US-CERT

Vulnerability Note VU#546483

Multiple networking devices fail to set the "Secure" attribute of a cookie

Overview

Multiple vendors' networking devices fail to set the "Secure" cookie attribute and could disclose sensitive information about a user's HTTP session.

I. Description

Many networking devices provide a built-in web server, which may support the HTTPS protocol. When a user logs into the device with a username/password via HTTP, a cookie may be stored for that session by the web application. When storing this cookie, the "Secure" attribute should be set so that the user-agent only sends this cookie over secure connections (i.e., HTTPS).

Section 4.2.2 of RFC 2109 describes the syntax for the "Set-Cookie" response header. The "Secure" property is described in RFC 2109 as follows:

    The Secure attribute (with no value) directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie.

    The user agent (possibly under the user's control) may determine what level of security it considers appropriate for "secure" cookies. The Secure attribute should be considered security advice from the server to the user agent, indicating that it is in the session's interest to protect the cookie contents.

As stated in the RFC, the "Secure" attribute is optional.

There is a vulnerability in the way some networking devices store cookies on a user's system. If the "Secure" attribute is not set, the user-agent would have no indication that the contents of that cookie may contain sensitive information. If a cookie was created using a session over HTTPS and was subsequently used for an HTTP session, it would be possible for the contents of the cookie to be transmitted in plaintext. This may potentially reveal sensitive information to intruders capable of sniffing packets on that network segment.

To determine if your device sets the "Secure" attribute, you can do the following:
  1. Configure the device so that it requires a user to log in through the web interface using a username and password.
  2. In the web browser settings, make sure that you are prompted when a cookie is about to be stored on your system.
  3. Log in to the device via "https://....".
  4. When prompted that a cookie will be saved to your system, confirm if the "Secure" attribute is set on the dialog for confirming cookies.

II. Impact

An attacker capable of sniffing packets on the same network segment as the vulnerable device could obtain sensitive information about the user's HTTP session. This could lead to inappropriate access to vulnerable network devices.

III. Solution

Patch or Upgrade

Apply a patch or upgrade from your vendor. For information about a specific vendor, check the "Systems Affected" section of this document or contact your vendor directly.

Systems Affected

Vendor   Status   Date Notified   Date Updated
F5 Networks, Inc.   Unknown   4-Feb-2005
Nortel Networks, Inc.   Unknown   8-Oct-2004

References


http://www.ietf.org/rfc/rfc2109.txt

Credit

Our thanks to Hiromitsu Takagi of the National Institute of Advanced Industrial Science and Technology (AIST) Japan for discovering the vulnerability. We also thank JPCERT/CC for bringing this vulnerability to our attention.

This document was written by Damon Morda.

Other Information

Date Public: 2004-10-12
Date First Published: 2004-10-12
Date Last Updated: 2007-09-07
CERT Advisory: 
CVE-ID(s): CVE-2004-0462
NVD-ID(s): CVE-2004-0462
US-CERT Technical Alerts: 
Metric: 4.75
Document Revision: 27

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2004 Carnegie Mellon University