
Security Advisory

HTTP – Request Smuggling
Published: Thursday, March 19th, 2020
Last Update: Thursday, March 19th, 2020
Summary

Web application security scans have indicated a potential security weakness when ACOS ADCs are deployed in front of some back-end web servers. Referred to as HTTP request smuggling, this weakness is described in CWE-444 [1] and is addressed in this document.

About HTTP Request Smuggling

A deployed ADC configuration, which includes the back-end server, can be exposed to HTTP request smuggling. The weakness arises when two HTTP parsers in the same data path (for example the ADC and the origin server) disagree about where one request ends and the next begins, typically because they resolve ambiguous or duplicated length information differently. CWE-444 provides two examples of how this weakness can be exploited. In Example 1, a malformed HTTP request is sent to a website that includes a proxy server and a web server, with the intent of poisoning the proxy cache so that one web page is associated with the content of another, malicious page.

In Example 2, a malformed HTTP request is sent to a website that includes a web server protected by a firewall, with the intent of bypassing the firewall by smuggling a second request past it inside the body of an apparently legitimate one.

Affected Releases

This is not a vulnerability in ACOS. A deployed configuration that includes the back-end server and any intermediate HTTP proxying function can be exposed to HTTP request smuggling. This issue can be mitigated for the ACOS 4.1.1, 4.1.4-GR1 and 5.1 release families as indicated below. Older deployments should upgrade to an ACOS release family that supports mitigations for this weakness.

Releases Affected    Releases Resolved or Unaffected
N/A                  N/A
Workarounds and Mitigations

HTTP request smuggling can be mitigated by enabling the ACOS WAF (Web Application Firewall) HTTP protocol checks and adding an ACOS aFlex rule on the affected virtual port.

Example 1 is mitigated by the WAF http-check feature (ACOS 4.1.1 and 4.1.4-GR1) or the http-protocol-check feature with the multiple-content-length option (ACOS 5.1), which validates the request length information and drops requests carrying more than one Content-Length header, so the ADC and the back-end server can no longer disagree about the body length. Example 2 is mitigated by the aFlex rule below, which rejects POST requests that carry no Content-Type header. Both controls must be bound to the virtual port that fronts the back-end server; they are not global settings.
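The following Python script is an added example, not A10 Networks code and not part of this advisory. It shows concretely why inconsistent parsing matters and what the two mitigations above check. Two deliberately minimal parsers model a front end that honours the last of two Content-Length headers and a back end that honours the first; the same bytes become one request on the front end and two on the back end, the second of which is the smuggled GET /admin. The check_request function then implements the front-end validation the advisory configures: reject duplicated Content-Length (the WAF check) and reject a POST without Content-Type (the aFlex rule). It also rejects Content-Length combined with Transfer-Encoding, which this advisory does not mention but which RFC 7230 likewise requires a front end to refuse, so the example goes slightly beyond the page. The request bytes, the host name example.test and the paths are constructed for the example.

```python
"""HTTP request-smuggling desync and the front-end checks that stop it.

Added example, not A10 Networks code: the two parsers below are deliberately
minimal stand-ins for a lenient proxy and a lenient origin server, and the
request bytes, host name and paths are constructed for illustration.
"""

from typing import List, Tuple

CRLF = b"\r\n"
Headers = List[Tuple[str, str]]


def parse_head(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split a raw request into (request line, ordered header list, remaining bytes).

    Headers are kept as an ordered list rather than a dict so that duplicate
    names survive; a smuggling check needs to see every Content-Length sent.
    """
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    request_line = lines[0].decode("ascii")
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, rest


def body_length(headers: Headers, policy: str) -> int:
    """Return the Content-Length a lenient parser would honour.

    policy is "first" or "last": two behaviours seen in real servers when a
    request carries more than one Content-Length header. RFC 7230 requires a
    message with conflicting Content-Length values to be rejected instead.
    """
    values = [int(v) for name, v in headers if name == "content-length"]
    if not values:
        return 0
    return values[0] if policy == "first" else values[-1]


def split_requests(raw: bytes, policy: str) -> List[bytes]:
    """Consume a connection's byte stream the way a lenient server would.

    Returns the requests the server believes it received. Bytes left after
    the first body are parsed as the next request on the same connection,
    which is exactly how a smuggled request reaches the back end. A trailing
    fragment without a blank line is returned as-is (a real server would
    hold it and wait for more bytes).
    """
    seen: List[bytes] = []
    while raw:
        _, headers, rest = parse_head(raw)
        n = body_length(headers, policy)
        head_len = len(raw) - len(rest)
        seen.append(raw[: head_len + n])
        raw = rest[n:]
    return seen


def build_smuggling_request() -> bytes:
    """Construct a duplicate-Content-Length (CL.CL) smuggling request (constructed sample)."""
    smuggled = b"GET /admin HTTP/1.1\r\nX-Smuggled: yes\r\n\r\n"
    visible = b"q=ab"
    body = visible + smuggled
    head = (
        b"POST /search HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        + b"Content-Length: %d\r\n" % len(visible)  # honoured by a "first" parser
        + b"Content-Length: %d\r\n" % len(body)     # honoured by a "last" parser
        + CRLF
    )
    return head + body


def check_request(raw: bytes) -> Tuple[bool, str]:
    """Front-end validation mirroring the advisory's mitigations.

    Rejects requests with more than one Content-Length (the WAF check) and
    POST requests without a Content-Type (the aFlex rule). The third rule,
    Content-Length together with Transfer-Encoding, goes beyond the advisory
    and closes the CL.TE / TE.CL variants of the same weakness.
    """
    request_line, headers, _ = parse_head(raw)
    names = [name for name, _ in headers]
    if names.count("content-length") > 1:
        return False, "multiple Content-Length headers"
    if "content-length" in names and "transfer-encoding" in names:
        return False, "Content-Length together with Transfer-Encoding"
    method = request_line.split(" ", 1)[0]
    if method == "POST" and "content-type" not in names:
        return False, "POST without Content-Type"
    return True, "ok"


if __name__ == "__main__":
    raw = build_smuggling_request()
    front = split_requests(raw, "last")   # lenient proxy: last header wins
    back = split_requests(raw, "first")   # lenient origin: first header wins
    print(f"front end sees {len(front)} request(s); back end sees {len(back)}")
    print("back end's second request:", back[1].split(CRLF)[0].decode())
    print("front-end check:", check_request(raw))
```

The desync only exists because the front end forwards the bytes it did not understand as body; once check_request refuses the duplicated header at the edge, the back end never sees the ambiguous request, which is the effect of the WAF and aFlex configuration that follows.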

Mitigations using ACOS 4.1.1 and 4.1.4-GR1

For deployments with ACOS 4.1.1 or 4.1.4-GR1 release families, this issue can be mitigated using the following procedure.
1. Add the following aFlex rule (the line containing only a period ends script entry in the CLI).

aflex create post-no-content-type
when HTTP_REQUEST {
  # Reject POST requests that carry no Content-Type header (CWE-444 Example 2).
  if { [HTTP::method] equals "POST" } {
    if { not [HTTP::header exists "Content-Type"] } {
      HTTP::respond 403 content "<html><head><title>Invalid request</title></head><body>Invalid request<p></body></html>"
    }
  }
}
.

2. Configure WAF to perform HTTP checking.

waf template test
  http-check

3. Configure the virtual server to use the WAF template and the aFlex rule.

slb virtual-server vs-11-1 10.1.11.1
  port 80 http
    aflex post-no-content-type
    source-nat pool test
    service-group sg-http
    template waf test

Mitigations using ACOS 5.1

For deployments with the ACOS 5.1 release family, this issue can be mitigated using the following procedure.

1. Add the following aFlex rule (the line containing only a period ends script entry in the CLI).

aflex create post-no-content-type
when HTTP_REQUEST {
  # Reject POST requests that carry no Content-Type header (CWE-444 Example 2).
  if { [HTTP::method] equals "POST" } {
    if { not [HTTP::header exists "Content-Type"] } {
      HTTP::respond 403 content "<html><head><title>Invalid request</title></head><body>Invalid request<p></body></html>"
    }
  }
}
.

2. Configure WAF to perform HTTP checking.

waf template test
  http-protocol-check
  multiple-content-length

3. Configure the virtual server to use the WAF template and the aFlex rule.

slb virtual-server vs-11-1 10.1.11.1
  port 80 http
    aflex post-no-content-type
    source-nat pool test
    service-group sg-http
    template waf test

Software Updates

ACOS software releases, including the release families that support the mitigations above, are or will be published at the following URL:
http://www.a10networks.com/support/axseries/software-downloads

Vulnerability Details

The following table gives a brief description of the issue addressed in this document.

Vulnerability ID: A10-2020-0001

Vulnerability Description: When malformed or abnormal HTTP requests pass through two or more entities in the data flow between the user and the web server (such as a proxy, load balancer or firewall) and those entities interpret the request boundaries inconsistently, an attacker can "smuggle" a request to one device without the other device being aware of it.

Acknowledgements

None

Modification History
Revision  Date                        Description
1.0       Thursday, March 19th, 2020  Initial Publication


© Copyright 2020 A10 Networks, Inc. All Rights Reserved.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.