Products from Apple, Microsoft, Oracle and possibly other major companies are affected by a vulnerability that exposes connections made via a proxy server to man-in-the-middle (MitM) attacks.
The security hole, discovered by researcher Jerry Decime and dubbed “FalseCONNECT,” is caused by issues in the implementation of proxy authentication and it can result in a complete compromise of HTTPS trust.
When a client and a server communicate over an encrypted channel, they perform a handshake where they establish a shared encryption key. If the connection goes through a proxy server, the proxy must not know the encryption key in order to ensure end-to-end security. This is achieved by using an HTTP CONNECT request, which instructs the proxy to establish a connection to the server and ensures that the proxy only acts as a data relay.
Since these HTTP CONNECT requests are made before the HTTPS handshake, the data is sent in clear text over HTTP. This allows an MitM attacker to replace the “200 OK CONNECT” response from the proxy with a “407 Proxy Authentication Required” message and phish the victim’s credentials.
In the case of clients that use the WebKit browser engine, the attacker can also use the “407 Proxy Authentication Required” response to execute arbitrary HTML and JavaScript code in the context of the targeted HTTPS website. A malicious actor can leverage this method to steal a user’s authentication credentials and session cookies and the attack would likely not raise any suspicion as the browser’s address bar still displays the padlock icon and the “https://” string.
Anyone who relies on a proxy could be affected by the FalseCONNECT vulnerability and some users might not even know that they are vulnerable if a proxy auto-config (PAC) file is installed on their system. Decime has also pointed out that even proxies which don’t require authentication are affected.
“Ultimately, exploitation of this client side vulnerability can be difficult to identify for users who move between networks,” Decime explained. “An organization utilizing an IDS or IPS may watch for malicious HTTP 407 responses to a CONNECT request on their network to attempt and detect an attack but this does no good if the user impacted is not on a network being monitored. For organizations that have placed IDS or IPS on exit nodes as an example, they may miss the exploitation of users on local subnets.”
The FalseCONNECT vulnerability can affect operating systems, browsers and other applications configured to use a proxy. According to CERT/CC, Apple, Microsoft, Opera and Oracle have confirmed that their products are affected.
Apple patched the flaw (CVE-2016-4644) in iOS 9.3.3, OS X 10.11.6 and tvOS 9.2.2 last month. CERT/CC’s list of potentially affected vendors includes tens of other companies.
Until the issue is addressed by all affected vendors, users have been advised to avoid the use of proxy-configured clients when connecting to untrusted networks, and disable PAC and web proxy auto-discovery (WPAD) if they are not needed.
Related Reading: Hackers Can Intercept HTTPS URLs via Proxy Attacks
Related Reading: SSL Flaw in Intel Crosswalk Exposes Apps to MitM Attacks