Multiple networking devices fail to set the "Secure" attribute of a cookie
Vulnerability Note VU#546483
Original Release Date: 2004-10-12 | Last Revised: 2007-09-07
Multiple vendors' networking devices fail to set the "Secure" cookie attribute and could disclose sensitive information about a user's HTTP session.
Many networking devices provide a built-in web server, which may support the HTTPS protocol. When a user logs into the device with a username/password via HTTP, a cookie may be stored for that session by the web application. When storing this cookie, the "Secure" attribute should be set so that the user-agent only sends this cookie over secure connections (i.e., HTTPS).
Section 4.2.2 of RFC2109 describes the syntax for the "Set-Cookie" response header. The "Secure" property is described in RFC 2109 as follows:
The Secure attribute (with no value) directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie. The user agent (possibly under the user's control) may determine what level of security it considers appropriate for "secure" cookies. The Secure attribute should be considered security advice from the server to the user agent, indicating that it is in the session's interest to protect the cookie contents. As stated in the RFC, the "Secure" attribute is optional.
There is a vulnerability in the way some networking devices store cookies on a user's system. If the "Secure" attribute is not set, the user-agent would have no indication that the contents of that cookie may contain sensitive information. If a cookie was created using a session over HTTPS and was subsequently used for an HTTP session, it would be possible for the contents of the cookie to be transmitted in plaintext. This may potentially reveal sensitive information to intruders capable of sniffing packets on that network segment.
To determine if your device sets the "Secure" attribute, you can do the following:
Configure the device so that it requires a user to log in through the web interface using a username and password.
In the web browser settings, make sure that you are prompted when a cookie is about to be stored on your system.
Log in to the device via "https://....".
When prompted that a cookie will be saved to your system, confirm if the "Secure" attribute is set on the dialog for confirming cookies.
An attacker capable of sniffing packets on the same network segment as the vulnerable device could obtain sensitive information about the user's HTTP session. This could lead to inappropriate access to vulnerable network devices.
Patch or UpgradeApply a patch or upgrade from your vendor. For information about a specific vendor, check the "Systems Affected" section of this document or contact your vendor directly.
Our thanks to Hiromitsu Takagi of the National Institute of Advanced Industrial Science and Technology (AIST) Japan for discovering the vulnerability. We also thank JPCERT/CC for brining this vulnerability to our attention.