Cisco CSS Content Services Switch Software and Cisco ACE Application Control Engine Module contain a security issue that could allow malicious HTTP requests to reach backend devices without the client certificate header information the devices are expected to insert. An authenticated, remote attacker could construct an HTTP request whose line terminators are not RFC compliant (for example a bare line feed instead of carriage return/line feed) and submit it to web services that reside behind affected devices.
This issue exists because the affected devices only insert client certificate header information when the HTTP header terminator uses carriage return/line feed (CRLF) as specified in RFC 2616. Some web servers accept other end-of-line sequences. If the device does not recognize the end-of-line terminator, client certificate header information insertion fails and the request is still forwarded to the backend web server, which may parse it successfully.
Cisco CSS Content Services Switch Software releases 8.20.4.02, 22.214.171.124S, 8.10.6.02, and 8.10.5.09S additionally accept line feed/line feed (LFLF) as the header terminator, provided that the request line (the line ending in HTTP/1.x) is itself terminated by a single line feed. If the request line is terminated by CRLF, client certificate header information is inserted only when CRLFCRLF is detected as the header terminator. The two terminator styles are not accepted when mixed within a single request.
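The following is an added example, not code from the advisory or from Cisco, that models the behaviour described above: a header-inserting proxy that only recognizes the RFC terminator, the patched behaviour that also accepts LFLF but not a mix of the two, and a tolerant backend parser that happily consumes the LF-only request that slipped through without the inserted headers. The header name ClientCert-Subject and the request bytes are constructed for the example and are not the product's actual header names.

```python
"""Model of client-certificate header insertion versus HTTP line terminators.

Constructed example; the header name and requests are hypothetical.
"""
from typing import List, Optional, Tuple

CRLF = b"\r\n"
LF = b"\n"


def find_header_end(raw: bytes, accept_lflf: bool = False) -> Tuple[Optional[int], Optional[bytes]]:
    """Locate the end-of-headers marker.

    Returns (offset_of_marker, line_terminator) or (None, None) if the
    terminator style is not recognized. With accept_lflf=False only
    CRLFCRLF is recognized (original behaviour). With accept_lflf=True,
    LFLF is also recognized, but only when the request line ends in a bare
    LF and no CRLF appears anywhere in the headers (no mixing).
    """
    request_line_end = raw.find(LF)
    if request_line_end == -1:
        return None, None
    request_line_uses_crlf = raw[request_line_end - 1:request_line_end] == b"\r"
    if request_line_uses_crlf:
        idx = raw.find(CRLF + CRLF)
        return (idx, CRLF) if idx != -1 else (None, None)
    if accept_lflf:
        idx = raw.find(LF + LF)
        if idx != -1 and CRLF not in raw[:idx]:
            return idx, LF
    return None, None


def insert_client_cert_headers(raw: bytes, cert_headers: List[Tuple[bytes, bytes]],
                               accept_lflf: bool = False) -> Tuple[bytes, bool]:
    """Insert the certificate-derived headers before the end-of-headers marker.

    Returns (request_to_forward, inserted). When the terminator is not
    recognized the request is forwarded unchanged, which is the failure mode
    the advisory describes (fail-open rather than reject).
    """
    idx, term = find_header_end(raw, accept_lflf)
    if idx is None:
        return raw, False
    extra = b"".join(name + b": " + value + term for name, value in cert_headers)
    cut = idx + len(term)          # keep the terminator of the last real header line
    return raw[:cut] + extra + raw[cut:], True


def lenient_backend_parse(raw: bytes) -> Tuple[str, dict]:
    """Tolerant backend: accepts CRLF or bare LF, as many web servers do."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head, _, _body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def backend_has_cert_identity(raw: bytes, header: str = "clientcert-subject") -> bool:
    """Fail-closed check a backend can apply: refuse to treat the request as
    certificate-authenticated unless the expected inserted header is present."""
    _request_line, headers = lenient_backend_parse(raw)
    return header in headers


if __name__ == "__main__":
    cert = [(b"ClientCert-Subject", b"CN=alice")]
    rfc_request = b"GET /secure HTTP/1.1\r\nHost: app.example\r\n\r\n"
    lf_request = b"GET /secure HTTP/1.1\nHost: app.example\n\n"
    for label, req, lenient in (("CRLF", rfc_request, False),
                                ("LF-only, original", lf_request, False),
                                ("LF-only, patched", lf_request, True)):
        fwd, inserted = insert_client_cert_headers(req, cert, accept_lflf=lenient)
        print(f"{label}: inserted={inserted} backend_sees_cert={backend_has_cert_identity(fwd)}")
```

The model shows why the backend parser matters as much as the proxy: the LF-only request is forwarded untouched by the original behaviour and the tolerant backend parses it as a normal request with no certificate headers. A backend that relies on those headers should treat their absence as unauthenticated (as backend_has_cert_identity does) rather than as a valid request from an anonymous client.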
Even though a defect was filed for the Cisco CSS Content Services Switch and the software was modified to expand the recognition of additional HTTP header termination formats, Cisco's position is that both products comply with RFC specifications. Further enhancements to adhere to all possible non-RFC permutations would not be sustainable.
Cisco has confirmed that the SSL Services Module (SSLM) is not affected by this issue.
Cisco has confirmed this vulnerability in software release notes and released updated software. The behavior is documented in Cisco bug ID CSCta04885.
Cisco thanks Virtual Security Research, LLC and the researcher George D. Gal for reporting this issue.