Cisco CSS Content Services Switch Software and Cisco ACE Application Control Engine Module HTTP Request Validation Issue
IntelliShield: Security Issue Alert
2010 July 02 14:19 GMT
2010 July 14 16:41 GMT
Vulnerability details have been clarified to indicate that an attacker must be authenticated in order to take advantage of this security issue.
Cisco CSS Content Services Switch Software and Cisco ACE Application Control Engine Module contain a security issue that could allow malicious HTTP requests to reach backend devices. An authenticated, remote attacker could construct a malicious HTTP request with RFC noncompliant linefeeds and submit it to web services that reside behind affected devices.
This issue exists because the affected devices only insert client certificate header information when an HTTP header terminator uses carriage return/line feed (CRLF) per RFC 2612. Some web servers may allow various permutations of this end-of-line terminator. If an unrecognized end-of-line terminator is detected, client certificate header information insertion may fail.
Cisco CSS Content Services Switch Software releases 8.20.4.02, 126.96.36.199S, 8.10.6.02, and 8.10.5.09S will accept the additional terminator of line feed/line feed (LFLF) if the separator follows the HTTP/1.x in a single line feed. If CRLF is detected, the client certificate header information insertion will occur when CRLF is detected as the terminator. Insertion will not accept the two permutations together.
Even though a defect was filed for the Cisco CSS Content Services Switch and the software was modified to expand the recognition of additional HTTP header termination formats, Cisco's position is that both products comply with RFC specifications. Further enhancements to adhere to all possible non-RFC permutations would not be sustainable.
Cisco has confirmed that the SSL Services Module (SSLM) is not affected by this issue.
Cisco has confirmed this vulnerability in software release notes and released updated software. The behavior is documented in Cisco bug ID CSCta04885.
Cisco thanks Virtual Security Research, LLC and the researcher George D. Gal for reporting this issue.
Cisco customers can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at firstname.lastname@example.org.
An authenticated, remote attacker could perform HTTP request smuggling or other attacks that leverage HTTP header processing that depends upon linefeed sequences.
Administrators may consider upgrading to Cisco CSS Content Services Switch Software releases 8.20.4.02, 188.8.131.52S, 8.10.6.02, or 8.10.5.09S to gain additional linefeed processing capabilities.
Administrators may consider performing additional validation to protect against RFC noncompliant header information on the backend devices or elsewhere as appropriate.
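The additional backend validation suggested above could take the form of the following check, which flags any request head that is not framed strictly with CRLF. This is an added example, not Cisco code; the function names and the sample requests are constructed for illustration.

```python
import re

# A line feed not preceded by CR, or a carriage return not followed by LF.
_BARE_EOL = re.compile(rb"(?<!\r)\n|\r(?!\n)")
# Any blank-line sequence a lenient server might treat as end of headers:
# CRLFCRLF, LFLF, LFCRLF or CRLFLF. The leftmost match wins, as it would
# for the most permissive parser in the chain.
_ANY_TERMINATOR = re.compile(rb"\r?\n\r?\n")

def find_header_block(raw: bytes):
    """Return (head, terminator), or (None, None) if no terminator is present."""
    m = _ANY_TERMINATOR.search(raw)
    if m is None:
        return None, None
    return raw[:m.start()], m.group(0)

def check_request_head(raw: bytes):
    """Return a list of findings; an empty list means strict CRLF framing."""
    head, term = find_header_block(raw)
    if head is None:
        return ["no header terminator found"]
    findings = []
    if term != b"\r\n\r\n":
        findings.append("non-CRLF header terminator: %r" % term)
    for m in _BARE_EOL.finditer(head):
        findings.append("bare %r at byte offset %d" % (m.group(0), m.start()))
    return findings

# Constructed sample requests (not captured traffic).
COMPLIANT = b"GET /app HTTP/1.1\r\nHost: backend.example\r\n\r\n"
LFLF = b"GET /app HTTP/1.1\nHost: backend.example\n\n"
MIXED = b"GET /app HTTP/1.1\r\nHost: backend.example\n\r\n"

if __name__ == "__main__":
    for name, req in (("compliant", COMPLIANT), ("lflf", LFLF), ("mixed", MIXED)):
        result = check_request_head(req)
        print(name, "->", "accept" if not result else "reject: " + "; ".join(result))
```

A backend or intermediate filter that rejects every request with a non-empty findings list never acts on a request whose header boundary the front-end device may have interpreted differently.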
Version 1, July 2, 2010, 10:19 AM: Cisco CSS Content Services Switch Software and Cisco ACE Application Control Engine Module contain a security issue that could allow malicious HTTP requests to reach backend devices.