Allele Security Alert
ASA-2019-00570
Identifier(s)
ASA-2019-00570, CVE-2019-16276
Title
Request Smuggling due to normalization of invalid headers
Vendor(s)
The Go Authors
Product(s)
Go
Affected version(s)
Go versions before 1.13.1
Go versions before 1.12.10
Fixed version(s)
Go version 1.13.1
Go version 1.12.10
Proof of concept
Unknown
Description
Go’s net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn’t normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same connection by the proxy.
Technical details
Unknown
Credits
Unknown
Reference(s)
net/http: invalid headers are normalized, allowing request smuggling #34540
https://github.com/golang/go/issues/34540
197503: net/textproto: don’t normalize headers with spaces before the colon
https://go-review.googlesource.com/c/go/+/197503/
Analysis of Two Newly Patched Kubernetes Vulnerabilities
https://blog.paloaltonetworks.com/2019/10/cloud-kubernetes-vulnerabilities/
[ANNOUNCE] Security Advisory for CVE-2019-16276
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/kubernetes-security-announce/PtsUCqFi4h4
HTTP Desync Attacks: Request Smuggling Reborn
https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn
CVE-2019-16276
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276
CVE-2019-16276
https://nvd.nist.gov/vuln/detail/CVE-2019-16276
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 17, 2019