Cisco CSS Content Services Switch (CSS), SSL Services Module (SSLM), and ACE Application Control Engine (ACE) contain a vulnerability that could allow an authenticated, remote attacker to insert spoofed SSL headers into HTTP requests. The vulnerability exists because the affected products weakly enforce authority in HTTP certificate headers when performing SSL session termination. An authenticated, remote attacker could exploit this vulnerability by inserting spoofed SSL certificate headers into requests that are passed to the affected products for SSL termination. If successful, an attacker might be able to perform man-in-the-middle attacks, gaining access to sensitive information. Cisco has confirmed this vulnerability in software release notes and released updated software. This vulnerability could affect any CSS or SSLM installation, but could have a greater impact on installations configured to perform client certificate validation through the following configuration statement on the CSS: ssl-server < CONTEXT >http-header client-cert and the following ssl-proxy policy http-header configuration statement on the SSLM: client-cert. Ultimately, the impact of this vulnerability will depend on the applications behind an affected CSS device and how those devices handle the presence of multiple SSL headers throughout HTTP requests. If the applications process the last headers that appear in the request, they will receive those added by the CSS, but any other handling of SSL headers could result in the processing of the wrong headers.
Cisco CSS Content Services Switch (CSS), SSL Services Module (SSLM), and ACE Application Control Engine (ACE) contain a vulnerability that could allow an authenticated, remote attacker to insert spoofed SSL headers into HTTP requests.
The vulnerability exists because the affected products weakly enforce authority in HTTP certificate headers when performing SSL session termination. An authenticated, remote attacker could exploit this vulnerability by inserting spoofed SSL certificate headers into requests that are passed to the affected products for SSL termination. If successful, an attacker might be able to perform man-in-the-middle attacks, gaining access to sensitive information.
Cisco has confirmed this vulnerability in software release notes and released updated software.
This vulnerability could affect any CSS or SSLM installation, but could have a greater impact on installations configured to perform client certificate validation through the following configuration statement on the CSS: ssl-server < CONTEXT >http-header client-cert and the following ssl-proxy policy http-header configuration statement on the SSLM: client-cert.
Ultimately, the impact of this vulnerability will depend on the applications behind an affected CSS device and how those devices handle the presence of multiple SSL headers throughout HTTP requests. If the applications process the last headers that appear in the request, they will receive those added by the CSS, but any other handling of SSL headers could result in the processing of the wrong headers.
The CSS behavior is documented in Cisco bug ID CSCsz04690
Cisco thanks Virtual Security Research, LLC, George D. Gal researcher for reporting this issue.
This vulnerability affects Cisco CSS devices, SSLM, and ACE modules. SSL header insertion first appeared in version A2(3.0) for the ACE module; ACE appliances do not perform header insertion and are not affected.
CSS devices running version 8.10.6.03S or later, or 8.20.4.03S or later can be configured to first remove HTTP headers in requests before appending the CSS's own headers. The default configuration in these versions is not to remove these headers, but if configured with ssl pre-remove-http-hdr they are not affected.
On the CSS, the ssl-server < CONTEXT >http-header prefix < RANDOM_PREFIX > command will further secure the headers from the spoofing exposure by allowing a server administrator to define a random header prefix that will be prepended to new client certificates.
Usage and configuration of this command for the CSS is documented in the CSS Command Reference.
On the SSLM, the following ssl-proxy policy http-header configuration statement will insert a configured prefix that will be prepended to the SSLM-inserted headers: prefix
< prefix >. Also on the SSLM, the header names may be changed via the following ssl-proxy policy http-header configuration statement: alias < alias string > < header name >.
Use and configuration of this command for the SSLM are documented in the SSL Services Module Command Reference.
In addition, with CSS releases 8.20.4.03S and 8.10.6.03S, the following new command has been implemented: ssl pre-remove-http-hdr. This command will remove existing headers prior to inserting a new header. For example, if the software is configured for client certificate information, this command would cause existing client certificate headers to be removed and then the new headers would be inserted. Note that this functionality does not work with prefixes. The default behavior will continue to ignore headers before insertion. The no ssl pre-remove-http-hdr command reverts to default behavior. This command may impact CSS performance based on the number of headers present.
SSL header insertion was first implemented in the ACE module with version A2(3.0). SSL header insertion functionality does not exist in the ACE appliance.
The ACE module allows header deletion and rewrite as documented in the ACE Configuration Guide for software version A2(3.0).
Cisco customers can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
| Version | Description | Section | Status | Date |
| 1.0 | Initial Release | NA | Final | 2010-Jul-02 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
Vulmon