Multiple vendors' networking devices fail to set the "Secure" cookie attribute and could disclose sensitive information about a user's HTTP session.
Many networking devices provide a built-in web server, which may support the HTTPS protocol. When a user logs into the device with a username/password via HTTP, a cookie may be stored for that session by the web application. When storing this cookie, the "Secure" attribute should be set so that the user-agent only sends this cookie over secure connections (i.e., HTTPS).
Section 4.2.2 of RFC 2109 describes the syntax for the "Set-Cookie" response header. The "Secure" property is described in RFC 2109 as follows:
An attacker capable of sniffing packets on the same network segment as the vulnerable device could obtain sensitive information about the user's HTTP session. This could lead to inappropriate access to vulnerable network devices.
Patch or Upgrade
Apply a patch or upgrade from your vendor. For information about a specific vendor, check the "Systems Affected" section of this document or contact your vendor directly.
Our thanks to Hiromitsu Takagi of the National Institute of Advanced Industrial Science and Technology (AIST) Japan for discovering the vulnerability. We also thank JPCERT/CC for bringing this vulnerability to our attention.
This document was written by Damon Morda.
Date First Published: 2004-10-12
Date Last Updated: 2007-09-07 20:36 UTC