SNI Vulnerability Affects Some Security Products
Exploitation Could Enable Attackers to Exfiltrate Data, Researchers Say
Researchers at Mnemonic Labs have found a vulnerability in how security products that perform TLS inspection handle the server name indication, or SNI, extension of the TLS Client Hello. Exploitation of this vulnerability could enable attackers to bypass the protections of many security products, leading to stealthy exfiltration of data, the researchers say.
“This is a widespread issue that affects different types of security solutions from a variety of vendors. We successfully tested our technique against products from Cisco, F5 Networks, Palo Alto Networks and Fortinet. We speculate that many other vendors also are susceptible,” say Mnemonic Labs’ security researchers Morten Marstrander and Matteo Malvica in a blog.
The vulnerability has been registered as CVE-2021-34749 and has a CVSS score of 5.8.
Mitigations have been provided by F5 and Palo Alto Networks, while Fortinet and Cisco are expected to release fixes soon, Mnemonic Labs reports.
Cisco stated in a security advisory that some of its products - including its Web Security Appliance and Firepower Threat Defense and certain versions of the Snort detection engine - are affected by the SNI vulnerability, and it's investigating whether other products are affected.
Cisco added that no workaround is yet available for the vulnerability, but its Product Security Incident Response Team has found no evidence of the flaw being exploited in the wild. The other vendors did not report any exploitation.
F5 notes that BIG-IP running TMOS 14.1.2 with SSL Orchestrator 5.5.8 is affected, and Palo Alto Networks says its NGFW running PAN-OS 9.1.1 is affected. Fortinet’s NGFW running FortiOS 6.2.3 is also affected.
The SNIcat Exploit
Mnemonic security researchers Marstrander and Malvica developed the SNIcat exploit as a proof-of-concept early last year. The duo found the vulnerability while investigating how network security solutions handle the TLS SNI field when categorizing and blocking bad URLs and hostnames.
Modern network security solutions such as web proxies, next-generation firewalls and dedicated TLS interception and inspection solutions offer a feature called decryption mirroring. The security solution sends a copy of the decrypted traffic to a mirror port, which is usually connected to an IDS that inspects the decrypted traffic.
“This is all well and good from a security monitoring perspective. However, we discovered that devices connected to the mirror port do not receive the TLS handshake at all, opening up a new way of performing stealthy exfiltration utilizing the TLS Client Hello,” the researchers say.
The proof-of-concept SNIcat tool illustrates how the SNI field can be abused by injecting arbitrary data into the otherwise legitimate extension and using it as a “smuggling container,” with none of that traffic being copied to the decryption mirror port, say the Mnemonic researchers.
The SNIcat tool has two components: a passive agent that is dropped as a secondary payload on an already compromised system and a command-and-control server used to control the passive agent remotely over the open internet.
In a brief video, the researchers show how data exfiltration is done using the SNIcat tool.
'Clever Side Channel'
Craig Young, principal security researcher at Tripwire says of the vulnerability, “This is one of many clever side channels attackers can leverage to exfiltrate data in spite of security protection appliances. Although restrictions posed on permissible server names indicated via TLS handshake may reduce exposure to this, ultimately it can only limit the rate at which data escapes the protected network unless it is restricted to only pre-approved values. The same is true of DNS requests as well, which are also commonly used to obscure exfiltrated data.
“Restricting an organization to the point where no data can be exfiltrated also prevents any meaningful business from being conducted. It is necessary to rely on multiple layers of security with the focus of detecting intruders and recognizing abnormal behaviors.”
Mnemonic researchers say that they have “developed a very early-stage proof of concept of a ‘passiveSNI’ detection tool similar to a Passive DNS application.” This can be used to detect SNIcat activity on endpoints. Check Point has separately published signatures for detecting and blocking SNIcat in both its EDR and NGFW solutions.
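The detection idea behind a passive SNI tool follows directly from the mechanism described above: because the mirror port never sees the TLS handshake, the SNI value has to be collected from the raw Client Hello on the wire (or at the endpoint) and then judged on its own merits. The following is an added example, not code from Mnemonic or from any vendor named here. It parses the SNI extension out of a TLS Client Hello record and applies simple heuristics (non-hostname characters, oversized labels, a long high-entropy label, an unusually long name) that would flag a hostname being used as a container for arbitrary data. The thresholds, the `build_client_hello` test-fixture builder and the sample hostnames are all constructed for this example and are assumptions, not values from the research.

```python
import math
import re
import struct

SNI_EXT_TYPE = 0        # TLS extension type for server_name (RFC 6066)
MAX_LABEL = 63          # DNS label length limit (RFC 1035)
HOSTNAME_RE = re.compile(r'^[A-Za-z0-9.-]+$')
# Heuristic thresholds: assumptions chosen for this example, tune per environment.
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 3.5
MAX_TOTAL_LEN = 100


def parse_client_hello_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:        # not a handshake record
        return None
    rec_len = struct.unpack('!H', record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], 'big')]
    pos = 2 + 32                                    # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack('!H', body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # compression_methods
    if len(body) < pos + 2:
        return None                                 # no extensions present
    end = pos + 2 + struct.unpack('!H', body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack('!HH', body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT_TYPE:
            # server_name_list: list_len(2) name_type(1) name_len(2) name
            if len(edata) < 5 or edata[2] != 0:     # only host_name type is defined
                return None
            name_len = struct.unpack('!H', edata[3:5])[0]
            return edata[5:5 + name_len].decode('ascii', errors='replace')
    return None


def shannon_entropy(s: str) -> float:
    """Bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def score_sni(sni):
    """Return a list of reasons the SNI looks like a data container (empty if clean)."""
    reasons = []
    if sni is None:
        return reasons
    if not HOSTNAME_RE.match(sni):
        reasons.append('non-hostname characters')
    labels = sni.split('.')
    if any(len(l) == 0 or len(l) > MAX_LABEL for l in labels):
        reasons.append('label length out of range')
    longest = max(labels, key=len)
    if len(longest) >= ENTROPY_MIN_LEN and shannon_entropy(longest) > ENTROPY_THRESHOLD:
        reasons.append('high-entropy label')
    if len(sni) > MAX_TOTAL_LEN:
        reasons.append('unusually long name')
    return reasons


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying one SNI extension (test fixture only)."""
    name = sni.encode('ascii')
    sni_ext = struct.pack('!HBH', len(name) + 3, 0, len(name)) + name
    ext = struct.pack('!HH', SNI_EXT_TYPE, len(sni_ext)) + sni_ext
    body = (b'\x03\x03' + b'\x00' * 32          # version, zeroed random
            + b'\x00'                            # empty session_id
            + struct.pack('!H', 2) + b'\xc0\x2f' # one cipher suite
            + b'\x01\x00'                        # null compression
            + struct.pack('!H', len(ext)) + ext)
    hs = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs


# Constructed sample records: a normal hostname and one carrying an encoded blob.
SAMPLE_RECORDS = [
    build_client_hello('www.example.com'),
    build_client_hello('a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.example.com'),
]


def analyze_records(records):
    """Map each record's SNI to its list of detection reasons."""
    return {parse_client_hello_sni(r): score_sni(parse_client_hello_sni(r)) for r in records}


if __name__ == '__main__':
    for sni, reasons in analyze_records(SAMPLE_RECORDS).items():
        print(sni, '->', reasons or 'ok')
```

Run stand-alone it reports the second sample as a high-entropy label and the first as clean. A real deployment would feed it Client Hello records captured before the inspection device (or from the endpoint, as the passiveSNI idea suggests) and would need an allowlist, since legitimate CDN and cloud hostnames also contain long random-looking labels; as Young notes above, these heuristics limit the rate of abuse rather than eliminate it.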
The Mnemonic researchers also suggest additional mitigation steps, including placing detection at the security perimeter rather than only at the endpoint periphery.