AERAsec
Network Security
Current Security Messages


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which configuration changes should be made to avoid the vulnerability. Some of the files are transferred by FTP.

By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


Chosen message with ID ae-200202-051

System: Several Firewall, Caching & Antivirus Proxy Software
Topic: Bypass blocking rules or Antivirus filters by using HTTP/CONNECT method
Links: Squid-Cache/FAQ, SecurityFocus#4131, SecurityFocus/Info-Finjan, CERT VU#150227, CERT VU#868219
ID: ae-200202-051

It was detected that several firewall, caching and antivirus proxy software products do not restrict the HTTP CONNECT method sufficiently. On some software this apparently cannot be restricted by design.
Using CONNECT it is possible to tunnel to arbitrary ports, sometimes also to ports below 1024.
An example looks like this:
$ telnet your.local.proxy 3128
Trying 1.2.3.4...
Connected to your.local.proxy.
Escape character is '^]'.
CONNECT wwwspecial.domain.example:44444 HTTP/1.0

HTTP/1.0 200 Connection established

GET /eicar.com
X5************CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Connection closed by foreign host.

If you see the eicar.com test file in clear text and you use an antivirus proxy, a second issue exists: the proxy does not scan any traffic tunnelled through CONNECT, even when that traffic is not encrypted.

If you can also connect to ports lower than 1024, a third issue comes up. Test it using:
CONNECT mail.domain.example:25 HTTP/1.0
If this works, any port from 1 to 65535 can probably be reached from inside to outside, which may break your security policy.

Finally, try a connection request to port 80 using:
CONNECT www.domain.example:80 HTTP/1.0
Normally this should not work either.

Solutions:
1) Disable the CONNECT method completely, if software and security policy permit (this also disables HTTPS traffic through the proxy).
2) Restrict the ports usable with CONNECT to e.g. 443 (https) only (the Squid cache software has for some years done this by default, allowing only ports 443 and 563 [NNTP over SSL]).
3) Restrict outgoing traffic from the proxy to allowed ports only, using local or nearby firewalling (e.g. ports 80 and 443 only).
4) If the antivirus scanner is bypassed, contact the vendor for a solution.
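The following Python example, added here and not part of the AERAsec message or of any proxy product, shows the two defensive checks the message implies: a strict CONNECT request-line policy check restricted to the Squid-style default ports 443 and 563, and a scan over constructed Squid-native access-log lines that flags established tunnels to any other port. The log lines and hostnames are constructed for illustration.

```python
import re

# Ports a proxy should let CONNECT tunnel to (Squid's long-standing default: 443 and 563).
ALLOWED_CONNECT_PORTS = {443, 563}

# Request-line of an HTTP CONNECT: "CONNECT host:port HTTP/1.x" (no path token).
CONNECT_LINE = re.compile(r"^CONNECT\s+([^\s:]+):(\d{1,5})\s+HTTP/1\.[01]$")

def parse_connect(request_line: str):
    """Return (host, port) for a well-formed CONNECT request-line, else None."""
    m = CONNECT_LINE.match(request_line.strip())
    if not m:
        return None
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return m.group(1), port

def connect_allowed(request_line: str, allowed=ALLOWED_CONNECT_PORTS) -> bool:
    """Policy check a proxy should apply before opening the tunnel."""
    parsed = parse_connect(request_line)
    return parsed is not None and parsed[1] in allowed

# Constructed access-log lines in Squid's native format (sample data, not real traffic).
SAMPLE_LOG = """\
1012345678.001    120 10.0.0.5 TCP_TUNNEL/200 2048 CONNECT www.bank.example:443 - DIRECT/192.0.2.1 -
1012345678.002     90 10.0.0.5 TCP_TUNNEL/200  512 CONNECT wwwspecial.domain.example:44444 - DIRECT/192.0.2.2 -
1012345678.003     40 10.0.0.7 TCP_TUNNEL/200  300 CONNECT mail.domain.example:25 - DIRECT/192.0.2.3 -
1012345678.004     15 10.0.0.7 TCP_DENIED/403  200 CONNECT www.domain.example:80 - HIER_NONE/- -
"""

# timestamp, duration, client, result-code/status, bytes, method, host:port ...
LOG_LINE = re.compile(r"\S+\s+\d+\s+(\S+)\s+(\S+)/(\d{3})\s+\d+\s+CONNECT\s+([^\s:]+):(\d+)")

def find_tunnel_violations(log_text: str, allowed=ALLOWED_CONNECT_PORTS):
    """Flag established CONNECT tunnels (status 200) to ports outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        client, _result, status, host, port = m.groups()
        if status == "200" and int(port) not in allowed:
            hits.append((client, host, int(port)))
    return hits

if __name__ == "__main__":
    for client, host, port in find_tunnel_violations(SAMPLE_LOG):
        print(f"tunnel policy violation: {client} -> {host}:{port}")
```

Denied requests (status 403) are skipped on purpose: they show the policy working, while established tunnels to ports such as 25 or 44444 are the ones worth alerting on.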
(c) 2000-2017 AERAsec Network Services and Security GmbH