g. fails to check the request type) resulting in an attacker controlled proxy being used (essentially when HTTP_PROXY is actually used unsafely).
A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.

July 21, 2016 - UPDATED DESCRIPTION:

A vulnerability has been discovered in a wide variety of CGI-based web products, which could allow for unauthorized redirection of traffic. This vulnerability exists due to a flaw in the use of the HTTP Proxy environment variable. It can be exploited when application code is running on CGI or a CGI-like server: HTTP request headers are merged into the process environment under keys beginning with HTTP, which is what getenv reads from. When a user submits a request that contains a Proxy header, the header appears to the application as getenv('HTTP_PROXY'). Some common application libraries trust this value, even when run in a CGI/SAPI environment.
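The following Python is an added illustration, not code from the advisory or any affected project. It applies the CGI header-to-meta-variable rule quoted above to a constructed request, shows the resulting HTTP_PROXY collision, and places the two mitigations the advisory recommends beside it: dropping the Proxy header at the server, and having library code refuse HTTP_PROXY whenever the CGI meta-variable REQUEST_METHOD is present (the guard Python's own urllib adopted after this issue). The header values and the helper names are assumptions for the example.

```python
from typing import Dict, Optional

# Constructed sample request: a client-supplied "Proxy" header next to ordinary headers.
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "constructed-client/1.0",
    "Proxy": "http://attacker-controlled.invalid:8080",
}


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Apply the CGI naming rule quoted in the advisory to each request header:
    upper-case the name, replace '-' with '_', prepend 'HTTP_'.
    This is exactly the step that turns a 'Proxy' header into HTTP_PROXY."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Server-side mitigation: drop any client-supplied Proxy header
    (case-insensitively) before headers are handed to the CGI process."""
    return {name: value for name, value in headers.items()
            if name.lower() != "proxy"}


def outbound_proxy_for(env: Dict[str, str]) -> Optional[str]:
    """Library-side mitigation: never honour HTTP_PROXY when running under CGI.
    REQUEST_METHOD is a CGI meta-variable set by the server, never by the client,
    so its presence identifies the CGI context in which HTTP_PROXY is untrusted."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def demo() -> Dict[str, Optional[str]]:
    """Show the vulnerable flow beside both mitigations on the sample request."""
    vulnerable_env = cgi_meta_variables(SAMPLE_HEADERS)
    vulnerable_env["REQUEST_METHOD"] = "GET"  # set by the CGI server, not the client
    hardened_env = cgi_meta_variables(strip_proxy_header(SAMPLE_HEADERS))
    hardened_env["REQUEST_METHOD"] = "GET"
    return {
        "unfiltered_http_proxy": vulnerable_env.get("HTTP_PROXY"),  # attacker value present
        "filtered_http_proxy": hardened_env.get("HTTP_PROXY"),      # None: header dropped
        "library_guarded": outbound_proxy_for(vulnerable_env),      # None: CGI context
    }


if __name__ == "__main__":
    print(demo())
```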

Actions: 
  • After appropriate testing, apply applicable patches provided by the vendor to vulnerable systems.

  • Filter or block any "Proxy:" header arriving from an upstream proxy server or the origin user-agent.

July 21, 2016 - UPDATED ACTIONS:

  • Block the Proxy header for applications running PHP or CGI.
  • After appropriate testing, apply applicable patches provided by the vendor to vulnerable systems.
  • Verify no unauthorized system modifications have occurred on system before applying the patch.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Apply the principle of Least Privilege to all systems and services.