Vulnerability Name:

CVE-2009-0803 (CCN-49149)

Assigned:2009-02-23
Published:2009-02-23
Updated:2009-06-18
Summary:SmoothWall SmoothGuardian, as used in SmoothWall Firewall, NetworkGuardian, and SchoolGuardian 2008, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header.
CVSS v3 Severity:6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:5.4 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)
4.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
5.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-264
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2009-0801

Source: MITRE
Type: CNA
CVE-2009-0802

Source: MITRE
Type: CNA
CVE-2009-0803

Source: MITRE
Type: CNA
CVE-2009-0804

Source: MITRE
Type: CNA
CVE-2009-1211

Source: CCN
Type: SA34014
SmoothGuardian HTTP "Host:" Header Security Bypass

Source: CCN
Type: SA34018
Ziproxy HTTP "Host:" Header Security Bypass

Source: CCN
Type: SA34019
Squid HTTP "Host:" Header Security Bypass

Source: CCN
Type: SA34020
WinGate HTTP "Host:" Header Security Bypass

Source: CCN
Type: SA34064
Blue Coat ProxySG HTTP "Host:" Header Security Bypass

Source: CCN
Type: SECTRACK ID: 1021781
Blue Coat ProxySG Host Header Processing May Let Remote Users Bypass Security Restrictions

Source: CCN
Type: US-CERT VU#435052
Intercepting proxy servers may incorrectly rely on HTTP headers to make connections

Source: CERT-VN
Type: US Government Resource
VU#435052

Source: CONFIRM
Type: US Government Resource
http://www.kb.cert.org/vuls/id/MAPG-7M6SM7

Source: CCN
Type: US-CERT Web site
Ziproxy Information for VU#435052

Source: CCN
Type: OSVDB ID: 52409
Squid Transparent Interception Mode HTTP Host Header Dependancy Media Access Control Bypass

Source: CCN
Type: OSVDB ID: 52410
WinGate Transparent Interception Mode HTTP Host Header Dependancy Media Access Control Bypass

Source: CCN
Type: OSVDB ID: 52411
SmoothGuardian Transparent Interception Mode HTTP Host Header Dependancy Media Access Control Bypass

Source: CCN
Type: OSVDB ID: 52412
Ziproxy Transparent Interception Mode HTTP Host Header Dependancy Media Access Control Bypass

Source: CCN
Type: OSVDB ID: 52413
Blue Coat ProxySG Transparent Interception Mode HTTP Host Header Dependancy Media Access Control Bypass

Source: CCN
Type: OSVDB ID: 62393
Blue Coat Proxy Spoofed Referer Field Authentication Bypass

Source: BID
Type: Vendor Advisory
33858

Source: CCN
Type: BID-33858
Multiple HTTP Proxy HTTP Host Header Incorrect Relay Behavior Vulnerability

Source: CCN
Type: BID-36045
Blue Coat ProxySG Proxy Authentication Bypass Vulnerability

Source: CCN
Type: SmoothWall Web site
SmoothWall

Source: CCN
Type: Squid Web site
Squid Web Proxy Cache

Source: CCN
Type: Qbik Web site
WinGate Proxy Server

Source: CCN
Type: Ziproxy Web page
Ziproxy

Source: XF
Type: UNKNOWN
multiple-proxy-interception-security-bypass(49149)

Source: CCN
Type: Blue Coat Web site
ProxySG in transparent deployments intercepting HTTP/HTTPS traffic

Vulnerable Configuration:Configuration 1:
  • cpe:/a:smoothwall:networkguardian:2008:*:*:*:*:*:*:*
  • OR cpe:/a:smoothwall:schoolguardian:2008:*:*:*:*:*:*:*
  • OR cpe:/a:smoothwall:smoothguardian:2008:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:qbik:wingate:6.1.1.1077:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:proxysg:4.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:proxysg:5.2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:3.0.stable1:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:3.0.stable2:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:3.0.stable3:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:3.0.stable4:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.7.stable5:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.7:-:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:3.0.stable5:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:3.0.stable6:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:3.0.stable7:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:3.0.stable12:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:3.0.stable13:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.7.stable6:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.0.2_build_1000:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.0.2_build_1001:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.0.1_build_995:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.0.1_build_993:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.0.3_build_1005:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.2:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:qbik:wingate:6.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:smoothwall:smoothguardian:2008:*:*:*:*:*:*:*
  • OR cpe:/a:smoothwall:networkguardian:2008:*:*:*:*:*:*:*
  • OR cpe:/a:smoothwall:schoolguardian:2008:*:*:*:*:*:*:*
  • OR cpe:/a:ziproxy:ziproxy:2.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:proxysg:5.4.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:proxysg:5.3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:proxysg:5.2.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:proxysg:5.1.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:proxysg:4.3.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:proxysg:5.4:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:proxysg:5.3:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:proxysg:5.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    smoothwall networkguardian 2008
    smoothwall schoolguardian 2008
    smoothwall smoothguardian 2008
    qbik wingate 6.1.1.1077
    qbik wingate 6.1.4
    squid-cache squid 3.0
    bluecoat proxysg 4.2.6
    bluecoat proxysg 5.2.2.4
    squid-cache squid 3.0.stable1
    squid-cache squid 3.0.stable2
    squid-cache squid 3.0.stable3
    squid-cache squid 3.0.stable4
    qbik wingate 6.2.2
    qbik wingate 6.2.1
    squid-cache squid 2.7.stable5
    squid-cache squid 2.7
    squid-cache squid 3.0.stable5
    squid-cache squid 3.0.stable6
    squid-cache squid 3.0.stable7
    squid-cache squid 3.0.stable12
    squid-cache squid 3.0.stable13
    squid-cache squid 2.7.stable6
    qbik wingate 6.0.2_build_1000
    qbik wingate 6.0.2_build_1001
    qbik wingate 6.0.1_build_995
    qbik wingate 6.0.1_build_993
    qbik wingate 6.0.3_build_1005
    qbik wingate 6.2
    qbik wingate 6.1
    qbik wingate 6.0.0
    qbik wingate 6.5.2
    qbik wingate 6.1.3
    qbik wingate 6.1.2
    smoothwall smoothguardian 2008
    smoothwall networkguardian 2008
    smoothwall schoolguardian 2008
    ziproxy ziproxy 2.6.0
    bluecoat proxysg 5.4.1.1
    bluecoat proxysg 5.3.2.1
    bluecoat proxysg 5.2.5.2
    bluecoat proxysg 5.1.6.1
    bluecoat proxysg 4.3.2.3
    bluecoat proxysg 5.4
    bluecoat proxysg 5.3
    bluecoat proxysg 5.1