topic Re: Failed PCI ASV Scan - Redirection via Arbitrary Host Header Manipulation in General Topics

Failed PCI ASV Scan - Redirection via Arbitrary Host Header Manipulation

Ruan_Kotze — Tue, 17 Oct 2023 17:14:00 GMT

Hi All,

I'm working with an Check Point customer in the Financial Sector to resolve their external ASV scan findings.

We've managed to resolve all findings but one - "Redirection via Arbitrary Host Header Manipulation". The ASV vendor cannot really provide any information apart from a link to mitre.org that gives some vague guidance about input validation. Even google just comes up with a handful of links.

The gateways in question are running R80.40 T198 and handles C2S VPN access with Office mode.

Any and all input and guidance appreciated:-)

Thanks,
Ruan

Re: Failed PCI ASV Scan - Redirection via Arbitrary Host Header Manipulation

PhoneBoy — Tue, 17 Oct 2023 14:42:55 GMT

Without more details about the issue, it's difficult to comment.
Is there a CVE number for the issue?

You may also want to try enabling the HTTP Host Header Injection protection in IPS as well.
See: https://advisories.checkpoint.com/defense/advisories/public/2020/cpai-2020-0286.html/

Re: Failed PCI ASV Scan - Redirection via Arbitrary Host Header Manipulation

Ruan_Kotze — Tue, 17 Oct 2023 16:51:46 GMT

Hi Phoneboy,

Unfortunately the best this ASV vendor could is the link I shared - not very helpful. I'm also wondering if it might not be a false positive - they're hitting port 80 and the gateway redirects to 443 - their crappy scanning software then interprets this as successful Host Header Manipulation.

Thanks for the lead on the IPS signature, will enable and see if it makes a difference.

P.S. Must also commend TAC for their willingness to assist - they've requested that I do a packet capture at the time of the scan so that they can see what's happening.

Re: Failed PCI ASV Scan - Redirection via Arbitrary Host Header Manipulation

Axel_Winterberg — Wed, 06 Dec 2023 09:46:30 GMT

Hi Ruan,

I have the same issue on R81.10 with JHF T110.

The ASV vendor told us, that by Hostheader manipulation it will be possible to be redirected to a different Site.

You can check this by: curl -VL http://<Cluster IP>/ -H "Host: example.com".

They told us to deactivate the Redirect. But this seems to be impossible. (implied Rules)

Or to check the Hostheader against a Whitelist.

Didn`t find out how to solve this issue. Both solutions can not be configured on the Firewall.

If anyone can provide a solution, I would be very grateful!

Re: Failed PCI ASV Scan - Redirection via Arbitrary Host Header Manipulation

Chris_Atkinson — Wed, 06 Dec 2023 10:42:52 GMT

Perhaps not a direct solution but are you already leveraging the configurations outlined in sk180808, sk105740 to restrict access to portal URLs?

Re: Failed PCI ASV Scan - Redirection via Arbitrary Host Header Manipulation

PhoneBoy — Wed, 06 Dec 2023 14:24:45 GMT

You probably need to do something like: https://support.checkpoint.com/results/sk/sk165937