search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

SurfControl SuperScout does not filter web requests fragmented in multiple packets

Vulnerability Note VU#139315

Original Release Date: 2002-08-09 | Last Revised: 2002-08-09

Overview

SurfControl SuperScout Web Filter does not block some HTTP requests that have been fragmented into multiple packets.

Description

SurfControl SuperScout Web Filter is software intended for companies that wish to limit employees' web surfing to appropriate uses. SuperScout anazlyzes individual packets that contain an HTTP GET request and a "Host:" header to determine whether an HTTP request to an inappropriate Web site is being made. SuperScout does not keep state of previous packets. Therefore, it will not block HTTP GET requests if the "Host:" header appears in a separate packet.

Impact

Users can bypass SuperScout filtering and access blocked Web content.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

None.

Vendor Information

139315
 
Expand all

SurfControl Affected

Notified:  December 20, 2001 Updated: February 26, 2002

Status

Affected

Vendor Statement

"We've addressed the vulnerability where blocking doesn't occur with the host header not being present.

"The vulnerability used to be present in one of our products: SuperScout Web Filter Win NT/2000 (our Pass-By, passive Ethernet technology).

"Our fix for this behavior is to rely on IP address to continue the block, when the host header is missing. This does not work, however, in a "Hosted" environment, where many different domains are served from the same IP. But, for the majority of our customers this will address the problem. The fix was introduced with version 4, released for general availability on October 15, 2001.

"Bare in mind that this vulnerability is only active for one of our SuperScout Web Filter (Pass-By for Win NT/2000 ). For our other SuperScout Web Filter brands that are based on Pass-Through architecture, the split packet vulnerability is not present. The SuperScout Web Filter products that are NOT affected are:
SuperScout Web Filter - for Microsoft Proxy
SuperScout Web Filter - for Microsoft ISA Server
SuperScout Web Filter - for Checkpoint FW-1/VPN-1 (Windows NT, Solaris, &
Linux)
SuperScout Web Filter VS(Velocity Server) - (Windows NT, Solaris, & Linux)"

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.securitytracker.com/alerts/2001/Jun/1001801.html

Acknowledgements

Thanks to Security Tracker for publishing an article on this issue.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 0.30
Date Public: 2001-06-21
Date First Published: 2002-08-09
Date Last Updated: 2002-08-09 00:30 UTC
Document Revision: 21

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis