Compliance Impact

This vulnerability allows an attacker to inject additional Set-Cookie headers via HTTP response splitting by exploiting unsanitized domain and path options in cookies. Such manipulation could enable overwriting session or authentication cookies or removing security flags like Secure or HttpOnly.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to manipulate cookies and potentially compromise session integrity or security flags could lead to unauthorized access or data exposure, which may impact compliance with data protection and privacy regulations.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is an Improper Neutralization of CRLF Sequences, also known as CRLF Injection, found in the benoitc hackney library. Specifically, the hackney_cookie:setcookie/3 function validates the Name and Value arguments to prevent CRLF and control characters, but it does not validate the domain and path options before concatenating them into the HTTP response. An attacker who can control either the domain or path—such as by manipulating the Host header or request path—can inject CRLF sequences and additional Set-Cookie headers into the HTTP response, leading to HTTP Response Splitting.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to perform HTTP Response Splitting by injecting CRLF sequences into HTTP responses. This can lead to security issues such as web cache poisoning, cross-site scripting (XSS), session fixation, or other attacks that rely on manipulating HTTP headers or responses.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves injection of CRLF sequences into HTTP response headers via the domain or path options in cookies. Detection involves monitoring HTTP responses for unexpected or multiple Set-Cookie headers that could indicate HTTP response splitting.

You can inspect HTTP traffic for suspicious Set-Cookie headers using network tools or commands such as:

• Using curl to view response headers: curl -I http://targetsite
• Using tcpdump to capture HTTP traffic: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
• Using grep or similar tools to search for multiple Set-Cookie headers or CRLF injection patterns in HTTP responses.

Additionally, reviewing application logs or source code to check if hackney versions from 0.9.0 up to but not including 4.0.1 are in use can help identify vulnerable systems.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the hackney library to version 4.0.1 or later, where the vulnerability has been fixed by validating the domain and path cookie options against forbidden characters.

If upgrading immediately is not possible, ensure that any user-controlled input used for cookie domain or path options is sanitized to prevent injection of CRLF or control characters.

Review and restrict the sources of domain and path values to trusted inputs only, avoiding forwarding untrusted headers such as Host or request paths directly into cookie options.

Monitor HTTP responses for suspicious Set-Cookie headers that could indicate exploitation attempts.

Useful 0 Not Useful 0