Internal IP Header Disclosure on Virtual Services

 

Information

 

Summary:

Preventing an internal Virtual Service IP address from being disclosed in HTTP headers, as reported by a vulnerability scan.

Environment:

Product: VLM-3000

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

A security scanner is reporting a vulnerability on several servers, internal IP header disclosure. We tried the solutions mentioned on your site for the Basic Authentication header and Real Server Redirects, but the vulnerability still exists.

Steps to Reproduce: Run a vulnerability scan against the Virtual Service; the scan reports that the internal IP address is exposed.
Error Message: "Web Server HTTP Header Internal IP Disclosure Synopsis This web server leaks a private IP address through its HTTP headers"
Defect Number:  
Enhancement Number:  
Cause: Empty host headers in request
Resolution:

For this scenario, we typically recommend creating two SubVSs on the HTTP redirect VS and using content rules to prevent the internal IP disclosure, as follows:

To prevent the disclosure, the request is simply failed when there is nothing in the Host header.

1. Create a Content Matching rule with a Header Field of 'Host' and a Match String of /.*/

2. Apply this rule to the first SubVS and the default rule to the second SubVS.

3. On the first SubVS (with the matching rule), add the 302 redirect as https://%h%s. On the second SubVS (with the default rule), change the 302 to a 403, so that requests made with an empty Host header are blocked.

After this, internal IP addresses should no longer be disclosed.
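To make the two-SubVS behaviour concrete, here is an added Python model of the redirect VS before and after steps 1 to 3. It is not LoadMaster code or Kemp's own logic: the VS address 10.0.0.5, the host name www.example.com and the request paths are constructed, the fallback of %h to the VS address when the Host header is empty is an assumption modelling the cause the article names, and the assumption that a content-matching rule on a header field cannot match when that header is missing or empty is what sends such requests to the default rule. The last function reproduces the check a scanner performs, looking for private IPv4 literals in response headers.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Added example, not LoadMaster code. Addresses and host names are constructed.
VS_ADDRESS = "10.0.0.5"          # constructed internal VS address (RFC 1918)
HOST_MATCH = re.compile(r".*")   # Match String from step 1, checked against the Host header

Response = Tuple[int, Dict[str, str]]


def redirect_target(host: str, uri: str) -> str:
    """Expand the article's redirect template https://%h%s (%h = Host header, %s = request URI)."""
    return f"https://{host}{uri}"


def before_fix(headers: Dict[str, str], uri: str) -> Response:
    """Single redirect VS: 302 to https://%h%s with no Host check.

    Assumption (the cause the article names): with an empty Host header the
    load balancer falls back to its own address when filling in %h, which is
    how the internal address ends up in the Location header.
    """
    host = headers.get("Host", "").strip() or VS_ADDRESS
    return 302, {"Location": redirect_target(host, uri)}


def after_fix(headers: Dict[str, str], uri: str) -> Response:
    """Redirect VS split into two SubVSs as in steps 1 to 3.

    Assumption: a content-matching rule on the Host field only matches when
    that header is present and non-empty (the `host and` guard below);
    everything else falls through to the default rule on the second SubVS.
    """
    host = headers.get("Host", "").strip()
    if host and HOST_MATCH.fullmatch(host):
        return 302, {"Location": redirect_target(host, uri)}   # SubVS 1: 302 https://%h%s
    return 403, {}                                             # SubVS 2: default rule, 403, no Location


IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def private_ips_in_headers(headers: Dict[str, str]) -> List[str]:
    """What the scanner flags: private, loopback or link-local IPv4 literals in response headers."""
    found: List[str] = []
    for value in headers.values():
        for match in IPV4.finditer(value):
            try:
                ip = ipaddress.IPv4Address(match.group())
            except ipaddress.AddressValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            if ip.is_private:
                found.append(str(ip))
    return found


if __name__ == "__main__":
    for name, handler in (("before", before_fix), ("after", after_fix)):
        for request in ({}, {"Host": ""}, {"Host": "www.example.com"}):
            status, hdrs = handler(request, "/login")
            print(f"{name:6} Host={request.get('Host')!r:20} -> {status} {hdrs} leaks={private_ips_in_headers(hdrs)}")
```

Running it shows that only the before case with a missing or empty Host header produces a Location header containing 10.0.0.5; the split configuration answers those requests with a bare 403, while requests carrying a real Host header are redirected identically in both cases.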

 

Alternatively, Replace Header content rules can be used.

The first step is to determine which header is showing the IP address. Common headers that may disclose it are Location and WWW-Authenticate. The header can be identified with the Developer Tools of a modern web browser (F12 on Windows, Ctrl + Shift + J on Mac products) while browsing to the site that discloses the IP.

Once the header has been determined, navigate in the LoadMaster web UI to Rules & Checking > Content Rules > Create New and change the Rule Type to Replace Header. Name the rule and set the match string to:

/(.*)(\d+\.\d+\.\d+\.\d+)(.*)/

Set the Value of the header to be replaced to:

\1www.domain.com\3

Click Create Rule. Once created, navigate to Virtual Services > View/Modify Services > modify the VS that www.domain.com resolves to > if necessary, modify the desired SubVS > Advanced Properties > HTTP Header Modifications > apply the newly created rule as a Response Rule.

Note that on a port 443 VS the HTTP Header Modifications field is not shown until SSL has been enabled and a certificate has been applied, because the traffic must be decrypted before HTTP headers can be inspected.
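Before putting the Replace Header rule on a production VS, it is worth seeing what the match string and value actually do to a few header values. The following is an added Python model, not LoadMaster code: it applies the article's pattern and replacement with re.sub, which (as an assumption about the LoadMaster engine) mirrors PCRE-style backtracking and keeps any text outside the match. The header values are constructed, and the second pattern, BOUNDARY_MATCH, is my suggestion rather than the article's: it replaces the greedy leading (.*) with a single non-digit boundary character so that the whole dotted quad lands in group 2 and only the first address in the value is rewritten.

```python
import re

# Added example, not LoadMaster code.
ARTICLE_MATCH = re.compile(r"(.*)(\d+\.\d+\.\d+\.\d+)(.*)")   # match string from the article
REPLACEMENT = r"\1www.domain.com\3"                            # value from the article

# Alternative (my suggestion, not from the article): group 1 is the start of the
# value or one character that is neither a digit nor a dot, instead of a greedy
# ".*", so the backtracking engine cannot leave leading digits of the address in
# group 1, and the leftmost dotted quad is the one replaced.  Assumes the
# LoadMaster rule engine accepts this PCRE-style syntax.
BOUNDARY_MATCH = re.compile(r"(^|[^\d.])(\d+\.\d+\.\d+\.\d+)(.*)")


def apply_rule(pattern: re.Pattern, value: str) -> str:
    """Rewrite one response header value as a Replace Header rule would.

    Modelled with re.sub: the matched text is replaced by the Value with
    \\1..\\3 expanded, and anything outside the match is kept unchanged.
    """
    return pattern.sub(REPLACEMENT, value, count=1)


# Constructed header values as a scanner might see them on a redirect VS.
SAMPLES = [
    "http://10.0.0.5/login",            # Location carrying the internal VS address
    "http://10.0.0.5/files/1.2.3.4/",   # Location whose path also contains a dotted quad
    'Basic realm="10.0.0.5"',           # WWW-Authenticate realm naming the address
    "https://www.domain.com/login",     # already clean, must be left alone
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value))
        print("  article :", repr(apply_rule(ARTICLE_MATCH, value)))
        print("  boundary:", repr(apply_rule(BOUNDARY_MATCH, value)))
```

The output illustrates two properties of the article's pattern in a backtracking engine. Because the leading (.*) is greedy, it gives up characters from the right only as far as needed, so on http://10.0.0.5/login it keeps "http://1" and the address group matches "0.0.0.5", yielding http://1www.domain.com/login; and when the path also holds a dotted quad such as a version number, the last one is rewritten rather than the address. The boundary variant produces http://www.domain.com/login and leaves the path alone, and it also handles the realm value. Whichever pattern is used, check the rewritten header in Developer Tools after applying the rule, since the LoadMaster's regex dialect may differ from this model.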

Workaround:  
Notes:

https://support.kemptechnologies.com/hc/en-us/articles/203522429-How-to-Mitigate-Against-Internal-IP-Address-Domain-Name-Disclosure-In-Real-Server-Redirects 

