Vigil@nce - Cisco CSS, ACE: bypassing certificate authentication
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can add HTTP headers, in order to bypass the
certificate authentication of Cisco Series Content Services and
Cisco Application Control Engine.
Severity: 2/4
Creation date: 02/07/2010
DESCRIPTION OF THE VULNERABILITY
When a client offers a certificate to Cisco Series Content
Services and Cisco Application Control Engine, they add HTTP
headers for destination web servers:
ClientCert-Subject: C=fr, O=test, etc.
ClientCert-Subject-CN: CN=user
etc.
Web servers can then use these headers to authenticate clients.
However, two vulnerabilities impact this feature.
An attacker can send a query already containing "ClientCert-"
headers, which are not suppressed, and transmitted to the web
server. [severity:2/4; CVE-2010-1575]
An attacker can use headers ending by LF, CR or LFCR instead of
CRLF, in order to end the query before legitimate "ClientCert-"
headers. [severity:2/4; CVE-2010-1576]
An attacker can therefore add HTTP headers, in order to bypass the
certificate authentication of Cisco Series Content Services and
Cisco Application Control Engine.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-CSS-ACE-bypassing-certificate-authentication-9738