CVE-2023-50093
Description
APIIDA API Gateway Manager for Broadcom Layer7 v2023.2.2 is vulnerable to Host Header Injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-50093: Host Header Injection in APIIDA API Gateway Manager v2023.2.2 allows credential theft via login/forgot-password pages.
Vulnerability
The APIIDA API Gateway Manager for Broadcom Layer7 version 2023.2.2 is vulnerable to Host Header Injection. The login and forgot-password pages use the value of the Host header received from the client in the form action URL. This allows an attacker to inject an arbitrary domain into the header, which is then reflected in the page source. An attacker can intercept and modify the Host header of a request to the login page, causing any subsequent credentials entered by a legitimate user to be submitted to the attacker-controlled domain. The affected version is v2023.2.2; earlier or later versions may also be affected but were not tested [2].
Exploitation
The attacker must be in a position to intercept network traffic between the victim user and the APIIDA server (e.g., via a man-in-the-middle attack on an unsecured network, or by controlling a router or proxy). Using a proxy tool such as Burp Suite, the attacker intercepts the victim's initial request to the login page (commonly https://localhost/ or the configured hostname) [2]. The attacker then replaces the original Host header value with a domain under their control (e.g., a subdomain on Burp Collaborator or a personal server) [2]. The modified request is forwarded to the server, which responds with the login form containing the attacker's domain in the form action URL. If the victim, unaware of the manipulation, enters their credentials and submits the form, the credentials are sent to the attacker's external domain, allowing the attacker to capture them [2].
Impact
Successful exploitation allows an attacker to steal the credentials (username and password) of a legitimate user who logs in after the Host header has been tampered with [2]. This leads to unauthorized access to the APIIDA API Gateway Manager, potentially compromising the entire API management platform. The attacker gains the same level of access as the victim user, which could be administrative depending on the victim's privileges. The confidentiality of user credentials is compromised, and the attacker may be able to further escalate privileges or move laterally within the network.
Mitigation
As of the publication date of this CVE (January 3, 2024), no official fix or patch has been announced by APIIDA or Broadcom for version 2023.2.2 [1][2]. The vendor's website does not mention this vulnerability or a corrected version [1]. Users should consider implementing a web application firewall (WAF) rule to validate and normalize the Host header against a whitelist of allowed domains. Additionally, ensure all administrative access to the gateway manager is performed over secure, trusted networks (e.g., VPN) to reduce the risk of man-in-the-middle attacks. Monitor for any outbound connections to unexpected domains from the login system. If a patched version is released, it will be available from the official APIIDA download page [1].
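The mechanism described above (the form action built from the client-supplied Host header) and the allowlist check recommended here can be shown side by side. The following Python is an added, constructed example and is not APIIDA or Broadcom code: `ALLOWED_HOSTS`, `CANONICAL_ORIGIN` and the hostnames are assumed deployment values, and the vulnerable renderer only reproduces the pattern the description gives, not the product's actual template.

```python
"""
Host Header Injection pattern (CVE-2023-50093 style) beside a hardened handler.
Constructed illustration, not the APIIDA implementation. Assumed configuration:
the gateway manager is legitimately served under the hosts in ALLOWED_HOSTS.
"""
import html
import re
from urllib.parse import urlsplit

# Assumed deployment configuration (constructed values).
ALLOWED_HOSTS = {"gateway.example.internal", "gateway.example.internal:8443"}
CANONICAL_ORIGIN = "https://gateway.example.internal"

_ACTION_RE = re.compile(r'<form[^>]*\baction="([^"]*)"', re.IGNORECASE)


def render_login_vulnerable(headers: dict) -> str:
    """Vulnerable pattern: the form action is derived from the request's Host
    header, so whatever value the client sent lands in the page source."""
    host = headers.get("Host", "")
    return f'<form method="post" action="https://{html.escape(host)}/login">'


def host_is_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """Strict allowlist check of a raw Host header value.

    Parsing "//" + host as a URL netloc exposes userinfo, paths, queries and
    fragments smuggled into the header; all of those are rejected. The
    hostname is compared case-insensitively, with an optional explicit port.
    """
    if not host_header or len(host_header) > 255:
        return False
    try:
        parts = urlsplit("//" + host_header)
        # .port raises ValueError for a non-numeric or out-of-range port
        port = parts.port
    except ValueError:
        return False
    if parts.username is not None or parts.path or parts.query or parts.fragment:
        return False
    if not parts.hostname:
        return False
    candidate = parts.hostname.lower()
    if port is not None:
        candidate = f"{candidate}:{port}"
    return candidate in allowed


def handle_login_page(headers: dict) -> tuple:
    """Hardened pattern: reject requests whose Host is not allowlisted, and
    never use the header to build URLs; use the configured canonical origin.
    Returns (status_code, body)."""
    if not host_is_allowed(headers.get("Host", "")):
        return 400, "Bad Request: unrecognised Host header"
    return 200, f'<form method="post" action="{CANONICAL_ORIGIN}/login">'


def form_actions_offsite(body: str, allowed=ALLOWED_HOSTS) -> list:
    """Response-side regression check: list every form action in the body
    whose host is not allowlisted. Relative actions count as on-site."""
    offsite = []
    for action in _ACTION_RE.findall(body):
        parts = urlsplit(action)
        if parts.netloc and not host_is_allowed(parts.netloc, allowed):
            offsite.append(action)
    return offsite


if __name__ == "__main__":
    tampered = {"Host": "attacker.example"}  # constructed sample request
    print("vulnerable :", render_login_vulnerable(tampered))
    print("offsite    :", form_actions_offsite(render_login_vulnerable(tampered)))
    print("hardened   :", handle_login_page(tampered))
    print("hardened   :", handle_login_page({"Host": "gateway.example.internal"}))
```

`host_is_allowed` is the logic a WAF rule or application middleware would apply before any template is rendered; `form_actions_offsite` is a cheap check to run over login-page responses in a test suite or proxy log review, since a form action pointing at a host outside the allowlist is exactly the symptom this CVE produces.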
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- APIIDA/API Gateway Manager for Broadcom Layer7
- Range: = v2023.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.