FalseCONNECT Flaw Exposes Proxy Connections to Attacks

Products from Apple, Microsoft, Oracle and possibly other major companies are affected by a vulnerability that exposes connections made via a proxy server to man-in-the-middle (MitM) attacks.

The security hole, discovered by researcher Jerry Decime and dubbed “FalseCONNECT,” is caused by flaws in how clients implement proxy authentication, and it can result in a complete compromise of HTTPS trust.

When a client and a server communicate over an encrypted channel, they perform a handshake in which they establish a shared encryption key. If the connection goes through a proxy server, the proxy must not learn that key, or end-to-end security is lost. This is achieved with an HTTP CONNECT request, which instructs the proxy to open a connection to the server and ensures that the proxy acts only as a data relay.

Since these HTTP CONNECT requests are made before the HTTPS handshake, the data is sent in clear text over HTTP. This allows an MitM attacker to replace the “200 OK CONNECT” response from the proxy with a “407 Proxy Authentication Required” message and phish the victim’s credentials.

In the case of clients that use the WebKit browser engine, the attacker can also use the “407 Proxy Authentication Required” response to execute arbitrary HTML and JavaScript code in the context of the targeted HTTPS website. A malicious actor can leverage this method to steal a user’s authentication credentials and session cookies, and the attack would likely not raise any suspicion, as the browser’s address bar still displays the padlock icon and the “https://” string.

Anyone who relies on a proxy could be affected by the FalseCONNECT vulnerability, and some users might not even know that they are vulnerable if a proxy auto-config (PAC) file is installed on their system. Decime has also pointed out that even proxies which don’t require authentication are affected.

“Ultimately, exploitation of this client-side vulnerability can be difficult to identify for users who move between networks,” Decime explained. “An organization utilizing an IDS or IPS may watch for malicious HTTP 407 responses to a CONNECT request on their network to attempt to detect an attack, but this does no good if the user impacted is not on a network being monitored. For organizations that have placed IDS or IPS on exit nodes, as an example, they may miss the exploitation of users on local subnets.”
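The detection idea in Decime's comment, and the CONNECT/407 exchange described two paragraphs earlier, can be turned into a simple sensor rule. The following Python is an added example written for this article, not code from the researcher, CERT/CC or any affected vendor: it parses captured plaintext proxy exchanges (the traffic sent before the TLS handshake), pairs each CONNECT request with its response, and flags 407 challenges, rating them highest when the challenge carries an HTML or script body (the WebKit content-injection case) or comes from a proxy that is known never to ask for credentials. The sample exchanges, host names and the `proxy_requires_auth` flag are constructed assumptions for the demonstration.

```python
"""Flag proxy responses to HTTP CONNECT that look like FalseCONNECT abuse.

Added example for this article; constructed sample traffic, not real captures.
"""
import re
from typing import Dict, List, Optional, Tuple

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (?P<code>\d{3}) (?P<reason>.*)$")

# Constructed sample traffic: (request, response) pairs as a network sensor
# would see them on the unencrypted hop between client and proxy.
SAMPLE_EXCHANGES: List[Tuple[str, str]] = [
    # 1. Normal tunnel establishment: nothing to report.
    ("CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
     "HTTP/1.1 200 Connection established\r\n\r\n"),
    # 2. 407 to a CONNECT carrying an HTML body with script: the vector the
    #    article describes for WebKit-based clients.
    ("CONNECT bank.example:443 HTTP/1.1\r\nHost: bank.example:443\r\n\r\n",
     "HTTP/1.1 407 Proxy Authentication Required\r\n"
     "Proxy-Authenticate: Basic realm=\"proxy\"\r\n"
     "Content-Type: text/html\r\n\r\n"
     "<html><body><script>/* injected content */</script></body></html>"),
    # 3. 407 to a CONNECT with no body: credential-phishing pattern.
    ("CONNECT mail.example:443 HTTP/1.1\r\nHost: mail.example:443\r\n\r\n",
     "HTTP/1.1 407 Proxy Authentication Required\r\n"
     "Proxy-Authenticate: Basic realm=\"corp\"\r\n\r\n"),
    # 4. 407 to a plain GET: outside this rule, which only covers CONNECT.
    ("GET http://news.example/ HTTP/1.1\r\nHost: news.example\r\n\r\n",
     "HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"),
]


def parse_http(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x message into (start line, lowercase header map, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *header_lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start, headers, body


def classify(request: str, response: str, proxy_requires_auth: bool) -> Optional[str]:
    """Return a finding for a 407 answer to a CONNECT request, else None.

    proxy_requires_auth is an assumed site-specific fact: whether the configured
    proxy legitimately challenges for credentials at all.
    """
    req_line, _, _ = parse_http(request)
    status_line, headers, body = parse_http(response)
    req = REQUEST_LINE.match(req_line)
    status = STATUS_LINE.match(status_line)
    if not req or not status or req.group("method") != "CONNECT":
        return None
    if int(status.group("code")) != 407:
        return None
    target = req.group("target")
    content_type = headers.get("content-type", "")
    # A challenge that carries markup is the content-injection case; a bare
    # 407 has no legitimate reason to carry an HTML document.
    if "text/html" in content_type or re.search(r"<script", body, re.IGNORECASE):
        return f"HIGH: 407 to CONNECT {target} carries an HTML/script body"
    if not proxy_requires_auth:
        return f"HIGH: 407 to CONNECT {target} from a proxy that never challenges"
    return f"REVIEW: 407 to CONNECT {target}; confirm the challenge came from the configured proxy"


def scan(exchanges: List[Tuple[str, str]], proxy_requires_auth: bool = True) -> List[str]:
    """Run classify() over every exchange and collect the findings in order."""
    findings = []
    for request, response in exchanges:
        finding = classify(request, response, proxy_requires_auth)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_EXCHANGES):
        print(line)
```

As Decime notes, this only helps where the sensor sits on the same segment as the client; a rule deployed only at an exit node never sees a 407 injected on the local subnet, so the check belongs on the client-facing side of the proxy, or on the endpoint itself.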

The FalseCONNECT vulnerability can affect operating systems, browsers and other applications configured to use a proxy. According to CERT/CC, Apple, Microsoft, Opera and Oracle have confirmed that their products are affected.

Apple patched the flaw (CVE-2016-4644) in iOS 9.3.3, OS X 10.11.6 and tvOS 9.2.2 last month. CERT/CC’s list of potentially affected vendors includes tens of other companies.

Until the issue is addressed by all affected vendors, users have been advised to avoid using proxy-configured clients when connecting to untrusted networks, and to disable PAC and web proxy auto-discovery (WPAD) if they are not needed.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.