An old scripting vulnerability that impacts a large number of Linux distributions and programing languages allows for man-in-the-middle attacks that could compromise web servers. The vulnerability, which affects many PHP and CGI web-apps, was revealed Monday in tandem with the release of a bevy patches from impacted companies and platforms.
Researchers at SaaS distributor VendHQ named the vulnerability Httpoxy. It affects server-side web applications that run in Common Gateway Interface (CGI) or CGI-like environments, such as some FastCGI configurations, along with programing languages PHP, Python, and Go.
“This is a very serious flaw, if you’re one of the few still reliant on CGI and PHP for generating web pages,” said Dominic Scheirlinck, principal engineer VendHQ, and one of several researchers from the firm that discovered Httpoxy. The vulnerability is rated as “medium” by the firm and is easily exploitable.
Scheirlinck describes Httpoxy as a set of vulnerabilities impacted by a simple namespace conflict tied to HTTP proxy headers that unsafely trust the “HTTP_PROXY” environment variable when generating forward requests. This namespace conflict allows an attacker to remotely configure the HTTP_PROXY environment variable on a web server by submitting a malicious Proxy: HTTP header.
This sets the stage for a remotely exploitable vulnerability where an attacker could launch a man-in-the-middle attack and redirect traffic to an arbitrary host. An adversary might also be able to intercept traffic and decipher sensitive communications. Or a cybercriminal could execute a denial of service attack by forcing vulnerable software to use a malicious proxy to tie up server resources, Scheirlinck said.
In cooperation with Httpoxy a number CVEs have been assigned to affected platforms and languages including; PHP (CVE-2016-5385), Go (CVE-2016-5386), Apache HTTP Server (CVE-2016-5387), Apache Tomcat (CVE-2016-5388), HHVM (CVE-2016-1000109) and Python (CVE-2016-1000110).
The vulnerability impacts the minority of web servers utilizing the older method in which a CGI script would talk to a backend server and pass through information to dynamically generate a web page, said Christopher Robinson, manager, Red Hat Product Security program management. “If you are on a more modern server, it’s still an option, but it’s not the default way of how webpages are rendered,” Robinson said.
Robinson said only about 3,000 of Red Hat customer servers are impacted by Httpoxy vulnerability. Additional remediation steps have been taken by proxy networks, like Akamai, who on Monday announced measures to protect their customers.
“Akamai has moved to protect the vast majority of its customers by blocking the HTTP headers which would alter these variables in a CGI/PHP environment,” the company announced Monday.
Scheirlinck said remediation for those impacted is drop-dead simple and only entails updating one line of code – no system reboot required.
“I would not anticipate there would be a large number of people impacted,” Robinson said. But because the vulnerability is so easily exploitable, he urged companies to fix affected server fast.
Httpoxy, Scheirlinck said, is tied to a much earlier Perl bug discovered 15 years ago found by Randal L Schwartz in 2001. At the time, Schwartz quickly fixed the vulnerability in the Perl libraries for the scripting language. But since then iterations of the bug have cropped up numerous times with vendors not always connecting the dots as to the larger scope of the vulnerability impacting other languages and libraries, Scheirlinck said.
