Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: invalid headers are normalized, allowing request smuggling #34540

Closed
FiloSottile opened this issue Sep 25, 2019 · 9 comments
Closed

net/http: invalid headers are normalized, allowing request smuggling #34540

FiloSottile opened this issue Sep 25, 2019 · 9 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Go1.14

Comments

@FiloSottile
Copy link
Contributor

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

This issue is CVE-2019-16276 and is fixed in Go 1.13.1 and Go 1.12.10.
@FiloSottile FiloSottile added Security NeedsFix The path to resolution is known, but the work has not been done. labels Sep 25, 2019
@FiloSottile FiloSottile added this to the Go1.14 milestone Sep 25, 2019
@FiloSottile FiloSottile self-assigned this Sep 25, 2019
@FiloSottile
Copy link
Contributor Author

@gopherbot Please open backport issues for this. This was a security problem.

This was referenced Sep 25, 2019
Closed
Closed
@gopherbot
Copy link
Contributor

Backport issue(s) opened: #34541 (for 1.12), #34542 (for 1.13).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

dongsupark pushed a commit to flatcar-archive/coreos-overlay that referenced this issue Sep 26, 2019
dev-lang/go: update dev-lang/go to 1.12.10 and add go 1.13.1
64a62d3 
To fix security issues in Go,
[CVE-2019-16276](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276),
let's update dev-lang/go from 1.12.9 to 1.12.10, and add go 1.13.1.

See also golang/go#34540
@dongsupark dongsupark mentioned this issue Sep 26, 2019
Merged
dongsupark pushed a commit to flatcar/flatcar-linux-update-operator that referenced this issue Sep 26, 2019
upgrade Go to 1.13.1
71b025e 
To fix security issues in Go,
[CVE-2019-16276](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276),
we should upgrade Go to 1.13.1.

See also golang/go#34540
@dongsupark dongsupark mentioned this issue Sep 26, 2019
Merged
@bbrks bbrks mentioned this issue Sep 26, 2019
Merged
notnoop pushed a commit to hashicorp/nomad that referenced this issue Sep 26, 2019
Use golang to 1.12.10
053a100 
To get fix for golang/go#34540 .
@thaJeztah
Copy link
Contributor

Looks like this fix is not in master, only in the release branches, correct?

@notnoop notnoop mentioned this issue Sep 26, 2019
Merged
@desimone desimone mentioned this issue Sep 26, 2019
Merged
3 tasks
@FiloSottile
Copy link
Contributor Author

Looks like this fix is not in master, only in the release branches, correct?

At the moment, correct. I will land it in master today.

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/197503 mentions this issue: net/textproto: don't normalize headers with spaces before the colon

@thaJeztah
Copy link
Contributor

👍 I just noticed it, looking for the commit it was cherry-picked/backported from (which was missing)

@tao12345666333 tao12345666333 mentioned this issue Sep 27, 2019
Merged
@Leosirth Leosirth mentioned this issue Sep 27, 2019
Closed
This was referenced Sep 27, 2019
Merged
Merged
@kenliu kenliu mentioned this issue Sep 28, 2019
Closed
@warmchang warmchang mentioned this issue Sep 28, 2019
Closed
@thausler786
Copy link

Thanks for remediating this vulnerability so fast! We've got a couple of questions, mostly bookkeeping:

  1. When do you plan to publish the details of this vulnerability in MITRE?
  2. Do you have a CVSS score for this vulnerability?

@FiloSottile
Copy link
Contributor Author

Just notified MITRE of the publication. We never assign the CVSS on our side.

@andrewstucki andrewstucki mentioned this issue Sep 30, 2019
Closed
woodsts pushed a commit to woodsts/buildroot that referenced this issue Oct 2, 2019
@jacmet
package/go: security bump to version 1.12.10
bd574c4 
Fixes the following security vulnerabilities:

- CVE-2019-16276: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP
  Request Smuggling.
  golang/go#34540

>From the release notes:

go1.12.10 (released 2019/09/25) includes security fixes to the net/http and
net/textproto packages

Signed-off-by: Peter Korsgaard <[email protected]>
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Oct 2, 2019
@jacmet
package/go: security bump to version 1.12.10
5c44ff3 
Fixes the following security vulnerabilities:

- CVE-2019-16276: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP
  Request Smuggling.
  golang/go#34540

>From the release notes:

go1.12.10 (released 2019/09/25) includes security fixes to the net/http and
net/textproto packages

Signed-off-by: Peter Korsgaard <[email protected]>
(cherry picked from commit bd574c4)
Signed-off-by: Peter Korsgaard <[email protected]>
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Oct 2, 2019
@jacmet
package/go: add Debian backport of upstream security fix
442fefb 
Fixes the following security vulnerability:

- CVE-2019-16276: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP
  Request Smuggling.
  golang/go#34540

Upstream has not provided a go 1.11.x release with a fix for this, so
instead include the Debian backport of the upstream security fix from:

https://sources.debian.org/src/golang-1.11/1.11.6-1+deb10u2/debian/patches/0007-Fix-CVE-2019-16276.patch/

Signed-off-by: Peter Korsgaard <[email protected]>
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Oct 2, 2019
@jacmet
package/go: security bump to version 1.12.10
2610ab4 
Fixes the following security vulnerabilities:

- CVE-2019-16276: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP
  Request Smuggling.
  golang/go#34540

>From the release notes:

go1.12.10 (released 2019/09/25) includes security fixes to the net/http and
net/textproto packages

Signed-off-by: Peter Korsgaard <[email protected]>
(cherry picked from commit bd574c4)
Signed-off-by: Peter Korsgaard <[email protected]>
@yeya24 yeya24 mentioned this issue Oct 10, 2019
Closed
@sporkmonger
Copy link

One thing that's potentially worth noting, even after the fix, it's still difficult for handler code to identify the characteristics of a desync payload. There's enough information to reliably identify it's happening inside the textproto package, but not when you've got a *http.Request. This makes it challenging to write detection logic for this type of attack in Go without duplicating a substantial portion of Go's HTTP stack or using lower-level functions that complicate the use of middleware, etc. If you were trying to write, e.g. a web application firewall in Go, visibility on malicious traffic is pretty useful.

@tanjunchen tanjunchen mentioned this issue Oct 16, 2019
Closed
@requaos requaos mentioned this issue Oct 16, 2019
Merged
This was referenced Oct 21, 2019
Closed
Closed
Merged
@chr1sbest chr1sbest mentioned this issue Nov 4, 2019
Closed
@FiloSottile FiloSottile mentioned this issue May 5, 2020
Closed
Risca pushed a commit to Risca/CHIP-buildroot that referenced this issue Jun 14, 2020
@jacmet @Risca
package/go: security bump to version 1.12.10
9a74967 
Fixes the following security vulnerabilities:

- CVE-2019-16276: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP
  Request Smuggling.
  golang/go#34540

>From the release notes:

go1.12.10 (released 2019/09/25) includes security fixes to the net/http and
net/textproto packages

Signed-off-by: Peter Korsgaard <[email protected]>
@golang golang locked and limited conversation to collaborators Oct 11, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Go1.14
Development

No branches or pull requests
5 participants
@sporkmonger @FiloSottile @thausler786 @thaJeztah @gopherbot