
CERT Coordination Center


CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

Vulnerability Note VU#797896

Original Release Date: 2016-07-18 | Last Revised: 2016-07-19

Overview

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.

Description

CWE-807: Reliance on Untrusted Inputs in a Security Decision, CWE-454: External Initialization of Trusted Variables or Data Stores

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior results from the meta-variable naming convention defined in RFC 3875 (CGI/1.1), which produces a name collision: "The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name." A client-supplied Proxy header therefore becomes HTTP_PROXY, the same variable name that many HTTP client libraries read to discover an outbound proxy.

According to the researchers, a web server is vulnerable if:

    1. A web server, programming language or framework (and in some limited situations the application itself) sets the environment variable HTTP_PROXY from the user-supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environment variable).
    2. A web application makes use of HTTP_PROXY or a similar variable unsafely (e.g. fails to check the request type), resulting in an attacker-controlled proxy being used (essentially when HTTP_PROXY is actually used unsafely).

    By sending a specially crafted request to a vulnerable server, a remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts. For more information, refer to httpoxy.org.

    Impact

    A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.

    Solution

    Apply an update

    Where applicable, affected products and components should be updated to address this vulnerability. Check with vendors for information about patching.

    Where patches are unavailable or updating is not an option, consider the following workarounds.

    Filter Proxy request headers

    The researchers and community have identified several filtering strategies that are product-dependent:

    Apache/CGI

    In this configuration, any language may be vulnerable (the HTTP_PROXY env var is "real", i.e. an actual process environment variable). If you are using mod_headers, you can unset the "Proxy" header with this directive:

          RequestHeader unset Proxy

    If you are using mod_security, you can use a rule like the following (vary the action to taste; the trailing backslash continues the SecRule directive onto the next line):
          SecRuleEngine On
          SecRule &REQUEST_HEADERS:Proxy "@gt 0" \
              "id:1000005,log,deny,msg:'httpoxy denied'"

    Refer to Apache's response for more information.

    HAProxy

          http-request del-header Proxy

    lighttpd <= 1.4.40 (reject requests containing "Proxy" header)

    Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
          if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
    Modify lighttpd.conf to load mod_magnet and run the Lua code:
          server.modules += ( "mod_magnet" )
          magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

    lighttpd2 (development) (strip "Proxy" header from request)

    Add to lighttpd.conf:
          req_header.remove "Proxy";

    Nginx/FastCGI

    Use this to block the Proxy header from being passed on to PHP-FPM, PHP-PM, etc. (an empty value means the meta-variable is not set in the FastCGI environment):
          fastcgi_param HTTP_PROXY "";

    Nginx with proxy_pass

    The following setting should work for people who are using "proxy_pass" with nginx (an empty value causes nginx to drop the header from the upstream request):

          proxy_set_header Proxy "";


    Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks:

    Microsoft IIS Mitigation steps:

    Update apphost.config with the following rule:

      <system.webServer>
          <rewrite>
              <rules>
                  <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
                      <match url="*.*" />
                      <serverVariables>
                          <set name="HTTP_PROXY" value="" />
                      </serverVariables>
                      <action type="None" />
                  </rule>
              </rules>
          </rewrite>
      </system.webServer>
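    The two conditions from the Description and the header-filtering workarounds above, modelled in Python as an added example (not code from the advisory or from any of the listed vendors). The header names, the hostile Proxy value and the proxy URL are constructed sample data; build_cgi_environ applies the RFC 3875 naming rule and drops the Proxy header the way the listed directives do, and effective_http_proxy is one way to satisfy condition 2 by refusing HTTP_PROXY when the environment is clearly a CGI request.

```python
"""Model of the httpoxy name collision and of the two defensive checks."""
from typing import Dict, Iterable, Optional

# Constructed sample request headers, as a CGI gateway would receive them.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "app.example",
    "User-Agent": "curl/7.0",
    "Proxy": "proxy.invalid:8080",        # constructed hostile header value
    "X-Forwarded-For": "203.0.113.5",
}


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875 rule: upper-case the name, map '-' to '_', prepend 'HTTP_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_environ(headers: Dict[str, str],
                      request_method: str = "GET",
                      drop_headers: Iterable[str] = ("Proxy",)) -> Dict[str, str]:
    """Populate CGI meta-variables from request headers.

    drop_headers plays the role of the workarounds in the advisory
    (RequestHeader unset Proxy, http-request del-header Proxy,
    fastcgi_param HTTP_PROXY ""): the header is discarded before it can
    become an environment variable, so condition 1 is never met.
    """
    blocked = {name.lower() for name in drop_headers}
    environ = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": request_method}
    for name, value in headers.items():
        if name.lower() in blocked:
            continue
        environ[cgi_meta_variable(name)] = value
    return environ


def effective_http_proxy(environ: Dict[str, str]) -> Optional[str]:
    """Return the proxy an HTTP client may honour, or None.

    Condition 2 is met only when HTTP_PROXY is used without checking the
    request context. REQUEST_METHOD is always present under CGI, so when
    it is set HTTP_PROXY is request-derived rather than operator-configured
    and must be ignored (this is the illustrative check, not any vendor's).
    """
    if "REQUEST_METHOD" in environ:
        return None
    return environ.get("HTTP_PROXY")


def httpoxy_exposed(headers: Dict[str, str], filter_proxy_header: bool) -> bool:
    """True if a client that trusts HTTP_PROXY unconditionally would be redirected."""
    drop = ("Proxy",) if filter_proxy_header else ()
    return "HTTP_PROXY" in build_cgi_environ(headers, drop_headers=drop)


if __name__ == "__main__":
    for filtered in (False, True):
        print("Proxy header filtered:", filtered,
              "-> naive client exposed:", httpoxy_exposed(SAMPLE_HEADERS, filtered))
    unfiltered = build_cgi_environ(SAMPLE_HEADERS, drop_headers=())
    print("context-aware client honours proxy:", effective_http_proxy(unfiltered))
```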

    Vendor Information


    Apache HTTP Server Project

    Notified:  July 12, 2016 Updated:  July 18, 2016

    Statement Date:   July 14, 2016

    Status

      Affected

    Vendor Statement

    The Apache Software Foundation has discovered no examples of condition 2 described in the [redacted] report, and has determined there is no "vulnerability" per se in ASF software, which conforms to both RFC822 (circa 1982) and the CGI/1.1 de facto standard (circa 1995, superseded by the CGI/1.1 IANA spec RFC 3875).

    Several ASF projects participate in HTTP requests in the manners described under condition 1. The list of projects that will offer one or more mitigations includes but is not limited to:

    Apache HTTP Server (httpd) (Tracked as CVE-2016-5387)
    Apache Tomcat Server (Tracked as CVE-2016-5388)
    Apache Traffic Server (ATS) (Tracking is not applicable)

    Projects and subprojects impacted by the Apache HTTP Server mitigations will include mod_fcgid (Apache HTTP Project) and mod_perl (Apache Perl Project), as well as external projects such as mod_wsgi, all hopefully under CVE-2016-5387.

    Note specifically that any CVE related to mod_fcgi[d] must be ignored, as it duplicates CVE-2016-5387. We have not reached a conclusion on separate tracking that might be unique to mod_perl itself (thus far, it also appears to duplicate -5387.)

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vendor References

    http://www.apache.org/security/asf-httpoxy-response.txt

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Go Programming Language

    Updated:  July 18, 2016

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    CVE-2016-5386

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    HAProxy

    Updated:  July 13, 2016

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    HHVM

    Updated:  July 18, 2016

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    CVE-2016-1000109

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Microsoft Corporation

    Notified:  July 12, 2016 Updated:  July 13, 2016

    Status

      Affected

    Vendor Statement

    If you have installed PHP or any other third party framework on top of IIS, we recommend applying mitigation steps to protect from malicious Redirection or MiM attacks.

    Mitigation:

    Update apphost.config with the following rule:

    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
                    <match url="*.*" />
                    <serverVariables>
                        <set name="HTTP_PROXY" value="" />
                    </serverVariables>
                    <action type="None" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Python

    Updated:  July 18, 2016

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    CVE-2016-1000110

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    The PHP Group

    Updated:  July 18, 2016

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    CVE-2016-5385

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    lighttpd

    Updated:  July 19, 2016

    Statement Date:   July 19, 2016

    Status

      Affected

    Vendor Statement

    Mitigation of httpoxy is available in lighttpd.


    Mitigation:

    lighttpd <= 1.4.40 (reject requests containing "Proxy" header)


    * Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
    if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

    * Modify lighttpd.conf to load mod_magnet and run lua code
    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

    lighttpd2 (development) (strip "Proxy" header from request)
    * Add to lighttpd.conf: req_header.remove "Proxy";


    Reference:

    * The lighttpd 1.4 repository contains a fix on the git master branch to strip the "Proxy" header, and the commit message below contains the above mitigation steps for lighttpd 1.4.x: https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vendor References

    https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    nginx

    Updated:  July 13, 2016

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    EfficientIP SAS

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Statement Date:   July 12, 2016

    Status

      Not Affected

    Vendor Statement

    Please find EfficientIP's status regarding VU#797896:

    Vendor: EfficientIP
    Status: Not Affected
    Statement: No version of our software is affected by VU#797896

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    ACCESS

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    ARRIS

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    AT&T

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Alcatel-Lucent

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Apple

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Arista Networks, Inc.

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Aruba Networks

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Avaya, Inc.

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Belkin, Inc.

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Blue Coat Systems

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    CA Technologies

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    CentOS

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Check Point Software Technologies

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Cisco

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    CoreOS

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    D-Link Systems, Inc.

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Debian GNU/Linux

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    DesktopBSD

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    DragonFly BSD Project

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    EMC Corporation

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Enterasys Networks

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Ericsson

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Extreme Networks

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    F5 Networks, Inc.

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Fedora Project

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Force10 Networks

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    FreeBSD Project

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Gentoo Linux

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Google

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Hardened BSD

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Hewlett Packard Enterprise

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Hitachi

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Huawei Technologies

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    IBM Corporation

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Infoblox

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Intel Corporation

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Internet Systems Consortium

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Internet Systems Consortium - DHCP

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Juniper Networks

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Lenovo

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    McAfee

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    NEC Corporation

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    National Center for Supercomputing Applications

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    NetBSD

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Nokia

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Nominum

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    OmniTI

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    OpenBSD

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    OpenDNS

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Openwall GNU/*/Linux

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Oracle Corporation

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Peplink

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Polycom

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Q1 Labs

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    QNX Software Systems Inc.

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Red Hat, Inc.

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Ricoh Company Ltd.

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Rockwell Automation

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Ruby

    Updated:  July 18, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    SUSE Linux

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    SafeNet

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Secure64 Software Corporation

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Slackware Linux Inc.

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    SmoothWall

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Snort

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Sony Corporation

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Sourcefire

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Symantec

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    TippingPoint Technologies Inc.

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Turbolinux

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Ubuntu

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Unisys

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    VMware

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    Wind River

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    dnsmasq

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    m0n0wall

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    openSUSE project

    Notified:  July 12, 2016 Updated:  July 12, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    CVSS Metrics

    Group          Score  Vector
    Base           5.1    AV:N/AC:H/Au:N/C:P/I:P/A:P
    Temporal       4.6    E:POC/RL:ND/RC:C
    Environmental  1.1    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

    References

    Credit

    Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability.

    This document was written by Joel Land.

    Other Information

    CVE IDs: CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388, CVE-2016-1000109, CVE-2016-1000110
    Date Public: 2016-07-18
    Date First Published: 2016-07-18
    Date Last Updated: 2016-07-19 17:04 UTC
    Document Revision: 65

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.