Ruan_Kotze
Advisor

Failed PCI ASV Scan - Redirection via Arbitrary Host Header Manipulation

Hi All,

I'm working with a Check Point customer in the Financial Sector to resolve their external ASV scan findings.

We've managed to resolve all findings but one - "Redirection via Arbitrary Host Header Manipulation". The ASV vendor cannot really provide any information apart from a link to mitre.org that gives some vague guidance about input validation. Even Google just comes up with a handful of links.

The gateways in question are running R80.40 T198 and handle C2S VPN access with Office Mode.

Any and all input and guidance appreciated :-)

Thanks,
Ruan

5 Replies
PhoneBoy
Admin

Without more details about the issue, it's difficult to comment.
Is there a CVE number for the issue?

You may also want to try enabling the HTTP Host Header Injection protection in IPS as well.
See: https://advisories.checkpoint.com/defense/advisories/public/2020/cpai-2020-0286.html/ 

Ruan_Kotze
Advisor

Hi Phoneboy,

Unfortunately the best this ASV vendor could do is the link I shared - not very helpful. I'm also wondering if it might not be a false positive - they're hitting port 80 and the gateway redirects to 443 - their crappy scanning software then interprets this as successful Host Header Manipulation.

Thanks for the lead on the IPS signature, will enable and see if it makes a difference.

P.S. Must also commend TAC for their willingness to assist - they've requested that I do a packet capture at the time of the scan so that they can see what's happening.

Axel_Winterberg
Participant

Hi Ruan,

I have the same issue on R81.10 with JHF T110.

The ASV vendor told us that by Host header manipulation it will be possible to be redirected to a different site.

You can check this by: curl -vL http://<Cluster IP>/ -H "Host: example.com"

They told us to deactivate the redirect. But this seems to be impossible (implied rules).

Or to check the Host header against a whitelist.

Didn't find out how to solve this issue. Both solutions cannot be configured on the firewall.

If anyone can provide a solution, I would be very grateful!

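The curl probe above and the "check the Host header against a whitelist" advice can both be exercised offline. The following is an added example (not code from this thread or from Check Point): it shows the redirect pattern an ASV scanner flags (Location copies the client's Host header) beside an allowlisted version, plus the check a scanner applies to decide whether the reflected host counts as a finding. The hostnames, the allowlist and the 301 responses are constructed stand-ins for what the real gateway would return.

```python
"""Host-header-reflecting redirect: the flagged pattern, the allowlisted fix,
and the scanner-side check. Constructed data only; nothing touches the network.
"""
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical names; the customer's real hostnames are not in the thread.
CANONICAL_HOST = "vpn.example-bank.test"
ALLOWED_HOSTS = {CANONICAL_HOST, "203.0.113.10"}  # 203.0.113.0/24 is TEST-NET-3


def naive_redirect(host_header: str, path: str = "/") -> str:
    """The pattern the ASV tool reports: an HTTP->HTTPS redirect that copies the
    client-supplied Host header straight into the Location header."""
    return f"https://{host_header}{path}"


def hardened_redirect(host_header: str, path: str = "/") -> str:
    """Allowlist check: only a known host may appear in Location. Anything else
    is replaced by the canonical name, so a client-chosen Host value can never
    steer the browser to a different site."""
    host = host_header.split(":", 1)[0].strip().lower()  # drop an optional :port
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    # Keep the requested path, but only if it stays on this origin
    # ("//other.host/x" would otherwise become a scheme-relative redirect).
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    return f"https://{host}{path}"


def location_header(raw_response: bytes) -> Optional[str]:
    """Extract the Location header value from a raw HTTP/1.x response."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"location":
            return value.strip().decode("latin-1")
    return None


def reflects_host(raw_response: bytes, probe_host: str) -> bool:
    """True when the redirect target's authority equals the injected Host value,
    i.e. the scanner's 'redirection via arbitrary Host header' condition holds.
    A plain 80->443 redirect to the gateway's own name returns False."""
    loc = location_header(raw_response)
    if loc is None:
        return False
    return urlsplit(loc).netloc.lower() == probe_host.lower()


def build_response(location: str) -> bytes:
    """Constructed 301 response, shaped like the one curl -v prints."""
    return (
        b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: " + location.encode("latin-1") + b"\r\n"
        b"Content-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    probe = "example.com"  # the Host value from the curl command in the thread
    print("naive redirect reflects Host:", reflects_host(build_response(naive_redirect(probe)), probe))
    print("allowlisted redirect reflects Host:", reflects_host(build_response(hardened_redirect(probe)), probe))
    print("Location after hardening:", location_header(build_response(hardened_redirect(probe))))
```

Feeding the raw output of the curl probe to reflects_host() with the same Host value you sent tells you which of the two cases the gateway is in: a Location that names the gateway's own address is the ordinary port 80 to 443 redirect (the false-positive reading above), while a Location that names example.com is what the finding describes.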
Chris_Atkinson
Employee

Perhaps not a direct solution but are you already leveraging the configurations outlined in sk180808, sk105740 to restrict access to portal URLs?

CCSM R77/R80/ELITE
PhoneBoy
Admin

You probably need to do something like: https://support.checkpoint.com/results/sk/sk165937 
