{"document":{
"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/357312#acknowledgements"]}],
"category":"CERT/CC Vulnerability Note",
"csaf_version":"2.0",
"notes":[
{"category":"summary","text":"### Overview\r\nHTTP web proxies and web accelerators that support HTTP/2 for an HTTP/1.1 backend webserver are vulnerable to HTTP Request Smuggling.\r\n\r\n### Description\r\nThe affected systems allow invalid characters such as carriage return and newline characters in HTTP/2 headers. When an attacker passes these invalid contents to a vulnerable system, the forwarded HTTP/1 request includes the unintended malicious data. This is commonly known as HTTP Request Splitting. In the case of HTTP web proxies, this vulnerability can lead to HTTP Request Smuggling, which enables an attacker to access protected internal sites.\r\n\r\n### Impact\r\nAn attacker can send a crafted HTTP/2 request with malicious content to bypass network security measures, thereby reaching internal protected servers and accessing sensitive data.\r\n\r\n### Solution\r\n#### Apply updates\r\nInstall vendor-provided patches and updates to ensure malicious HTTP/2 content is blocked or rejected as described in [RFC 7540 (Section 8.1.2.6)](https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.6) and [RFC 7540 (Section 10.3)](https://datatracker.ietf.org/doc/html/rfc7540#section-10.3). Both \"request\" and \"response\" should be inspected by the web proxy and rejected in accordance with Stream Error Handling as described in [RFC 7540 (Section 5.4.2)](https://datatracker.ietf.org/doc/html/rfc7540#section-5.4.2).\r\n\r\n#### Inspect and block anomalous HTTP/2 traffic\r\nIf HTTP/2 is not supported, block the protocol on the web proxies to avoid abuse of the HTTP/2 protocol. Where HTTP/2 is supported, enforce strict rules for HTTP header checks to ensure malicious headers are normalized or rejected.  \r\nChecks of this type include:\r\n* HTTP Headers with invalid Header name or value\r\n* HTTP Headers with invalid or no content-length\r\n* Unsupported or invalid HTTP methods\r\n\r\n#### Test and verify your web proxy\r\nScan your public web server proxy with OWASP recommended [tests](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling) to ensure your web servers are not vulnerable to abuse via HTTP response splitting.\r\n\r\n### Acknowledgements\r\nThanks to the reporter James Kettle of [PortSwigger](https://portswigger.net/research/http2) for the information about this vulnerability.\r\n\r\nThis document was written by Timur Snoke.","title":"Summary"},
{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},
{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details.","title":"Limitations of Advisory"},
{"category":"other","text":"The Imperva Security Research team is constantly analyzing new security exploits to ensure the highest quality of protection for our customers. Imperva has deployed a security update to our cloud platform to address an emerging issue around HTTP request splitting / request header injection over HTTP/2.","title":"Vendor statement from Imperva Inc."},
{"category":"other","text":"nginx HTTP/2 module checks '\\0', LF, CR and other invalid characters since the introduction.","title":"Vendor statement from Nginx"},
{"category":"other","text":"Barracuda has confirmed that our services are not affected by the proof of concept.","title":"Vendor statement from Barracuda Networks"},
{"category":"other","text":"Through testing, we have confirmed with the researcher that we are not vulnerable.","title":"Vendor statement from Fastly"},
{"category":"other","text":"Juniper products are not vulnerable to this issue.","title":"Vendor statement from Juniper Networks"},
{"category":"other","text":"Zscaler's web proxies do not yet support HTTP/2 connections.","title":"Vendor statement from Zscaler"},
{"category":"other","text":"We have confirmed that Menlo Security products are not affected by this vulnerability.","title":"Vendor statement from Menlo Security"},
{"category":"other","text":"A10 Networks is assessing the vulnerabilities surfaced by VU#357312.1 to determine whether A10 products are affected.","title":"Vendor statement from A10 Networks"},
{"category":"other","text":"ContentKeeper products and services are not affected by the vulnerability VU#357312.","title":"Vendor statement from ContentKeeper"},
{"category":"other","text":"Trend Micro has investigated this issue and has found that none of our products are affected.","title":"Vendor statement from Trend Micro"}
],
"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/","name":"CERT/CC","namespace":"https://kb.cert.org/"},
"references":[
{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},
{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/357312"},
{"url":"https://portswigger.net/research/request-smuggling","summary":"https://portswigger.net/research/request-smuggling"},
{"url":"https://datatracker.ietf.org/doc/html/rfc7540","summary":"https://datatracker.ietf.org/doc/html/rfc7540"},
{"url":"https://portswigger.net/research/http2","summary":"https://portswigger.net/research/http2"},
{"url":"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling","summary":"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling"},
{"url":"https://support.f5.com/csp/article/K27144609","summary":"Reference(s) from vendor \"F5 Networks Inc.\""},
{"url":"https://support.f5.com/csp/article/K97045220","summary":"Reference(s) from vendor \"F5 Networks Inc.\""},
{"url":"https://support.f5.com/csp/article/K63312282","summary":"Reference(s) from vendor \"F5 Networks Inc.\""},
{"url":"https://support.f5.com/csp/article/K30341203","summary":"Reference(s) from vendor \"F5 Networks Inc.\""}
],
"title":"HTTP Request Smuggling in Web Proxies",
"tracking":{"current_release_date":"2021-08-12T11:44:33+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#357312","initial_release_date":"2021-08-06 12:23:44.237148+00:00","revision_history":[{"date":"2021-08-12T11:44:33+00:00","number":"1.20210812114433.3","summary":"Released on 2021-08-12T11:44:33+00:00"}],"status":"final","version":"1.20210812114433.3"}
},
"vulnerabilities":[
{"title":"This is an HTTP response splitting vulnerability in web proxies, and affects systems configured to terminate HTTP/2 requests before forwarding them to backend web servers via HTTP/1.",
"notes":[{"category":"summary","text":"This is an HTTP response splitting vulnerability in web proxies, and affects systems configured to terminate HTTP/2 requests before forwarding them to backend web servers via HTTP/1.1. The affected systems allow carriage return and newline characters in HTTP/2 headers. These carriage return and newline characters are inserted directly in outbound HTTP/1.1 requests, which results in HTTP response splitting."}],
"ids":[{"system_name":"CERT/CC V Identifier","text":"VU#357312"}],
"product_status":{
"known_affected":["CSAFPID-91a0d5c0-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a4ea16-39d8-11f1-8422-122e2785dc9f"],
"known_not_affected":["CSAFPID-91a11a76-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a15d1a-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a1fb12-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a2472a-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a275ec-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a2a3e6-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a2d82a-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a34742-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a3d64e-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a4086c-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a46a46-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a49a8e-39d8-11f1-8422-122e2785dc9f","CSAFPID-91a4c298-39d8-11f1-8422-122e2785dc9f"]
}}
],
"product_tree":{"branches":[
{"category":"vendor","name":"Imperva Inc.","product":{"name":"Imperva Inc. Products","product_id":"CSAFPID-91a0d5c0-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Nginx","product":{"name":"Nginx Products","product_id":"CSAFPID-91a11a76-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Sophos","product":{"name":"Sophos Products","product_id":"CSAFPID-91a15d1a-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Google","product":{"name":"Google Products","product_id":"CSAFPID-91a1a266-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Barracuda Networks","product":{"name":"Barracuda Networks Products","product_id":"CSAFPID-91a1fb12-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Fastly","product":{"name":"Fastly Products","product_id":"CSAFPID-91a2472a-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Cloudflare","product":{"name":"Cloudflare Products","product_id":"CSAFPID-91a275ec-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Juniper Networks","product":{"name":"Juniper Networks Products","product_id":"CSAFPID-91a2a3e6-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Qualys","product":{"name":"Qualys Products","product_id":"CSAFPID-91a2d82a-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Zscaler","product":{"name":"Zscaler Products","product_id":"CSAFPID-91a30bb0-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Menlo Security","product":{"name":"Menlo Security Products","product_id":"CSAFPID-91a34742-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-91a38932-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Akamai Technologies Inc.","product":{"name":"Akamai Technologies Inc. Products","product_id":"CSAFPID-91a3d64e-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"McAfee","product":{"name":"McAfee Products","product_id":"CSAFPID-91a4086c-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"A10 Networks","product":{"name":"A10 Networks Products","product_id":"CSAFPID-91a4338c-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"ContentKeeper","product":{"name":"ContentKeeper Products","product_id":"CSAFPID-91a46a46-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Trend Micro","product":{"name":"Trend Micro Products","product_id":"CSAFPID-91a49a8e-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"Citrix","product":{"name":"Citrix Products","product_id":"CSAFPID-91a4c298-39d8-11f1-8422-122e2785dc9f"}},
{"category":"vendor","name":"F5 Networks Inc.","product":{"name":"F5 Networks Inc. Products","product_id":"CSAFPID-91a4ea16-39d8-11f1-8422-122e2785dc9f"}}
]}}