
CERT Coordination Center

HTTP Request Smuggling in Web Proxies

Vulnerability Note VU#357312

Original Release Date: 2021-08-06 | Last Revised: 2021-08-12

Overview

HTTP web proxies and web accelerators that accept HTTP/2 from clients and forward requests to an HTTP/1.1 backend web server are vulnerable to HTTP Request Smuggling.

Description

The affected systems accept invalid characters, such as carriage return (CR) and line feed (LF), in HTTP/2 header names and values. When a vulnerable system translates such a request for an HTTP/1.1 backend, the injected characters are copied into the forwarded HTTP/1 request, where they are interpreted as header and request delimiters. This is commonly known as HTTP Request Splitting. In the case of HTTP web proxies, this vulnerability can lead to HTTP Request Smuggling, which enables an attacker to reach protected internal sites that the proxy was meant to shield.

Impact

An attacker can send a crafted HTTP/2 request with malicious content to bypass network security measures, thereby reaching internal protected servers and accessing sensitive data.

Solution

Apply updates

Install vendor-provided patches and updates to ensure malformed HTTP/2 content is blocked or rejected as described in RFC 7540 (Section 8.1.2.6, "Malformed Requests and Responses") and RFC 7540 (Section 10.3, "Intermediary Encapsulation Attacks"). Both requests and responses should be inspected by the web proxy, and malformed messages rejected in accordance with Stream Error Handling as described in RFC 7540 (Section 5.4.2).

Inspect and block anomalous HTTP/2 traffic

If HTTP/2 is not supported, block the protocol on the web proxies to avoid abuse of the HTTP/2 protocol. Where HTTP/2 is supported, enforce strict rules for HTTP header checks to ensure malicious headers are normalized or rejected.
Checks of this type include:

* HTTP headers with an invalid header name or value
* HTTP headers with an invalid or missing content-length
* Unsupported or invalid HTTP methods
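The following is an added example (not code from CERT/CC or from any vendor listed on this page) of the header checks described above, applied at the point where a proxy translates an HTTP/2 header block into an HTTP/1.1 request. It rejects the characters RFC 7540 (Section 8.1.2.6) forbids in field values (NUL, CR, LF), non-lowercase or non-token header names, connection-specific headers, inconsistent or non-numeric content-length values, and methods outside an allow-list. The proxy, its allow-list of methods, and the sample header blocks are all constructed for illustration.

```python
"""Validate an HTTP/2 request header block before forwarding it to an HTTP/1.1 backend.

Added illustrative code; the method allow-list and the sample requests are constructed.
"""
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# RFC 7230 "token" characters, lowercase only: RFC 7540 (Section 8.1.2) treats an
# uppercase header name as malformed.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9a-z]+$")
# RFC 7540 (Section 8.1.2.6): a field value must not contain NUL, CR or LF and must
# not start or end with SP or HTAB. These are exactly the bytes that would split
# the forwarded HTTP/1.1 request into two.
FORBIDDEN_VALUE_CHARS = ("\x00", "\r", "\n")
# Methods this hypothetical proxy is willing to forward; anything else is rejected.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"})
# RFC 7540 (Section 8.1.2.2): connection-specific headers are malformed in HTTP/2.
CONNECTION_SPECIFIC = frozenset({"connection", "keep-alive", "proxy-connection",
                                 "transfer-encoding", "upgrade"})
REQUIRED_PSEUDO = (":method", ":scheme", ":path")
KNOWN_PSEUDO = frozenset(REQUIRED_PSEUDO + (":authority",))


class MalformedRequest(ValueError):
    """Raised when a request must be answered with a stream error instead of forwarded."""


def validate_h2_request(headers: List[Header], body: bytes = b"") -> List[str]:
    """Return the list of violations found; an empty list means the block is safe to forward."""
    problems: List[str] = []
    seen_regular = False
    pseudo: Dict[str, str] = {}
    content_lengths: List[str] = []
    for name, value in headers:
        if name.startswith(":"):
            # Pseudo-headers must precede regular headers and must not repeat.
            if seen_regular:
                problems.append(f"pseudo-header {name!r} after regular headers")
            if name not in KNOWN_PSEUDO:
                problems.append(f"unknown pseudo-header {name!r}")
            elif name in pseudo:
                problems.append(f"duplicate pseudo-header {name!r}")
            pseudo[name] = value
        else:
            seen_regular = True
            if not TOKEN_RE.match(name):
                problems.append(f"invalid header name {name!r}")
            if name in CONNECTION_SPECIFIC:
                problems.append(f"connection-specific header {name!r} not allowed in HTTP/2")
        # Value checks apply to pseudo-headers too: a CR/LF in :path splits the request line.
        if any(c in value for c in FORBIDDEN_VALUE_CHARS):
            problems.append(f"control character in value of {name!r}")
        if value != value.strip(" \t"):
            problems.append(f"leading/trailing whitespace in value of {name!r}")
        if name == "content-length":
            content_lengths.append(value)
    for p in REQUIRED_PSEUDO:
        if p not in pseudo:
            problems.append(f"missing pseudo-header {p!r}")
    method = pseudo.get(":method")
    if method is not None and method not in ALLOWED_METHODS:
        problems.append(f"unsupported method {method!r}")
    # content-length must be numeric, every copy must agree, and it must match the
    # DATA actually received; otherwise the backend would frame the body differently.
    if content_lengths:
        if any(not cl.isdigit() for cl in content_lengths):
            problems.append("non-numeric content-length")
        elif len(set(content_lengths)) > 1:
            problems.append("conflicting content-length values")
        elif int(content_lengths[0]) != len(body):
            problems.append("content-length does not match body length")
    return problems


def to_http1(headers: List[Header], body: bytes = b"") -> bytes:
    """Serialize a validated HTTP/2 request as HTTP/1.1; refuse anything that fails validation."""
    problems = validate_h2_request(headers, body)
    if problems:
        raise MalformedRequest("; ".join(problems))
    pseudo = {n: v for n, v in headers if n.startswith(":")}
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"]
    if ":authority" in pseudo:
        lines.append(f"host: {pseudo[':authority']}")
    for name, value in headers:
        if name.startswith(":") or name == "content-length":
            continue
        if name == "host" and ":authority" in pseudo:
            continue  # :authority already became the Host header
        lines.append(f"{name}: {value}")
    # Framing for the backend is derived from the bytes actually received,
    # never copied from the client's own content-length header.
    if body or pseudo[":method"] in ("POST", "PUT", "PATCH"):
        lines.append(f"content-length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


if __name__ == "__main__":
    # Constructed sample header blocks.
    clean = [(":method", "GET"), (":scheme", "https"), (":path", "/"),
             (":authority", "backend.example.test"), ("user-agent", "demo")]
    print(to_http1(clean))
    injected = clean + [("x-note", "a\r\nb")]  # CR/LF inside a header value
    print(validate_h2_request(injected))
```

The serializer never forwards a request that fails validation, which is the behaviour RFC 7540 (Section 5.4.2) asks of an intermediary: a malformed stream is reset, not repaired. Note that a body without a content-length is legitimate in HTTP/2 (DATA frames delimit it), so the proxy's "no content-length" check is satisfied by always writing the header from the received body length rather than by rejecting the request.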

Test and verify your web proxy

Scan your public-facing web proxy with OWASP-recommended tests to ensure your web servers are not vulnerable to abuse via HTTP response splitting.

Acknowledgements

Thanks to the reporter James Kettle of PortSwigger for the information about this vulnerability.

This document was written by Timur Snoke.

Vendor Information


F5 Networks Inc. Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   August 05, 2021

VU#357312.1 Affected

Vendor Statement

We have not received a statement from the vendor.


Imperva Inc. Affected

Notified:  2021-05-14 Updated: 2021-08-12

Statement Date:   August 11, 2021

VU#357312.1 Affected

Vendor Statement

The Imperva Security Research team is constantly analyzing new security exploits to ensure the highest quality of protection for our customers. Imperva has deployed a security update to our cloud platform to address an emerging issue around HTTP request splitting / request header injection over HTTP/2.

Akamai Technologies Inc. Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   August 05, 2021

VU#357312.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Barracuda Networks Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   May 20, 2021

VU#357312.1 Not Affected

Vendor Statement

Barracuda has confirmed that our services are not affected by the proof of concept.

Citrix Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   August 03, 2021

VU#357312.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Cloudflare Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   May 20, 2021

VU#357312.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

ContentKeeper Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   July 05, 2021

VU#357312.1 Not Affected

Vendor Statement

ContentKeeper products and services are not affected by the vulnerability VU#357312.

Fastly Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   May 20, 2021

VU#357312.1 Not Affected

Vendor Statement

Through testing, we have confirmed with the researcher that we are not vulnerable.

Juniper Networks Not Affected

Notified:  2021-05-19 Updated: 2021-08-06

Statement Date:   August 05, 2021

VU#357312.1 Not Affected

Vendor Statement

Juniper products are not vulnerable to this issue.

McAfee Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   June 22, 2021

VU#357312.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Menlo Security Not Affected

Notified:  2021-05-14 Updated: 2021-08-09

Statement Date:   August 06, 2021

VU#357312.1 Not Affected

Vendor Statement

We have confirmed that Menlo Security products are not affected by this vulnerability.

Nginx Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   August 05, 2021

VU#357312.1 Not Affected

Vendor Statement

The nginx HTTP/2 module has checked for '\0', LF, CR and other invalid characters since its introduction.

Qualys Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   May 21, 2021

VU#357312.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Sophos Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   May 17, 2021

VU#357312.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Trend Micro Not Affected

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   August 05, 2021

VU#357312.1 Not Affected

Vendor Statement

Trend Micro has investigated this issue and has found that none of our products are affected.

A10 Networks Unknown

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   June 23, 2021

VU#357312.1 Unknown

Vendor Statement

A10 Networks is assessing the vulnerabilities surfaced by VU#357312.1 to determine whether A10 products are affected.

Zscaler Unknown

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   May 26, 2021

VU#357312.1 Unknown

Vendor Statement

Zscaler's web proxies do not yet support HTTP/2 connections.

Amazon Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Broadcom Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cisco Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Forcepoint Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Fortinet Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   May 17, 2021

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Huawei Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

iboss Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Kaspersky Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microsoft Unknown

Notified:  2021-05-14 Updated: 2021-08-06

Statement Date:   May 28, 2021

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

netsweeper Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Oracle Corporation Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Pulse Secure Unknown

Notified:  2021-05-19 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sucuri Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Symantec Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Trustwave Secure Web Gateway (SWG) Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Trustwave Web Application Firewall (WAF) Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Verizon Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

VMware Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Wallarm Unknown

Notified:  2021-05-14 Updated: 2021-08-06

VU#357312.1 Unknown

Vendor Statement

We have not received a statement from the vendor.



Other Information

Date Public: 2021-08-06
Date First Published: 2021-08-06
Date Last Updated: 2021-08-12 11:44 UTC
Document Revision: 3

Sponsored by CISA.