Cisco Bug: CSCus17474 - Using client-supplied DNS, PC's hosts file can avoid https proxy

Last Modified

Nov 12, 2016

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

  • 7.7.0-760
  • 8.0.6-119

Description (partial)

Symptom:
If the WSA uses client-supplied DNS for explicit connections, a modified hosts file on the PC can cause the WSA to identify the URL category from a false SNI sent by the client, because the WSA blindly connects to the server IP carried in the client packet and passes the connection through.

Conditions:
All of these must be present:
- client-supplied DNS
- explicit proxying
- SNI enabled
- users have access to their hosts files