search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Multiple networking devices fail to set the "Secure" attribute of a cookie

Vulnerability Note VU#546483

Original Release Date: 2004-10-12 | Last Revised: 2007-09-07

Overview

Multiple vendors' networking devices fail to set the "Secure" cookie attribute and could disclose sensitive information about a user's HTTP session.

Description

Many networking devices provide a built-in web server, which may support the HTTPS protocol. When a user logs into the device with a username/password via HTTP, a cookie may be stored for that session by the web application. When storing this cookie, the "Secure" attribute should be set so that the user-agent only sends this cookie over secure connections (i.e., HTTPS).

Section 4.2.2 of RFC2109 describes the syntax for the "Set-Cookie" response header. The "Secure" property is described in RFC 2109 as follows:

The Secure attribute (with no value) directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie.

The user agent (possibly under the user's control) may determine what level of security it considers appropriate for "secure" cookies. The Secure attribute should be considered security advice from the server to the user agent, indicating that it is in the session's interest to protect the cookie contents.

As stated in the RFC, the "Secure" attribute is optional.

There is a vulnerability in the way some networking devices store cookies on a user's system. If the "Secure" attribute is not set, the user-agent would have no indication that the contents of that cookie may contain sensitive information. If a cookie was created using a session over HTTPS and was subsequently used for an HTTP session, it would be possible for the contents of the cookie to be transmitted in plaintext. This may potentially reveal sensitive information to intruders capable of sniffing packets on that network segment.

To determine if your device sets the "Secure" attribute, you can do the following:

    1. Configure the device so that it requires a user to log in through the web interface using a username and password.
    2. In the web browser settings, make sure that you are prompted when a cookie is about to be stored on your system.
    3. Log in to the device via "https://....".
    4. When prompted that a cookie will be saved to your system, confirm if the "Secure" attribute is set on the dialog for confirming cookies.

    Impact

    An attacker capable of sniffing packets on the same network segment as the vulnerable device could obtain sensitive information about the user's HTTP session. This could lead to inappropriate access to vulnerable network devices.

    Solution

    Patch or UpgradeApply a patch or upgrade from your vendor. For information about a specific vendor, check the "Systems Affected" section of this document or contact your vendor directly.

    Vendor Information

    546483
     
    Affected   Unknown   Unaffected

    F5 Networks, Inc.

    Notified:  September 02, 2004 Updated:  February 04, 2005

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    CERT/CC has received the following unverified message from F5 Networks concerning this issue:


      F5 has released a patch for BIG-IP v4.6.2 to address this issue.

      If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Nortel Networks, Inc.

    Updated:  October 08, 2004

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.


    CVSS Metrics

    Group Score Vector
    Base N/A N/A
    Temporal N/A N/A
    Environmental N/A

    References

    Acknowledgements

    Our thanks to Hiromitsu Takagi of the National Institute of Advanced Industrial Science and Technology (AIST) Japan for discovering the vulnerability. We also thank JPCERT/CC for brining this vulnerability to our attention.

    This document was written by Damon Morda.

    Other Information

    CVE IDs: CVE-2004-0462
    Severity Metric: 4.75
    Date Public: 2004-10-12
    Date First Published: 2004-10-12
    Date Last Updated: 2007-09-07 20:36 UTC
    Document Revision: 27

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.