Bug 1353798 (CVE-2016-5386) - CVE-2016-5386 Go: sets environmental variable based on user supplied Proxy request header
Summary: CVE-2016-5386 Go: sets environmental variable based on user supplied Proxy r...
Status: CLOSED ERRATA
Alias: CVE-2016-5386
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160718,repor...
Keywords: Security
Depends On: 1327920 1327921 1357601 1357602 1358278 1358279
Blocks: 1353762
TreeView+ depends on / blocked
 
Reported: 2016-07-08 03:27 UTC by Kurt Seifried
Modified: 2018-09-24 02:12 UTC (History)
52 users (show)

Fixed In Version: Go 1.6.3, Go 1.7rc2
Doc Type: If docs needed, set a value
Doc Text:
An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable "HTTP_PROXY" using the incoming "Proxy" HTTP-request header. The environment variable "HTTP_PROXY" is used by numerous web clients, including Go's net/http package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests. This meant that when a CGI-based web application ran, an attacker could specify a proxy server which the application then used for subsequent outgoing requests, allowing a man-in-the-middle attack.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-13 08:59:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1538 normal SHIPPED_LIVE Moderate: golang security, bug fix, and enhancement update 2016-08-02 22:20:29 UTC

Description Kurt Seifried 2016-07-08 03:27:25 UTC
Dominic Scheirlinck of VendHQ reports:

Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. 

The Go programming language can automatically populate the HTTP_PROXY environmental variable with a user supplied "Proxy" header.

Comment 1 Kurt Seifried 2016-07-08 03:27:41 UTC
Acknowledgments:

Name: Scott Geary (VendHQ)

Comment 2 Doran Moppert 2016-07-08 05:49:05 UTC
To go package "net/http" honours $HTTP_PROXY as well as $http_proxy when making outbound requests, making CGI programs written in go vulnerable.

Go HTTP servers that do not invoke CGI scripts are not directly vulnerable:

  - the HTTP_PROXY var is not set in the server process's environment
  - the HTTP_PROXY var is not set in subprocesses launched directly by os.exec

Comment 4 Stefan Cornelius 2016-07-18 15:35:24 UTC
Created golang tracking bugs for this issue:

Affects: epel-6 [bug 1357601]
Affects: fedora-all [bug 1357602]

Comment 8 Summer Long 2016-07-26 00:52:17 UTC
Upstream announcement on golang-announce mailing list:

https://groups.google.com/forum/#!topic/golang-announce/7jZDOQ8f8tM

[security] Go 1.6.3 and 1.7rc2 are released

Chris Broadfoot 	
Jul 19

A security-related issue was recently reported in Go's net/http/cgi package and net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 will contain a fix for this issue.

Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in the CGI components resulting in the HTTP_PROXY environment variable being set by the incoming Proxy header. This environment variable was also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program.

This is CVE-2016-5386 and was addressed by this change: https://golang.org/cl/25010, tracked in this issue: https://golang.org/issue/16405

The Go team would like to thank Dominic Scheirlinck for coordinating disclosure of this issue across multiple languages and CGI environments. Read more about "httpoxy" here: https://httpoxy.org/

Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354 for details.

Downloads are available at https://golang.org/dl for all supported platforms.

Cheers,
Chris (on behalf of the Go team)

Comment 13 Fedora Update System 2016-07-28 23:54:27 UTC
golang-1.6.3-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-07-29 02:51:36 UTC
golang-1.5.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 errata-xmlrpc 2016-08-02 18:25:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1538 https://rhn.redhat.com/errata/RHSA-2016-1538.html


Note You need to log in before you can comment on or make changes to this bug.