Multiple other vendors may still be affected

Aug 16, 2016 00:45 GMT  ·  By

Researcher Jerry Decime has revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products.

According to Decime, there is a flaw in how applications from several vendors respond to HTTP CONNECT requests via HTTP/1.0 407 Proxy Authentication Required responses.

FalseCONNECT explained for dummies

This flaw manifests itself only in network environments where users utilize proxy connections to get online. This type of setup is often used in enterprise networks where companies deploy powerful firewalls.

Decime explains that an attacker that has a foothold in a compromised network and has the ability to listen to proxy traffic can sniff for HTTP CONNECT requests sent to the local proxy.

When the attacker detects one of these requests, they reply instead of the real proxy server and issue a 407 Proxy Authentication Required response, asking the user for a password to access a specific service.

Because the HTTP CONNECT requests are unencrypted, the attacker knows when the victim wants to access sensitive accounts such as email or Intranet servers, even if those services are delivered via HTTPS.

The attacker can thereby force the user to authenticate, so that the credentials are sent to the attacker instead of the real proxy, hence the vulnerability's name of FalseCONNECT.

WebKit software more vulnerable than others

"WebKit-based clients are vulnerable to additional vectors due to the fact that HTML markup and JavaScript are rendered by the client Document Object Model (DOM) in the context of the originally requested HTTPS domain," a US-CERT alert reads.

WebKit is used for software such as Chrome, iTunes, Google Drive, Safari, and many mobile applications.
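As an added illustration of the two points above (a forged 407 arrives on a plaintext CONNECT, and WebKit clients rendered its body in the origin's context), the following Python helper, written for this article and not part of Decime's or US-CERT's material, classifies a proxy's reply to a CONNECT request the way a hardened client or a proxy-log analyser would: a 407 is a proxy-level message whose body is never page content, a Basic challenge means the password would travel in the clear, and active markup in a 407 body is flagged for review. All requests and responses in the block are constructed samples, and the host name and realm are placeholders.

```python
import re

# Markup that must never execute in the context of the HTTPS origin the user
# asked for. Legitimate proxies also return small HTML 407 pages, so a match is
# a review signal, not proof of tampering.
ACTIVE_MARKUP = re.compile(rb"<\s*(script|iframe|form|meta\s[^>]*refresh)", re.I)

# Constructed samples (placeholder host and realm), not captured traffic.
REQ = b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com:443\r\n\r\n"
TUNNEL = b"HTTP/1.1 200 Connection established\r\n\r\n"
CHAL = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
        b'Proxy-Authenticate: Basic realm="corp-proxy"\r\n'
        b"Content-Type: text/html\r\n\r\n<h1>Proxy Authentication Required</h1>")
BAD = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
       b'Proxy-Authenticate: Basic realm="corp-proxy"\r\n'
       b"Content-Type: text/html\r\n\r\n"
       b"<html><body><script>/* constructed sample */</script></body></html>")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])   # e.g. "HTTP/1.0 407 Proxy Authentication Required"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def connect_reply_verdict(request: bytes, response: bytes) -> dict:
    """Decide what a client (or a proxy-log analyser) should do with the reply to a CONNECT."""
    method, target = request.split(b" ", 2)[:2]
    if method != b"CONNECT":
        raise ValueError("not a CONNECT request")
    status, headers, body = parse_response(response)
    challenge = headers.get("proxy-authenticate", "")
    scheme = challenge.split(" ", 1)[0].lower() if challenge else None
    verdict = {
        "target": target.decode(),
        "status": status,
        "scheme": scheme,
        # Basic over a plaintext CONNECT hands the password to whoever answered.
        "cleartext_credentials": scheme == "basic",
        "active_markup": bool(ACTIVE_MARKUP.search(body)),
    }
    if status == 200:
        verdict["action"] = "tunnel"      # proceed with TLS to the target; no body to show
    elif status == 407:                   # body is a proxy message, never origin content
        verdict["action"] = "challenge_suspicious" if verdict["active_markup"] else "challenge"
    else:
        verdict["action"] = "error"       # show the client's own error page, not the body
    return verdict
```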

Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products are affected. Lenovo has said this bug does not impact its software.

Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others.

Technical details about this flaw can be found on a dedicated website. US-CERT has also issued an alert, in which users can track vendor responses for the FalseCONNECT vulnerability.

Images: FalseCONNECT vulnerability affects multiple software vendors; FalseCONNECT attack visually explained.