Governance & Risk Management , IT Risk Management , Patch Management

SNI Vulnerability Affects Some Security Products

Exploitation Could Enable Attackers to Exfiltrate Data, Researchers Say
SNI Vulnerability Affects Some Security Products
The SNI vulnerability enables bypass of security protocol. (Image source: Mnemonics)

Researchers at Mnemonics Labs have found a vulnerability in the server name indication, or SNI, of the TLS Client Hello extension used to perform TLS inspection. Exploitation of this vulnerability could enable attackers to bypass the security protocol of many security products, leading to stealthy exfiltration of data, the researchers say.

See Also: OnDemand | Generative AI: Myths, Realities and Practical Use Cases

“This is a widespread issue that affects different types of security solutions from a variety of vendors. We successfully tested our technique against products from Cisco, F5 Networks, Palo Alto Networks and Fortinet. We speculate that many other vendors also are susceptible,” say Mnemonics Labs’ security researchers Morten Marstrander and Matteo Malvica in a blog.

The vulnerability has been registered as CVE-2021-34749 and has a CVSS score of 5.8.


Mitigations have been provided by F5 and Palo Alto, while Fortinet and Cisco are expected to release fixes soon, Mnemonics Lab reports.

Cisco stated in a security advisory that some of its products - including its Web Security Appliance and Firepower Threat Defense and certain versions of the Snort detection engine - are affected by the SNI vulnerability, and it's investigating whether other products are affected.

Cisco added that no workaround is yet available for the vulnerability, but its Product Security Incident Response Team has found no evidence of the flaw being exploited in the wild. The other vendors did not report on exploits.

F5 notes its F5 BIG-IP running TMOS 14.1.2, with SSL Orchestrator 5.5.8 is affected, and Palo Alto Networks says NGFW running PAN-OS 9.1.1 is affected. Fortinet’s NGFW running FortiOS 6.2.3 is also affected.

The SNIcat Exploit

Mnemonics security researchers Marstrander and Malvica developed the SNIcat exploit as a proof-of-concept early last year. The duo found the vulnerability while investigating how network security solutions handle the TLS’ SNI field for categorizing and blocking bad URLs/hostnames.

Modern network security solutions such as web proxies, next-generation firewalls and dedicated TLS interception and inspection solutions have a functionality called decryption mirroring. The security solutions provide a copy of the decrypted traffic to a mirror port, which is usually connected to an IDS that inspects the decrypted traffic.

“This is all well and good from a security monitoring perspective. However, we discovered that devices connected to the mirror port do not receive the TLS handshake at all, opening up a new way of performing stealthy exfiltration utilizing the TLS Client Hello,” the researchers say.

The proof-of-concept SNIcat tool illustrates how the SNI field can be abused by injecting arbitrary data into the legitimate extension and using it as a “smuggling container” without the traffic being copied to a decryption mirror port, say the Mnemonics researchers.

The SNIcat tool has two components: a passive agent that is dropped as a secondary payload on an already compromised system and a command-and-control server used to control the passive agent remotely over the open internet.

In a brief video, the researchers show how data exfiltration is done using the SNIcat tool.

'Clever Side Channel'

Craig Young, principal security researcher at Tripwire says of the vulnerability, “This is one of many clever side channels attackers can leverage to exfiltrate data in spite of security protection appliances. Although restrictions posed on permissible server names indicated via TLS handshake may reduce exposure to this, ultimately it can only limit the rate at which data escapes the protected network unless it is restricted to only pre-approved values. The same is true of DNS requests as well, which are also commonly used to obscure exfiltrated data.

“Restricting an organization to the point where no data can be exfiltrated also prevents any meaningful business from being conducted. It is necessary to rely on multiple layers of security with the focus of detecting intruders and recognizing abnormal behaviors.”

Mnemonic researchers say that they have “developed a very early-stage proof of concept of a “passiveSNI” detection tool similar to a Passive DNS application. This can be used to detect SNIcat vulnerability through endpoints. Check Point has separately published signatures for detecting and blocking SNIcat in both their EDR and NGFW solutions.

The Mnemonic researchers also suggest additional mitigation steps, including detection in the security perimeter rather than the endpoint periphery.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.