Vulnslist

Cisco CSS Content Services Switch and ACE Application Control Engine HTTP SSL Header Spoofing Vulnerability

Cisco-SA-20100702-CVE-2010-1575 · Medium · Published · Updated

Cisco CSS Content Services Switch (CSS), SSL Services Module (SSLM), and ACE Application Control Engine (ACE) contain a vulnerability that could allow an authenticated, remote attacker to insert spoofed SSL headers into HTTP requests. The vulnerability exists because the affected products weakly enforce authority in HTTP certificate headers when performing SSL session termination. An authenticated, remote attacker could exploit this vulnerability by inserting spoofed SSL certificate headers into requests that are passed to the affected products for SSL termination. If successful, an attacker might be able to perform man-in-the-middle attacks, gaining access to sensitive information. Cisco has confirmed this vulnerability in software release notes and released updated software.

This vulnerability could affect any CSS or SSLM installation, but could have a greater impact on installations configured to perform client certificate validation through the following configuration statement on the CSS: ssl-server <CONTEXT> http-header client-cert and the following ssl-proxy policy http-header configuration statement on the SSLM: client-cert.

Ultimately, the impact of this vulnerability will depend on the applications behind an affected CSS device and how those devices handle the presence of multiple SSL headers throughout HTTP requests. If the applications process the last headers that appear in the request, they will receive those added by the CSS, but any other handling of SSL headers could result in the processing of the wrong headers.

Workarounds

On the CSS, the ssl-server <CONTEXT> http-header prefix <RANDOM_PREFIX> command will further secure the headers from the spoofing exposure by allowing a server administrator to define a random header prefix that will be prepended to new client certificates.

Usage and configuration of this command for the CSS is documented in the CSS Command Reference (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/command/reference/CmdSSLC.html#wp1172789).

On the SSLM, the following ssl-proxy policy http-header configuration statement will insert a configured prefix that will be prepended to the SSLM-inserted headers: prefix <prefix>. Also on the SSLM, the header names may be changed via the following ssl-proxy policy http-header configuration statement: alias <alias string> <header name>.

Use and configuration of this command for the SSLM are documented in the SSL Services Module Command Reference (http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ssl/2.1/command/reference/comref.html).
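The following is an added example, not code from Cisco or from this advisory. It shows, from the backend application's side, why first-match header handling is exposed, why last-match handling happens to survive, and how an application can read only the prefixed header that the workaround above enables. The header name, the prefix value, the way the prefix is joined to the name, and the sample requests are all constructed assumptions; use the names your device actually emits.

```python
# Added example: constructed header names and values, not taken from Cisco docs.
BASE = "ClientCert-Subject-CN"   # assumed name of a device-inserted header
PREFIX = "x7Qp2-"                # constructed stand-in for the configured random prefix


class UntrustedHeaders(Exception):
    """The trusted (prefixed) header is missing or appears more than once."""


def values(headers, name):
    """All values for a header name, case-insensitive, in arrival order."""
    return [v for n, v in headers if n.lower() == name.lower()]


def first_wins(headers, name=BASE):
    """Fragile: the first copy is the one the client sent."""
    return values(headers, name)[0]


def last_wins(headers, name=BASE):
    """Survives only because the device appends its header after the client's."""
    return values(headers, name)[-1]


def prefixed_only(headers, base=BASE, prefix=PREFIX):
    """Read only the prefixed header; return (value, client_sent_unprefixed)."""
    trusted = values(headers, prefix + base)
    if len(trusted) != 1:
        raise UntrustedHeaders(f"expected one {prefix + base}, got {len(trusted)}")
    # Assumption: with a prefix configured the device emits no unprefixed copy,
    # so an unprefixed header came from the client and is worth logging.
    return trusted[0], bool(values(headers, base))


# Constructed requests as (name, value) pairs in the order the backend sees them:
# the client-supplied header first, the device-inserted header last.
NO_PREFIX = [("Host", "app.example"), (BASE, "admin"), (BASE, "alice")]
WITH_PREFIX = [("Host", "app.example"), (BASE, "admin"), (PREFIX + BASE, "alice")]

if __name__ == "__main__":
    print("first-wins:", first_wins(NO_PREFIX))
    print("last-wins: ", last_wins(NO_PREFIX))
    print("prefixed:  ", prefixed_only(WITH_PREFIX))
```

A request in which the prefixed header is absent or duplicated is rejected rather than resolved by position, since a duplicate means the prefix is no longer secret.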

In addition, with CSS releases 8.20.4.03S and 8.10.6.03S, the following new command has been implemented: ssl pre-remove-http-hdr. This command will remove existing headers prior to inserting a new header. For example, if the software is configured for client certificate information, this command would cause existing client certificate headers to be removed and then the new headers would be inserted. Note that this functionality does not work with prefixes. The default behavior will continue to ignore headers before insertion. The no ssl pre-remove-http-hdr command reverts to default behavior. This command may impact CSS performance based on the number of headers present.

SSL header insertion was first implemented in the ACE module with version A2(3.0). SSL header insertion functionality does not exist in the ACE appliance.

The ACE module allows header deletion and rewrite as documented in the ACE Configuration Guide for software version A2(3.0) (http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1131850).

CVEs: CVE-2010-1575
Cisco Bug IDs: NA
CVSS Score: Base 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:W/RC:C/CDP:N/TD:N/CR:ND/IR:ND/AR:ND)
Product Names From Source: Cisco Content Services Switch (CSS), Cisco SSL Services Module

Related Products

Product | CVE | Evidence
Cisco Content Services Switch (CSS) | CVE-2010-1575 | Cisco OpenVuln
Cisco SSL Services Module | CVE-2010-1575 | Cisco OpenVuln