
CERT Coordination Center

HTTP CONNECT and 407 Proxy Authentication Required messages are not integrity protected

Vulnerability Note VU#905344

Original Release Date: 2016-08-15 | Last Revised: 2018-04-04

Overview

HTTP CONNECT requests and 407 Proxy Authentication Required messages are not integrity protected and are susceptible to man-in-the-middle attacks. WebKit-based applications are additionally vulnerable to arbitrary HTML markup and JavaScript execution in the context of the originally requested domain.

Description

Web browsers and operating systems making an HTTPS request via a proxy server are vulnerable to man-in-the-middle (MITM) attacks against HTTP CONNECT requests and proxy response messages. HTTP CONNECT requests are made in clear text over HTTP, meaning an attacker in a position to modify proxy traffic may force the use of 407 Proxy Authentication Required responses to phish for credentials.

WebKit-based clients are vulnerable to additional vectors because HTML markup and JavaScript in the proxy response are rendered by the client Document Object Model (DOM) in the context of the originally requested HTTPS domain.
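As an added example (not code from the CERT note or from the FalseCONNECT research), the following Python models the client-side handling of a proxy's reply to CONNECT that a hardened client would apply: open the tunnel only on a 2xx status, honour a 407 only when proxy credentials were configured ahead of time and the challenge scheme matches, and treat the body of any non-2xx reply as opaque bytes that are never rendered. The three sample replies are constructed for this example.

```python
# Defensive parser and policy for the proxy's reply to an HTTP CONNECT request.
# It removes the two client-side vectors described above:
#   * no on-the-spot credential prompt: a 407 is only acted on with
#     credentials the user configured beforehand, never by asking the user;
#   * no rendering: the body of a non-2xx reply is kept as raw bytes, so any
#     markup or script in it cannot run in the requested HTTPS origin.
# Caveat: because CONNECT itself is cleartext, even a configured Basic
# credential retry still crosses the network unprotected; this policy does not
# add integrity, which is why the note also advises avoiding untrusted networks.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ConnectReply:
    status: int
    reason: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_connect_reply(raw: bytes) -> ConnectReply:
    """Parse 'HTTP/1.x <status> <reason>' and headers; the body stays raw bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line")
    reason = parts[2] if len(parts) == 3 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return ConnectReply(int(parts[1]), reason, headers, body)


def decide(reply: ConnectReply, configured_auth: Optional[str]) -> str:
    """Return 'tunnel', 'retry-with-configured-credentials' or 'abort'.

    configured_auth is the scheme the user pre-configured for this proxy
    ('basic', 'digest', 'negotiate', ...) or None. The function never asks the
    user for credentials and never hands the body to a renderer.
    """
    if 200 <= reply.status < 300:
        return "tunnel"
    if reply.status == 407:
        scheme = reply.headers.get("proxy-authenticate", "").split(" ", 1)[0].lower()
        if configured_auth and scheme == configured_auth:
            return "retry-with-configured-credentials"
        return "abort"  # unsolicited or mismatched challenge: treat as hostile
    return "abort"


def looks_like_injected_page(reply: ConnectReply) -> bool:
    """Log-worthy heuristic: a 407 carrying renderable HTML is unusual for a
    CONNECT exchange and is exactly the WebKit rendering vector above."""
    ctype = reply.headers.get("content-type", "").lower()
    body = reply.body.lower()
    return reply.status == 407 and ("text/html" in ctype or b"<script" in body or b"<html" in body)


# Constructed sample replies (not captured traffic).
OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
PHISH_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Proxy-Authenticate: Basic realm=\"corp-proxy\"\r\n"
             b"Content-Type: text/html\r\n\r\n"
             b"<html><body>Please sign in<script>/* injected */</script></body></html>")
NO_CHALLENGE_407 = b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("ok", OK), ("phish", PHISH_407), ("bare407", NO_CHALLENGE_407)):
        r = parse_connect_reply(raw)
        print(name, r.status, decide(r, configured_auth=None), looks_like_injected_page(r))
```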

For more information, refer to the FalseCONNECT website.

Impact

An attacker in a position to control HTTP CONNECT requests and proxy responses can conduct MITM attacks, which may include credential phishing and, where vulnerable WebKit-based clients are involved, arbitrary HTML and JavaScript injection.

Solution

Apply an update

Check with affected software vendors and apply an update, if available. Those unable or unwilling to apply an update should consider the following workarounds.

Avoid untrusted networks

Avoid using proxy-configured clients while connected to untrusted networks, including public WiFi. Using a proxy-configured client on an untrusted network increases the chance of falling victim to a MITM attack.

Disable proxy configuration settings

If use of proxy auto-configuration (PAC) or web proxy auto-discovery (WPAD) is not required, consider disabling them.

Vendor Information


Apple

Notified:  June 17, 2016 Updated:  April 04, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

WebKit and WebKit-based applications and browsers are affected. Apple has assigned CVE-2016-4642, CVE-2016-4643, and CVE-2016-4644, as described in the HT206905 security bulletin. CVE-2016-7579 is described in the HT207271 bulletin.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  June 17, 2016 Updated:  November 08, 2016

Status

  Affected

Vendor Statement

Please see the reference linked below.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Opera

Notified:  June 17, 2016 Updated:  August 11, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation

Notified:  June 17, 2016 Updated:  October 21, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Oracle has notified the CERT/CC that the vulnerabilities are addressed in the October 2017 Critical Patch Update, linked below.

Vendor References

Addendum

Java SE is affected. Oracle has assigned CVE-2016-5597.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lenovo

Notified:  June 17, 2016 Updated:  August 01, 2016

Statement Date:   July 28, 2016

Status

  Not Affected

Vendor Statement

Lenovo products are not affected by this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc.

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Belkin, Inc.

Notified:  July 28, 2016 Updated:  July 28, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CentOS

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Cisco

Notified:  July 28, 2016 Updated:  July 28, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CoreOS

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Debian GNU/Linux

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DesktopBSD

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DragonFly BSD Project

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EMC Corporation

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

F5 Networks, Inc.

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Fedora Project

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

FreeBSD Project

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Gentoo Linux

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Google

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hardened BSD

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hewlett Packard Enterprise

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hitachi

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM Corporation

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Juniper Networks

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Mocana

Notified:  July 28, 2016 Updated:  July 28, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Mozilla

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NEC Corporation

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NetBSD

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nokia

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OmniTI

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OpenBSD

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Openwall GNU/*/Linux

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QNX Software Systems Inc.

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Red Hat, Inc.

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SAP

Notified:  July 28, 2016 Updated:  July 28, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SUSE Linux

Notified:  June 17, 2016 Updated:  July 19, 2016

Statement Date:   July 18, 2016

Status

  Unknown

Vendor Statement

SUSE may include fixes for this issue in future updates to SLE or openSUSE packages when they become available from projects implementing GUI http user agents.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sony Corporation

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Synology

Notified:  July 28, 2016 Updated:  July 28, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Turbolinux

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ubuntu

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Unisys

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

m0n0wall

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

openSUSE project

Notified:  June 17, 2016 Updated:  June 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References



CVSS Metrics

Group         Score  Vector
Base          4.3    AV:A/AC:M/Au:N/C:P/I:P/A:N
Temporal      3.4    E:POC/RL:OF/RC:C
Environmental 3.4    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Jerry Decime for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: None
Date Public: 2016-08-15
Date First Published: 2016-08-15
Date Last Updated: 2018-04-04 18:12 UTC
Document Revision: 34

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.