VYPR
Unrated severity · NVD Advisory · Published Mar 21, 2019 · Updated Aug 5, 2024

CVE-2018-4030

Description

An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The bug lies in the way the safe browsing function parses HTTP requests. The "Host" header is incorrectly extracted from captured HTTP requests, which would allow an attacker to visit any malicious websites and bypass the firewall. An attacker could send an HTTP request to exploit this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The CUJO Smart Firewall's safe browsing function misparses the Host header in HTTP requests, allowing attackers to bypass the firewall and visit malicious websites.

Vulnerability

The CUJO Smart Firewall firmware version 7003 contains a vulnerability in the safe browsing function (safebro component). The function incorrectly extracts the "Host" header from captured HTTP requests due to inconsistent interpretation of HTTP requests (CWE-444) [1]. As a result, a request can bypass the firewall's own filtering logic.

Exploitation

An attacker with network access can send a crafted HTTP request with a malformed Host header. No authentication is required. The request is processed by the safebro component, which misparses the header, causing the firewall to fail to block the malicious website.

Impact

Successful exploitation allows an attacker to visit any malicious website, bypassing the firewall's safe browsing protection. This compromises the integrity of the firewall's security function (CIA: integrity only, as per CVSS vector).

Mitigation

The vendor (CUJO) released a firmware update on April 23, 2019 to correct the vulnerability, as indicated by the Talos advisory [1]. Users should update to the latest firmware version. If no update is possible, the vulnerability may be mitigated by restricting network access to the firewall management interface.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The safe browsing function inspects individual TCP packets instead of reassembling the full HTTP request, so a request split across multiple packets evades the Host header extraction regex."

Attack vector

An attacker on the same network as the CUJO Smart Firewall sends an HTTP request to a malicious website, but crafts the request so that the HTTP message spans multiple TCP packets (e.g., by using an overlong path of 1500 zeroes) [1]. Because the firewall inspects individual packets rather than reassembling the full HTTP stream, no single packet contains both the HTTP method and the Host header in a form that matches the extraction regex `[A-Z]+ (%g+).*Host: (%g+)` [1]. Consequently, the Host header is never extracted, the `safebro.filter` lookup is never triggered, and the connection is allowed through, bypassing the safe browsing block [1]. No authentication or special privileges are required; the attacker only needs network access to send the crafted HTTP request [1].

Affected code

The vulnerability resides in the `nf_http` Lua function within `/usr/libexec/cujo/lua/nf_http.lua` [1]. The critical line is the regular expression `string.match(request, '[A-Z]+ (%g+).*Host: (%g+)')` at [3], which extracts the Host header from individual TCP packets rather than reassembled HTTP streams [1]. The `safebro.filter` function and the `threat.lookup` function in the kernel Lua environment are also involved in the filtering decision chain [1].

What the fix does

The advisory does not provide a patch or specific remediation code [1]. The root cause is that the `nf_http` function inspects individual TCP packets rather than reassembling the full HTTP request stream [1]. To close the vulnerability, the safe browsing function would need to buffer and reassemble TCP segments belonging to the same HTTP request before applying the Host header extraction regex, ensuring that the complete request line and headers are visible in a single inspection pass [1].

Preconditions

  • Network: Attacker must be on the same local network as the CUJO Smart Firewall, as the device acts as a gateway inspecting forwarded traffic
  • Network: The target HTTP server (malicious host) must be reachable over port 80
  • Auth: No authentication or prior access is required; the attacker only needs to send a crafted HTTP request

Reproduction

The following proof of concept is provided in the advisory [1]:

`$ curl 'http://${MALICIOUS_HOST}/'$(perl -e 'print "0"x1500')`

This generates an HTTP GET request with a 1500-character path, causing the request to be split across two TCP packets (assuming an MSS of 1460). The first packet contains only the GET line and part of the path; the second packet contains the remainder of the path, the Host header, and other headers. Neither packet alone matches the regex `[A-Z]+ (%g+).*Host: (%g+)`, so the Host header is never extracted and the connection bypasses filtering [1].
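The per-packet miss and the reassembly remedy described above, modelled as an added Python example (not code from the advisory or from CUJO). The Lua pattern is translated to a Python regex, `blocked.example`, `segment`, `per_packet_host` and `ReassemblingInspector` are hypothetical names, and cutting the stream at exactly 1460 bytes is a simplification of real TCP segmentation.

```python
import re

# Python rendering of the Lua pattern '[A-Z]+ (%g+).*Host: (%g+)'.
# Assumption: %g is taken as printable ASCII without space; Lua's '.'
# also matches newlines, hence DOTALL.
HOST_RE = re.compile(rb"[A-Z]+ ([\x21-\x7e]+).*Host: ([\x21-\x7e]+)", re.DOTALL)
MSS = 1460  # payload bytes per segment, as assumed in the text above

# Constructed sample: a GET with a 1500-zero path to a placeholder host.
REQUEST = (b"GET /" + b"0" * 1500 + b" HTTP/1.1\r\n"
           b"Host: blocked.example\r\nUser-Agent: curl\r\nAccept: */*\r\n\r\n")


def segment(stream, mss=MSS):
    """Split a byte stream into segment-sized payloads."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def per_packet_host(segments):
    """Flawed model: match the pattern against each payload in isolation."""
    for payload in segments:
        m = HOST_RE.search(payload)
        if m:
            return m.group(2).decode()
    return None


class ReassemblingInspector:
    """Hypothetical fix: buffer one flow until its header block is complete."""

    def __init__(self, max_header_bytes=16384):
        self.buf = bytearray()
        self.max_header_bytes = max_header_bytes

    def feed(self, payload):
        """Return ('pending', None), ('host', name) or ('block', None)."""
        self.buf += payload
        end = self.buf.find(b"\r\n\r\n")
        if end == -1:
            # Fail closed if headers never terminate within the budget.
            too_big = len(self.buf) > self.max_header_bytes
            return ("block" if too_big else "pending", None)
        m = HOST_RE.search(bytes(self.buf[:end]))
        return ("host", m.group(2).decode()) if m else ("block", None)


if __name__ == "__main__":
    parts = segment(REQUEST)
    print(len(parts), per_packet_host(parts))        # per-packet view
    insp = ReassemblingInspector()
    print([insp.feed(p) for p in parts])             # reassembled view
```

The extracted name is what a filter lookup would then be applied to; an inspector that returns `pending` must hold the flow rather than forward it, otherwise the gap reappears.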

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
