Security Advisory

HTTP – Request Smuggling
Published: Thursday, March 19th, 2020
Last Update: Friday, July 23rd, 2021
Summary

Web application security scans have indicated a potential security weakness when ACOS ADCs are used with some backend web servers. Referred to as HTTP request smuggling, this weakness is described in CWE-444 [1] and is addressed in this document.

About HTTP Request Smuggling

A deployed ADC configuration, which includes the back-end server, can be exposed to HTTP request smuggling. CWE-444 gives two examples of how this weakness can be exploited. In Example 1, a malformed HTTP request is sent to a website that includes a proxy server and a web server, with the intent of poisoning the proxy cache so that one web page is associated with another, malicious, web page.

In Example 2, a malformed HTTP request is sent to a website whose web server sits behind a firewall, with the intent of bypassing the firewall to smuggle malicious code into the system.

Affected Releases

This is not a vulnerability in ACOS. A deployed configuration which includes the back-end server and any intermediate HTTP proxying function can be exposed to HTTP request smuggling. This issue can be mitigated for the ACOS 4.1.1, 4.1.4-GR1, 5.1 and 5.2.x release families as indicated below. Older deployments should upgrade to an ACOS release family that supports mitigations for this weakness.

Releases Affected    Releases Resolved or Unaffected
N/A                  N/A
Workarounds and Mitigations

HTTP request smuggling can be mitigated by enabling the ACOS WAF (Web Application Firewall) feature and adding an ACOS aFlex rule.

Example 1 is mitigated by using the WAF http-check or http-protocol-check feature, which verifies the length information and drops requests that carry multiple Content-Length headers. Example 2 is mitigated by using the aFlex rule below to drop POST requests that have no Content-Type header.

Although other companies suggest disabling connection reuse to mitigate HTTP request smuggling, A10 Networks' view is that this helps in some cases but does not fully mitigate the issue and impacts performance.

NOTE: Enabling the ACOS WAF function with default settings could impact the web service being protected. Refer to the ACOS Web Application Firewall guide to ensure the configuration and settings are appropriate for the desired operation of the web service.
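The following is an added example and not A10's code. It makes two points from this advisory concrete in plain Python: first, the parser disagreement that CWE-444's examples rely on (the same bytes split into different requests by a front end that frames on Content-Length and a back end that frames on Transfer-Encoding: chunked), and second, the framing checks the mitigations below enforce (multiple Content-Length headers, POST without Content-Type, body without Content-Type). The Content-Length/Transfer-Encoding conflict check is an addition beyond what the page configures, and every request byte string is constructed for the demonstration; the hostname vip.example is a placeholder.

```python
# Added example, not A10's code: the parser disagreement behind HTTP request
# smuggling, plus the framing checks the advisory's mitigations enforce.
# Every request byte string here is constructed for the demonstration.

def parse_head(head: bytes):
    """Parse a request head into (method, target, [(name, value), ...]).
    Headers stay in a list so duplicate names remain visible."""
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers

def chunked_body_length(data: bytes) -> int:
    """Bytes consumed by a complete chunked body at the start of data.
    Trailers are not handled; enough for the demonstration."""
    pos = 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)
        pos = nl + 2 + size + 2          # size line, chunk data, CRLF
        if size == 0:
            return pos

def split_requests(stream: bytes, policy: str):
    """Cut a byte stream into (method, target, body) tuples the way a parser
    with the given framing policy would: 'cl' trusts Content-Length (first
    value), 'te' honours Transfer-Encoding: chunked when it is present.
    Returns (requests, bytes not yet consumed)."""
    requests = []
    while b"\r\n\r\n" in stream:
        head, _, rest = stream.partition(b"\r\n\r\n")
        method, target, headers = parse_head(head)
        te = [v for n, v in headers if n == b"transfer-encoding"]
        cl = [v for n, v in headers if n == b"content-length"]
        if policy == "te" and any(b"chunked" in v.lower() for v in te):
            body_len = chunked_body_length(rest)
        elif cl:
            body_len = int(cl[0])
        else:
            body_len = 0
        if body_len > len(rest):
            break                         # incomplete request, wait for more
        requests.append((method, target, rest[:body_len]))
        stream = rest[body_len:]
    return requests, stream

def check_request(raw: bytes):
    """Reasons to reject one request.  The multiple-Content-Length,
    POST-without-Content-Type and body-without-Content-Type checks are the
    ones the advisory configures; the Content-Length/Transfer-Encoding
    conflict check is an addition here.  An empty list means accept."""
    method, _target, headers = parse_head(raw.partition(b"\r\n\r\n")[0])
    names = [n for n, _ in headers]
    cl = [v for n, v in headers if n == b"content-length"]
    has_body = (b"transfer-encoding" in names
                or any(v.isdigit() and int(v) > 0 for v in cl))
    reasons = []
    if names.count(b"content-length") > 1:
        reasons.append("multiple Content-Length headers")
    if cl and b"transfer-encoding" in names:
        reasons.append("Content-Length together with Transfer-Encoding")
    if method == b"POST" and b"content-type" not in names:
        reasons.append("POST without Content-Type")
    if has_body and b"content-type" not in names:
        reasons.append("body without Content-Type")
    return reasons

# Constructed CL.TE payload: a chunked parser stops at "0\r\n\r\n" and treats
# what follows as the start of the *next* request on the connection, while a
# Content-Length parser forwards all of it as the body of this one.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nX-Ignore: "
BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACK = (b"POST / HTTP/1.1\r\nHost: vip.example\r\n"
          + b"Content-Length: %d\r\n" % len(BODY)
          + b"Transfer-Encoding: chunked\r\n\r\n" + BODY)
VICTIM = b"GET /index.html HTTP/1.1\r\nHost: vip.example\r\n\r\n"
DOUBLE_CL = (b"POST /login HTTP/1.1\r\nHost: vip.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 6\r\nContent-Length: 0\r\n\r\nq=test")
CLEAN = (b"POST /login HTTP/1.1\r\nHost: vip.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 6\r\n\r\nq=test")

def targets_seen(policy: str):
    """Request targets a parser with this policy sees on the shared connection."""
    reqs, _leftover = split_requests(ATTACK + VICTIM, policy)
    return [target for _m, target, _b in reqs]

if __name__ == "__main__":
    print("front end, Content-Length framing:", targets_seen("cl"))
    print("back end, chunked framing:        ", targets_seen("te"))
    for name, req in (("attack", ATTACK), ("double CL", DOUBLE_CL), ("clean", CLEAN)):
        print(f"{name}: {check_request(req) or 'accepted'}")
```

Run stand-alone, the Content-Length parser sees `/` followed by the victim's `/index.html`, while the chunked parser sees `/` followed by `/admin`, with the victim's request line swallowed into the smuggled `X-Ignore` header: that is the desync. The same attack request fails every check in `check_request`, which is why the advisory's length and Content-Type checks stop it at the ADC before the two parsers can disagree.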

Mitigations using ACOS 4.1.1 and 4.1.4-GR1

For deployments with ACOS 4.1.1 or 4.1.4-GR1 release families, this issue can be mitigated using the following procedure.
1. Add the following aFlex rules.

aflex create post-no-content-type

when HTTP_REQUEST {
  if { [HTTP::method] equals "POST" } {
    if { not [HTTP::header exists "Content-Type"] } {
      HTTP::respond 403 content "<html><head><title>Invalid request</title></head><body>Invalid request<p></body></html>"
    }
  }
}
.

2. Configure WAF to perform HTTP checking.

waf template wafcheck
  http-check

3. Configure the virtual server to use the WAF template and the aFlex rule.

slb virtual-server vs-11-1 10.1.11.1
  port 80 http
    aflex post-no-content-type
    aflex multiple-content-length-check
    source-nat pool test
    service-group sg-http
    template waf wafcheck
Mitigations using ACOS 5.1

For deployments with the ACOS 5.1 release family, this issue can be mitigated using the following procedure.

1. Add the following aFlex rule.

aflex create post-no-content-type

when HTTP_REQUEST {
  if { [HTTP::method] equals "POST" } {
    if { not [HTTP::header exists "Content-Type"] } {
      HTTP::respond 403 content "<html><head><title>Invalid request</title></head><body>Invalid request<p></body></html>"
    }
  }
}
.

2. Configure WAF to perform HTTP checking.

waf template wafcheck
  http-protocol-check
    multiple-content-length

3. Configure the virtual server to use the WAF template and the aFlex rule.

slb virtual-server vs-11-1 10.1.11.1
  port 80 http
    aflex post-no-content-type
    source-nat pool test
    service-group sg-http
    template waf wafcheck
Mitigations using ACOS 5.2.x

For deployments with the ACOS 5.2.x release family, this issue can be mitigated using the following procedure.

1. Configure WAF to perform HTTP checking.

waf template wafcheck
  http-protocol-check
    post-without-content-type
    body-without-content-type
    multiple-content-length

2. Configure the virtual server to use the WAF template.

slb virtual-server vs-11-1 10.1.11.1
  port 80 http
    source-nat pool test
    service-group sg-http
    template waf wafcheck
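Once one of the three procedures above is in place, the sensible next step is to confirm from the client side that the virtual server actually refuses the malformed requests. The script below is an added example, not A10's code. It builds one raw request per check (the requests are assembled by hand and sent over a plain socket because HTTP client libraries normalise away exactly the malformations being tested), plus a well-formed control request, and reports whether each was refused. The VIP address 10.1.11.1 is taken from the configuration above; the request path `/`, the Host value vip.example and the rule for what counts as "rejected" (the aFlex rule answers 403; a WAF deny is assumed to be an error status or a dropped connection) are assumptions to adjust for your deployment.

```python
# Added example, not A10's code: probes for checking that a virtual server
# really enforces the request-smuggling checks configured above.  Hostnames,
# the request path and the "what counts as rejected" rule are assumptions.
import socket
import sys

def build(request_line: bytes, headers: list, body: bytes = b"") -> bytes:
    """Assemble raw request bytes; headers is a list so duplicates survive."""
    head = b"\r\n".join([request_line] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body

def probes(host: bytes = b"vip.example"):
    """One raw request per configured check, plus a well-formed control."""
    body = b"q=test"
    cl = (b"Content-Length", str(len(body)).encode())
    ct = (b"Content-Type", b"application/x-www-form-urlencoded")
    common = [(b"Host", host), (b"Connection", b"close")]
    return {
        "post-without-content-type": build(b"POST / HTTP/1.1", common + [cl], body),
        "body-without-content-type": build(b"PUT / HTTP/1.1", common + [cl], body),
        "multiple-content-length": build(
            b"POST / HTTP/1.1", common + [ct, cl, (b"Content-Length", b"0")], body),
        "control": build(b"POST / HTTP/1.1", common + [ct, cl], body),
    }

def status_code(response: bytes):
    """Status from a raw HTTP response, or None if no status line came back."""
    parts = response.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def rejected(response: bytes) -> bool:
    """Assumed policy: the aFlex rule answers 403 and a WAF deny is an error
    status or a dropped connection, so 4xx/5xx or no status line = rejected."""
    code = status_code(response)
    return code is None or code >= 400

def send_probe(host: str, port: int, raw: bytes, timeout: float = 5.0) -> bytes:
    """Send raw bytes and return whatever comes back (empty if it is dropped)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)

def run(host: str, port: int = 80):
    """Probe every check; returns name -> (status or error text, rejected?)."""
    results = {}
    for name, raw in probes(host.encode()).items():
        try:
            response = send_probe(host, port, raw)
        except OSError as exc:
            results[name] = (f"unreachable: {exc}", None)
            continue
        results[name] = (status_code(response), rejected(response))
    return results

if __name__ == "__main__":
    vip = sys.argv[1] if len(sys.argv) > 1 else "10.1.11.1"   # VIP from the config above
    for name, (code, was_rejected) in run(vip).items():
        want = name != "control"           # every probe but the control must be refused
        verdict = "OK" if was_rejected == want else "CHECK"
        print(f"{name:26s} status={code} rejected={was_rejected} {verdict}")
```

Only the probes that match the options you configured are expected to be refused: the 4.1.1/4.1.4-GR1 and 5.1 procedures have no body-without-content-type check, so the PUT probe passing through is correct there. Read a "CHECK" on the control request with care as well, since the back end may legitimately answer a POST to `/` with 405 or similar; point the control at a path that accepts POST before concluding the WAF template is misconfigured.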

Software Updates

Software updates that address this issue are or will be published at the following URL:
http://www.a10networks.com/support/axseries/software-downloads

Vulnerability Details

The following table gives a brief description of the issue addressed in this document.

Vulnerability ID    Vulnerability Description
A10-2020-0001       When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

Acknowledgements

None

Modification History
Revision    Date                          Description
1.0         Thursday, March 19th, 2020    Initial publication
2.0         Friday, July 23rd, 2021       Added mitigation for the 5.2.x release family


© Copyright 2020 A10 Networks, Inc. All Rights Reserved.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.