CVE-2026-46579
Status: Analyzed - Analysis Complete
OpenShift Router X-SSL-Client Header Injection Vulnerability

Publication date: 2026-05-29

Last updated on: 2026-06-08

Assigner: Red Hat, Inc.

Description
A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.
Meta Information
Published: 2026-05-29
Last Modified: 2026-06-08
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
redhat | openshift_container_platform | 4.0
redhat | openshift_router | *
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

This vulnerability exists in the OpenShift Router's HTTP frontend when a Route has the insecureEdgeTerminationPolicy set to Allow. Normally, the router removes X-SSL-Client-* headers from incoming HTTP requests to prevent spoofing. However, due to this flaw, these headers are not removed, allowing an attacker to send crafted X-SSL-Client-* headers in plain HTTP requests.

As a result, backends that rely on these headers for mutual TLS authentication can be tricked into accepting forged client certificate identities, enabling an unauthenticated attacker to impersonate legitimate clients.

Impact Analysis

This vulnerability can have serious security impacts by allowing an attacker to bypass mutual TLS authentication mechanisms.

  • An attacker can impersonate any client certificate identity by sending forged X-SSL-Client-* headers.
  • Unauthorized access to backend systems can be gained without proper authentication.
  • This can lead to data breaches, unauthorized actions, and compromise of sensitive systems relying on client certificate authentication.
Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the OpenShift Router for the presence of X-SSL-Client-* headers, which should normally only be set by HTTPS frontends after a TLS handshake.

You can use network traffic inspection tools or commands to check for incoming HTTP requests containing headers like X-SSL-Client-DN, X-SSL-Client-DER, X-SSL-Client-NotAfter, X-SSL-Client-NotBefore, X-SSL-Client-SHA1, and X-SSL-Client-Subject.

  • Use tcpdump or tshark to capture HTTP traffic and filter for X-SSL-Client-* headers.
  • Example tcpdump command: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'X-SSL-Client-'
  • Use curl or similar HTTP clients to test sending crafted HTTP requests with X-SSL-Client-* headers to your OpenShift Router and observe if they are forwarded to the backend.
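The detection approach above, as an added example that is not part of the CVE record: it parses raw plaintext HTTP requests (the constructed samples are embedded) and reports every `X-SSL-Client-*` header that arrived from the client rather than from the router's HTTPS frontend. Header matching is by prefix, so it covers the six names listed above and any other `X-SSL-Client-*` variant.

```python
"""Flag X-SSL-Client-* headers that arrive on plaintext (port 80) requests.

Added example, not part of the CVE record; the request samples are constructed.
"""
from typing import Dict, List, Tuple

# On the HTTPS frontend these headers are derived from the client certificate
# after the TLS handshake.  On a plain HTTP request there was no handshake, so
# any header with this prefix was supplied by the client itself.
CLIENT_CERT_HEADER_PREFIX = "x-ssl-client-"


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into (request line, [(name, value), ...]).

    Names are lower-cased; duplicates are kept so a repeated header cannot
    disappear behind a dict overwrite.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def spoofed_client_cert_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return the X-SSL-Client-* headers found in a plaintext request."""
    _, headers = parse_request(raw)
    return [(n, v) for n, v in headers if n.startswith(CLIENT_CERT_HEADER_PREFIX)]


def scan_plaintext_requests(requests: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map a capture label to the offending header names it carried.

    Only labels with at least one X-SSL-Client-* header are returned, so the
    result doubles as the alert list.
    """
    alerts: Dict[str, List[str]] = {}
    for label, raw in requests.items():
        names = [n for n, _ in spoofed_client_cert_headers(raw)]
        if names:
            alerts[label] = names
    return alerts


# Constructed samples: one ordinary request, one carrying forged identity headers.
SAMPLE_REQUESTS = {
    "benign": (
        b"GET /api/status HTTP/1.1\r\n"
        b"Host: app.example.test\r\n"
        b"User-Agent: curl/8.0\r\n\r\n"
    ),
    "forged": (
        b"GET /admin HTTP/1.1\r\n"
        b"Host: app.example.test\r\n"
        b"X-SSL-Client-DN: CN=admin,O=Example\r\n"
        b"x-ssl-client-sha1: 0000000000000000000000000000000000000000\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for label, names in scan_plaintext_requests(SAMPLE_REQUESTS).items():
        print(f"ALERT {label}: client-supplied {', '.join(names)}")
```

Run it against requests pulled from a plaintext capture of the router's port 80 listener; a non-empty result on a Route with `insecureEdgeTerminationPolicy: Allow` means the forged identity would have reached the backend.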
Mitigation Strategies

To mitigate this vulnerability, avoid setting insecureEdgeTerminationPolicy to Allow on Routes served by the OpenShift Router.

Ensure that the HTTP frontend strips or blocks incoming X-SSL-Client-* headers to prevent attackers from injecting forged headers.

Consider configuring Routes to use secure termination policies that enforce TLS and proper header handling.

Apply any patches or updates provided by Red Hat or your OpenShift vendor that address this vulnerability.
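One way to act on the first two mitigation points, as an added example that is not part of the CVE record or Red Hat's own tooling: audit the Route objects returned by `oc get routes -A -o json` for `spec.tls.insecureEdgeTerminationPolicy: Allow` and emit the merge patch that switches the offending Route to `Redirect`. The route list below is constructed; the field names are the standard OpenShift Route API fields.

```python
"""Audit OpenShift Routes for insecureEdgeTerminationPolicy: Allow.

Added example, not part of the CVE record.  Feed it the JSON printed by
`oc get routes -A -o json`; SAMPLE_ROUTES below is constructed.
"""
import json
from typing import Any, Dict, List


def routes_allowing_plain_http(route_list: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return every Route whose TLS config still accepts plaintext requests.

    Only `insecureEdgeTerminationPolicy: Allow` is reported, because that is
    the setting under which the router forwards client-supplied
    X-SSL-Client-* headers to the backend.
    """
    findings: List[Dict[str, str]] = []
    for route in route_list.get("items", []):
        tls = route.get("spec", {}).get("tls") or {}
        if tls.get("insecureEdgeTerminationPolicy") == "Allow":
            meta = route["metadata"]
            findings.append({
                "namespace": meta["namespace"],
                "name": meta["name"],
                "termination": tls.get("termination", ""),
            })
    return findings


def redirect_patch() -> str:
    """JSON merge patch that moves a Route from Allow to Redirect.

    Apply with:
      oc patch route NAME -n NAMESPACE --type=merge -p '<this JSON>'
    Redirect keeps the port 80 listener but answers plaintext requests with a
    redirect to HTTPS, so no plaintext request (and no forged header) reaches
    the backend.  Use None instead if plaintext should be refused outright.
    """
    return json.dumps({"spec": {"tls": {"insecureEdgeTerminationPolicy": "Redirect"}}})


# Constructed sample, not real cluster output.
SAMPLE_ROUTES = {
    "items": [
        {"metadata": {"namespace": "payments", "name": "api"},
         "spec": {"tls": {"termination": "edge",
                          "insecureEdgeTerminationPolicy": "Allow"}}},
        {"metadata": {"namespace": "web", "name": "portal"},
         "spec": {"tls": {"termination": "reencrypt",
                          "insecureEdgeTerminationPolicy": "Redirect"}}},
        {"metadata": {"namespace": "legacy", "name": "intranet"},
         "spec": {}},  # no TLS block at all
    ]
}

if __name__ == "__main__":
    for f in routes_allowing_plain_http(SAMPLE_ROUTES):
        print(f"{f['namespace']}/{f['name']} ({f['termination']}): "
              f"oc patch route {f['name']} -n {f['namespace']} "
              f"--type=merge -p '{redirect_patch()}'")
```

Changing the policy alters behaviour for any client that genuinely uses plain HTTP on that Route, so review each finding before patching; the audit is also a useful regression check after applying the vendor fix, since a Route someone later flips back to Allow reintroduces the exposure on an unpatched router.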

Compliance Impact

This vulnerability allows an attacker to bypass mutual TLS authentication by impersonating client certificate identities, leading to unauthorized access to backend systems.

Such unauthorized access can result in exposure or compromise of sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strong authentication and protection of personal and health information.

Therefore, the flaw can negatively impact compliance by undermining the security controls designed to protect sensitive data and ensure authenticated access.
