Products from Apple, Microsoft, Oracle and possibly other major companies are affected by a vulnerability that exposes connections made via a proxy server to man-in-the-middle (MitM) attacks.
The security hole, discovered by researcher Jerry Decime and dubbed “FalseCONNECT,” is caused by issues in the implementation of proxy authentication and it can result in a complete compromise of HTTPS trust.
When a client and a server communicate over an encrypted channel, they perform a handshake where they establish a shared encryption key. If the connection goes through a proxy server, the proxy must not know the encryption key in order to ensure end-to-end security. This is achieved by using an HTTP CONNECT request, which instructs the proxy to establish a connection to the server and ensures that the proxy only acts as a data relay.
Since these HTTP CONNECT requests are made before the HTTPS handshake, the data is sent in clear text over HTTP. This allows an MitM attacker to replace the “200 OK CONNECT” response from the proxy with a “407 Proxy Authentication Required” message and phish the victim’s credentials.
Anyone who relies on a proxy could be affected by the FalseCONNECT vulnerability and some users might not even know that they are vulnerable if a proxy auto-config (PAC) file is installed on their system. Decime has also pointed out that even proxies which don’t require authentication are affected.
“Ultimately, exploitation of this client side vulnerability can be difficult to identify for users who move between networks,” Decime explained. “An organization utilizing an IDS or IPS may watch for malicious HTTP 407 responses to a CONNECT request on their network to attempt and detect an attack but this does no good if the user impacted is not on a network being monitored. For organizations that have placed IDS or IPS on exit nodes as an example, they may miss the exploitation of users on local subnets.”
The FalseCONNECT vulnerability can affect operating systems, browsers and other applications configured to use a proxy. According to CERT/CC, Apple, Microsoft, Opera and Oracle have confirmed that their products are affected.
Until the issue is addressed by all affected vendors, users have been advised to avoid the use of proxy-configured clients when connecting to untrusted networks, and disable PAC and web proxy auto-discovery (WPAD) if they are not needed.
Related Reading: Hackers Can Intercept HTTPS URLs via Proxy Attacks
Related Reading: SSL Flaw in Intel Crosswalk Exposes Apps to MitM Attacks