August 16, 2016
Researcher Jerry Decime revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products.
According to Decime, there is a flaw in how applications from several vendors respond to HTTP CONNECT requests via HTTP/1.0 407 Proxy Authentication Required responses.
This flaw manifests itself only in network environments where users utilize proxy connections to get online. This type of setup is often used in enterprise networks where companies deploy powerful firewalls.
Decime explains that an attacker who has a foothold in a compromised network and can listen to proxy traffic can sniff for HTTP CONNECT requests sent to the local proxy.
When the attacker detects one of these requests, he replies in place of the real proxy server and issues a 407 Proxy Authentication Required response, asking the user for a password to access a specific service.
Because the HTTP CONNECT requests are unencrypted, the attacker knows when the victim wants to access sensitive accounts such as email or Intranet servers, even if those services are delivered via HTTPS.
The attacker can force the user to authenticate, with the user's responses going to the attacker rather than to the real proxy, hence the vulnerability’s name, FalseCONNECT.
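A defender with visibility into proxy traffic can look for the pattern described above. The following added example (not code from Decime or any vendor) flags a 407 reply to a CONNECT request when the challenge does not match what the site's real proxy is configured to issue; the `EXPECTED_SCHEMES` policy, the function names and the sample exchanges are assumptions constructed for illustration.

```python
# Added example: flag 407 replies to CONNECT that do not match proxy policy.
# The policy value and the sample exchanges below are constructed assumptions.

EXPECTED_SCHEMES = {"negotiate"}  # assumption: schemes the real proxy issues


def parse_request_line(raw):
    """Return (method, target) from a raw HTTP request."""
    method, target, _version = raw.split("\r\n", 1)[0].split(" ", 2)
    return method.upper(), target


def parse_response(raw):
    """Return (status_code, {header_name: [values]}) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_exchange(request_raw, response_raw, expected=EXPECTED_SCHEMES):
    """Return a finding string for a suspicious 407-to-CONNECT, else None."""
    method, target = parse_request_line(request_raw)
    status, headers = parse_response(response_raw)
    if method != "CONNECT" or status != 407:
        return None
    offered = {v.split(" ", 1)[0].lower()
               for v in headers.get("proxy-authenticate", []) if v}
    if not expected:  # empty policy: the real proxy never asks for credentials
        return f"{target}: 407 received but proxy requires no authentication"
    unexpected = offered - expected
    if unexpected or not offered:
        return f"{target}: unexpected challenge {sorted(unexpected) or 'none'}"
    return None


# Constructed sample exchanges (not captured traffic).
CONNECT_REQ = "CONNECT mail.example.test:443 HTTP/1.1\r\nHost: mail.example.test:443\r\n\r\n"
SUSPECT = ('HTTP/1.0 407 Proxy Authentication Required\r\n'
           'Proxy-Authenticate: Basic realm="mail"\r\n\r\n')
GENUINE = "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Negotiate\r\n\r\n"
TUNNEL_OK = "HTTP/1.1 200 Connection established\r\n\r\n"

if __name__ == "__main__":
    for resp in (SUSPECT, GENUINE, TUNNEL_OK):
        print(check_exchange(CONNECT_REQ, resp))
```

Passing an empty set as `expected` models a proxy that never requires authentication, in which case every 407 answer to a CONNECT is reported.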
WebKit software more vulnerable than others
WebKit is used for software such as Chrome, iTunes, Google Drive, Safari, and many mobile applications.
Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products are affected. Lenovo said this bug does not impact its software.
Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others.
Technical details about this flaw can be found on a dedicated website. US-CERT has also issued an alert, in which users can track vendor responses for the FalseCONNECT vulnerability.