Security Issue Alert

Cisco CSS Content Services Switch Software and Cisco ACE Application Control Engine Module HTTP Request Validation Issue

 
Threat Type: IntelliShield: Security Issue Alert
IntelliShield ID: 20808
Version: 2
First Published: 2010 July 02 14:19 GMT
Last Published: 2010 July 14 16:41 GMT
Port: Not available
CVE: CVE-2010-1576
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary:

Vulnerability details have been clarified to indicate that an attacker must be authenticated in order to take advantage of this security issue.

 
 
Description

Cisco CSS Content Services Switch Software and Cisco ACE Application Control Engine Module contain a security issue that could allow malicious HTTP requests to reach backend devices.  An authenticated, remote attacker could construct a malicious HTTP request with RFC noncompliant linefeeds and submit it to web services that reside behind affected devices.

This issue exists because the affected devices only insert client certificate header information when an HTTP header terminator uses carriage return/line feed (CRLF) per RFC 2612.  Some web servers may allow various permutations of this end-of-line terminator.  If an unrecognized end-of-line terminator is detected, client certificate header information insertion may fail.

Cisco CSS Content Services Switch Software releases 8.20.4.02, 8.20.3.9S, 8.10.6.02, and 8.10.5.09S also accept line feed/line feed (LFLF) as the header terminator, provided that the line ending that follows HTTP/1.x is a single line feed.  If the line ending is CRLF, client certificate header information is inserted only when CRLF is also detected as the terminator.  The two permutations are not accepted together in one request.

Even though a defect was filed for the Cisco CSS Content Services Switch and the software was modified to expand the recognition of additional HTTP header termination formats, Cisco's position is that both products comply with RFC specifications.  Further enhancements to adhere to all possible non-RFC permutations would not be sustainable.

Cisco has confirmed that the SSL Services Module (SSLM) is not affected by this issue.

Cisco has confirmed this vulnerability in software release notes and released updated software.  The behavior is documented in Cisco bug ID CSCta04885.

Cisco thanks Virtual Security Research, LLC and the researcher George D. Gal for reporting this issue.

 
Patches/Software

Cisco customers can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.

 
Impact

An authenticated, remote attacker could perform HTTP request smuggling or other attacks that leverage HTTP header processing that depends upon linefeed sequences.

 
Safeguards

Administrators may consider upgrading to Cisco CSS Content Services Switch Software releases 8.20.4.02, 8.20.3.9S, 8.10.6.02, or 8.10.5.09S to gain additional linefeed processing capabilities.

Cisco ACE Application Control Engine Module allows the configuration of a layer 7 class map that will prevent unknown end-of-line terminators.  Configuration of layer 7 class maps is documented in the Application Control Engine Module Server Load-Balancing Configuration Guide (Software Version A2(3.0)).

Administrators may consider performing additional validation to protect against RFC noncompliant header information on the backend devices or elsewhere as appropriate.
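
One way to perform the backend validation suggested above, as an added example that is not part of the Cisco alert or Cisco's code: a check that refuses any request whose header block is not strictly CRLF-terminated or that lacks the header the front-end device should have inserted. The header name X-Client-Cert-Subject and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumed name of the header the front-end device inserts; the alert does not
# give the real name, which depends on the device configuration.
CERT_HEADER = b"x-client-cert-subject"

BARE_LF = re.compile(rb"(?<!\r)\n")   # LF not preceded by CR
BARE_CR = re.compile(rb"\r(?!\n)")    # CR not followed by LF


def audit_request_head(raw: bytes) -> list[str]:
    """Return the reasons a backend should refuse this raw request (empty = accept)."""
    problems = []
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        problems.append("no CRLF CRLF header terminator")
        head = raw
    else:
        head = raw[:end]
    if BARE_LF.search(head):
        problems.append("bare LF in header block")
    if BARE_CR.search(head):
        problems.append("bare CR in header block")
    # Header names as a strict CRLF parser sees them (first line is the request line).
    names = {line.split(b":", 1)[0].strip().lower()
             for line in head.split(b"\r\n")[1:] if b":" in line}
    if CERT_HEADER not in names:
        problems.append("client certificate header missing")
    return problems


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "crlf": b"GET /account HTTP/1.1\r\nHost: app.example\r\n"
            b"X-Client-Cert-Subject: CN=alice\r\n\r\n",
    "lflf": b"GET /account HTTP/1.1\nHost: app.example\n\n",
    "mixed": b"GET /account HTTP/1.1\nHost: app.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_request_head(raw) or "accept")
```

Running the check before the web server's own lenient parsing means a request that bypassed header insertion at the front end is refused rather than processed without certificate information.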

 
Alert History
 

Version 1, July 2, 2010, 10:19 AM: Cisco CSS Content Services Switch Software and Cisco ACE Application Control Engine Module contain a security issue that could allow malicious HTTP requests to reach backend devices.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Cisco: Cisco ACE 4700 Series Application Control Engine Appliances A3 2.3, 2.4, 2.5, 2.6
Cisco: Cisco Content Services Switch (CSS)
  11501: 7.50.1.03, 7.50.2.05, 7.50.3.03, 8.10.1.06, 8.10.2.05, 8.10.3.01, 8.10.4.01, 8.10.5.03, 8.10.6.02, 8.20.1.01, 8.20.2.01, 8.20.3.03, 8.20.4.02
  11503: 7.50.1.03, 7.50.2.05, 7.50.3.03, 8.10.1.06, 8.10.2.05, 8.10.3.01, 8.10.4.01, 8.10.5.03, 8.10.6.02, 8.20.1.01, 8.20.2.01, 8.20.3.03, 8.20.4.02
  11506: 7.50.1.03, 7.50.2.05, 7.50.3.03, 8.10.1.06, 8.10.2.05, 8.10.3.01, 8.10.4.01, 8.10.5.03, 8.10.6.02, 8.20.1.01, 8.20.2.01, 8.20.3.03, 8.20.4.02

Associated Products:
N/A



