Cisco has provided additional information and safeguards for the Cisco CSS Content Services Switch and ACE Application Control Engine HTTP SSL header spoofing vulnerability.
This vulnerability could affect any CSS or SSLM installation, but could have a greater impact on installations configured to perform client certificate validation through the following configuration statement on the CSS: ssl-server < CONTEXT > http-header client-cert and the following ssl-proxy policy http-header configuration statement on the SSLM: client-cert.
Ultimately, the impact of this vulnerability will depend on the applications behind an affected CSS device and how those devices handle the presence of multiple SSL headers throughout HTTP requests. If the applications process the last headers that appear in the request, they will receive those added by the CSS, but any other handling of SSL headers could result in the processing of the wrong headers.
The CSS behavior is documented in Cisco bug ID CSCsz04690.
Cisco thanks George D. Gal, researcher at Virtual Security Research, LLC, for reporting this issue.
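The effect of the header-handling choice described above, shown from the backend application's side. This is an added example, not Cisco's code or part of the original alert; the header name ClientCert-Subject-CN, the prefix, the host and the sample request are assumptions constructed for illustration.

```python
SSL_PREFIX = "clientcert-"   # assumed header prefix; use the names your device inserts

class DuplicateSSLHeader(ValueError):
    """An SSL header appeared more than once in a single request."""

def parse_headers(raw: bytes):
    """Return (name, value) pairs in wire order, names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def ssl_headers(pairs, policy):
    """Collect SSL headers under 'first', 'last' or 'strict' duplicate handling."""
    out = {}
    for name, value in pairs:
        if not name.startswith(SSL_PREFIX):
            continue
        if name in out:
            if policy == "strict":
                raise DuplicateSSLHeader(name)
            if policy == "first":
                continue                         # keeps the earlier, client-sent value
        out[name] = value                        # 'last' keeps the device-added value
    return out

# Constructed request: the first ClientCert header came from the client,
# the second was added by the SSL-terminating device.
SAMPLE = (b"GET /account HTTP/1.1\r\n"
          b"Host: app.example\r\n"
          b"ClientCert-Subject-CN: admin\r\n"
          b"ClientCert-Subject-CN: alice\r\n"
          b"\r\n")

if __name__ == "__main__":
    pairs = parse_headers(SAMPLE)
    for policy in ("first", "last"):
        print(policy, ssl_headers(pairs, policy))
    try:
        ssl_headers(pairs, "strict")
    except DuplicateSSLHeader as exc:
        print("strict: rejected duplicate", exc)
```

Rejecting any request that carries a duplicated SSL header (the strict policy) gives the application a safe default and a log event to alert on, whichever position the device writes its headers in.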
Version 2, July 14, 2010, 12:51 PM: Cisco has confirmed that the SSL Services Module is also affected by this vulnerability. CVSS scoring details have been updated to correctly reflect the vulnerability details.
Version 1, July 2, 2010, 10:15 AM: Cisco Content Services Switch and Application Control Engine contain a vulnerability that could allow an unauthenticated, remote attacker to insert spoofed SSL headers into HTTP requests. Updates are available.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.