Cisco Bug: CSCus17474 - Using client-supplied DNS, PC's hosts file can avoid https proxy

Last Modified

Nov 12, 2016

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

  • 7.7.0-760
  • 8.0.6-119

Description (partial)

If the WSA uses the client-supplied DNS resolution for explicit connections, a modified hosts file on the PC can cause the URL category to be determined from a false SNI value sent by the client: the WSA blindly connects to the server IP carried in the client packet and passes the connection through, so the category decision is based on a hostname the client controls rather than the server actually reached.

All of these must be present:
- client supplied DNS
- explicit proxying
- SNI enabled
- users have access to their hosts files

Bug details contain sensitive information and therefore require an account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.