
CERT Advisory VU#435052: An Architectural Flaw Involving Transparent Proxies

For the past year, in my spare time, I've been researching a flaw involving transparent proxies, and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet, NOW is the time to patch (details of affected vendors are in the CERT advisory).

I will be publishing a comprehensive document at a later time outlining additional behaviors not discussed in the CERT advisory. Stay Tuned....

CERT Advisory: http://www.kb.cert.org/vuls/id/435052



Doesn't this vulnerability only apply where the proxy (1) makes connection decisions based on the HTTP header info, but (2) makes the actual connection based on the original destination IP of the intercepted packet?

Where the destination of the onward connection is also based on the header information, there is no vulnerability.
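The two proxy behaviours Rich contrasts above, written out as an added example (mine, not code from this post, CERT, or any affected vendor): a decision routine that authorizes on the HTTP Host header but opens the upstream connection to the intercepted packet's original destination IP, beside a corrected routine that derives the upstream address from the Host header and refuses when the two disagree. The allow-list, the static resolver table and every address are constructed for the example.

```python
import ipaddress

# Constructed sample data (not from the advisory): a hostname allow-list and a
# tiny static "DNS" table standing in for the proxy's real resolver.
ALLOWED_HOSTS = {"www.example.com"}
DNS_TABLE = {"www.example.com": "203.0.113.10"}  # TEST-NET-3 documentation range

# RFC 1918 ranges; anything the proxy can reach here is the intranet exposure
# the advisory is about.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def policy_allows(host_header: str) -> bool:
    """Policy decision made on the HTTP Host header alone."""
    return host_header.lower() in ALLOWED_HOSTS


def flawed_upstream(host_header: str, orig_dst_ip: str):
    """Flawed pattern: authorize on the Host header, then connect to the
    packet's original destination IP without relating the two.
    Returns the IP the proxy would connect to, or None when denied."""
    if not policy_allows(host_header):
        return None
    return orig_dst_ip  # never compared with what the Host header names


def hardened_upstream(host_header: str, orig_dst_ip: str):
    """Mitigated pattern: the upstream address comes from resolving the Host
    header, the request is denied when that disagrees with the intercepted
    destination, and internal addresses are never proxied."""
    if not policy_allows(host_header):
        return None
    resolved = DNS_TABLE.get(host_header.lower())
    if resolved is None or resolved != orig_dst_ip:
        return None  # Host header and destination IP disagree: deny
    if any(ipaddress.ip_address(resolved) in net for net in INTERNAL_NETS):
        return None  # would land on the intranet: deny
    return resolved
```

Logging the denied mismatches from the hardened routine is also a cheap detection signal for clients probing the proxy this way.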

Hello Rich,

I will be releasing a paper sometime in March which outlines this exact question. I'm hesitant to provide too many details at this stage in order to provide additional time for vendors to address the issue (Note: I am not trying to 'hype' this bug up as many others in the industry tend to do). The vendors that I've personally spoken with acknowledge this issue.

I will disclose that I have created a Flash POC (which I will not be releasing as it serves no positive purpose) demonstrating this abusive behavior. If your transparent proxy is located on your internal network, then this flash will be able to access anything the proxy has access to.

Sorry if I'm being vague, I hope you understand.