Identity & Access

FalseCONNECT Flaw Exposes Proxy Connections to Attacks

Products from Apple, Microsoft, Oracle and possibly other major companies are affected by a vulnerability that exposes connections made via a proxy server to man-in-the-middle (MitM) attacks.

The security hole, discovered by researcher Jerry Decime and dubbed “FalseCONNECT,” is caused by issues in the implementation of proxy authentication and it can result in a complete compromise of HTTPS trust.

When a client and a server communicate over an encrypted channel, they perform a handshake where they establish a shared encryption key. If the connection goes through a proxy server, the proxy must not know the encryption key in order to ensure end-to-end security. This is achieved by using an HTTP CONNECT request, which instructs the proxy to establish a connection to the server and ensures that the proxy only acts as a data relay.

Since these HTTP CONNECT requests are made before the HTTPS handshake, the data is sent in clear text over HTTP. This allows an MitM attacker to replace the “200 OK CONNECT” response from the proxy with a “407 Proxy Authentication Required” message and phish the victim’s credentials.

In the case of clients that use the WebKit browser engine, the attacker can also use the “407 Proxy Authentication Required” response to execute arbitrary HTML and JavaScript code in the context of the targeted HTTPS website. A malicious actor can leverage this method to steal a user’s authentication credentials and session cookies, and the attack would likely not raise any suspicion, as the browser’s address bar still displays the padlock icon and the “https://” string.

Anyone who relies on a proxy could be affected by the FalseCONNECT vulnerability and some users might not even know that they are vulnerable if a proxy auto-config (PAC) file is installed on their system. Decime has also pointed out that even proxies which don’t require authentication are affected.

“Ultimately, exploitation of this client side vulnerability can be difficult to identify for users who move between networks,” Decime explained. “An organization utilizing an IDS or IPS may watch for malicious HTTP 407 responses to a CONNECT request on their network to attempt to detect an attack, but this does no good if the user impacted is not on a network being monitored. For organizations that have placed IDS or IPS on exit nodes as an example, they may miss the exploitation of users on local subnets.”
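One way to implement the network-side check Decime describes, as an added illustration that is not from the article, CERT/CC or any vendor: the script below parses captured proxy exchanges and flags a 407 answer to a CONNECT when it comes from a proxy that never authenticates, lacks a Proxy-Authenticate header, or carries an HTML/JavaScript body (the WebKit case). The proxy host names, the NO_AUTH_PROXIES policy and the three sample exchanges are all constructed for the example.

```python
import re
# Assumption for this example: proxies listed here never challenge for
# credentials, so any 407 they appear to send is suspect.
NO_AUTH_PROXIES = {"proxy.corp.example:3128"}
CONNECT_RE = re.compile(r"^CONNECT (\S+) HTTP/1\.[01]", re.I)

def _parse(msg):
    # Split an HTTP message into (start line, lower-cased headers, body).
    head, _, body = msg.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in lines)}
    return start, headers, body

def check_exchange(proxy, request, response):
    # Reasons why a 407 answer to CONNECT looks forged; [] when it looks fine.
    m = CONNECT_RE.match(request)
    if not m:
        return []  # FalseCONNECT only concerns CONNECT tunnels
    start, headers, body = _parse(response)
    if not re.match(r"HTTP/1\.[01] 407\b", start):
        return []
    reasons = []
    if proxy in NO_AUTH_PROXIES:
        reasons.append("407 from a proxy that never requires authentication")
    if "proxy-authenticate" not in headers:
        reasons.append("407 without a Proxy-Authenticate header")
    if "html" in headers.get("content-type", "").lower() or re.search(
            r"<(script|form|html)\b", body, re.I):
        reasons.append("407 body carries HTML/JavaScript")
    return reasons

def scan(exchanges):
    # (proxy, CONNECT target, reasons) for every flagged exchange.
    out = []
    for proxy, request, response in exchanges:
        reasons = check_exchange(proxy, request, response)
        if reasons:
            out.append((proxy, CONNECT_RE.match(request).group(1), reasons))
    return out

# Constructed samples: clean tunnel, legitimate challenge from an auth proxy,
# and a forged 407 that carries a script body.
REQ = "CONNECT bank.example:443 HTTP/1.1\r\nHost: bank.example:443\r\n\r\n"
SAMPLE = [
    ("proxy.corp.example:3128", REQ, "HTTP/1.1 200 Connection established\r\n\r\n"),
    ("authproxy.corp.example:8080", REQ, "HTTP/1.1 407 Proxy Authentication Required\r\n"
     'Proxy-Authenticate: Basic realm="corp"\r\nContent-Length: 0\r\n\r\n'),
    ("proxy.corp.example:3128", REQ, "HTTP/1.1 407 Proxy Authentication Required\r\n"
     "Content-Type: text/html\r\n\r\n<html><script>document.title='x'</script></html>"),
]
```

As Decime notes, such a sensor only helps for users whose traffic actually passes the monitored segment; roaming clients on untrusted networks remain covered only by the client-side mitigations below.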

The FalseCONNECT vulnerability can affect operating systems, browsers and other applications configured to use a proxy. According to CERT/CC, Apple, Microsoft, Opera and Oracle have confirmed that their products are affected.

Apple patched the flaw (CVE-2016-4644) in iOS 9.3.3, OS X 10.11.6 and tvOS 9.2.2 last month. CERT/CC’s list of potentially affected vendors includes tens of other companies.

Until the issue is addressed by all affected vendors, users have been advised to avoid the use of proxy-configured clients when connecting to untrusted networks, and disable PAC and web proxy auto-discovery (WPAD) if they are not needed.

Related Reading: Hackers Can Intercept HTTPS URLs via Proxy Attacks

Related Reading: SSL Flaw in Intel Crosswalk Exposes Apps to MitM Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
