Security Advisories

August 16, 2010 - ProxySG privilege escalation

Security Advisories ID:    SA45
Version:    17.0
Status:    Published
Published date:    06/14/2010
Updated:    01/17/2012
 

Advisory Status

Final

Advisory Severity

High, CVSS v2 base score: 7.4 (AV:A/AC:M/Au:S/C:C/I:C/A:C)

CVE Number

No CVEs are associated with this vulnerability.

Summary

A read-only ProxySG administrator can gain full administrative control by sending CLI commands to the ProxySG over HTTPS.

Affected Products

All versions of ProxySG prior to 6.1 are vulnerable.

Details

A read-only administrator is limited to a small subset of commands that cannot change the ProxySG configuration.  That restriction is enforced for commands entered through the Management Console and the CLI, but not for commands submitted as an HTTPS URL.  A read-only administrator who sends commands that way bypasses the privilege check and can execute every administrative command, including those that change the configuration.
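The flaw is a classic one: authorization is checked in each user-facing front end instead of at the single point where commands are executed, so a front end that omits the check becomes a bypass. The following Python model illustrates that pattern and its fix. It is an added example, not ProxySG or Blue Coat code; the command names, the URL query format, and the class and function names are all hypothetical, chosen only to make the point runnable.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Hypothetical command set; the real appliance's commands are not on the page.
READ_ONLY_VERBS = frozenset({"show", "version"})
ALL_VERBS = READ_ONLY_VERBS | frozenset({"set", "restart"})


class PermissionDenied(Exception):
    """Raised when the caller's role does not allow the requested command."""


@dataclass(frozen=True)
class Admin:
    name: str
    read_only: bool


def role_allows(admin: Admin, verb: str) -> bool:
    """Authorization rule: read-only admins may run only READ_ONLY_VERBS."""
    if verb not in ALL_VERBS:
        return False
    return (not admin.read_only) or verb in READ_ONLY_VERBS


def parse_command_url(url: str) -> tuple[str, list[str]]:
    """Parse a hypothetical 'https://host/cmd?verb=set&arg=k&arg=v' into (verb, args)."""
    query = parse_qs(urlparse(url).query)
    return query.get("verb", [""])[0], query.get("arg", [])


class Executor:
    """Shared back end that actually runs commands and mutates the configuration."""

    def __init__(self) -> None:
        self.config = {"proxy_mode": "explicit"}

    def run(self, verb: str, args: list[str]):
        if verb == "show":
            return dict(self.config)
        if verb == "version":
            return "hypothetical-1.0"
        if verb == "set":
            key, value = args
            self.config[key] = value
            return "ok"
        if verb == "restart":
            return "restarting"
        raise ValueError(f"unknown command {verb!r}")


class VulnerableAppliance:
    """Each front end does its own role check; the HTTPS URL handler has none."""

    def __init__(self) -> None:
        self.exec = Executor()

    def cli(self, admin: Admin, verb: str, *args: str):
        if not role_allows(admin, verb):
            raise PermissionDenied(verb)
        return self.exec.run(verb, list(args))

    def management_console(self, admin: Admin, verb: str, *args: str):
        if not role_allows(admin, verb):
            raise PermissionDenied(verb)
        return self.exec.run(verb, list(args))

    def https_url(self, admin: Admin, url: str):
        verb, args = parse_command_url(url)
        return self.exec.run(verb, args)  # BUG: no role check on this entry path


class HardenedAppliance:
    """One choke point enforces the role check for every entry path."""

    def __init__(self) -> None:
        self.exec = Executor()

    def _dispatch(self, admin: Admin, verb: str, args: list[str]):
        if not role_allows(admin, verb):
            raise PermissionDenied(verb)
        return self.exec.run(verb, args)

    def cli(self, admin: Admin, verb: str, *args: str):
        return self._dispatch(admin, verb, list(args))

    def management_console(self, admin: Admin, verb: str, *args: str):
        return self._dispatch(admin, verb, list(args))

    def https_url(self, admin: Admin, url: str):
        verb, args = parse_command_url(url)
        return self._dispatch(admin, verb, args)


def demo() -> dict[str, str]:
    """Read-only admin tries a configuration change through the URL path of each design."""
    auditor = Admin("auditor", read_only=True)
    url = "https://proxy.example/cmd?verb=set&arg=proxy_mode&arg=transparent"  # constructed
    outcome = {}
    for label, cls in (("vulnerable", VulnerableAppliance), ("hardened", HardenedAppliance)):
        box = cls()
        try:
            box.https_url(auditor, url)
            outcome[label] = box.exec.config["proxy_mode"]
        except PermissionDenied:
            outcome[label] = "denied"
    return outcome


if __name__ == "__main__":
    print(demo())
```

In the vulnerable design the same read-only account that is refused `set` on the CLI succeeds through the URL handler and the configuration changes; in the hardened design every front end reaches the executor through `_dispatch`, so adding a new entry path cannot silently drop the check.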

Workarounds

Disabling all read-only administrator accounts will prevent this vulnerability from being exploited, since the attacker must first authenticate as a read-only administrator.

Patches

ProxySG 6.1 - a fix is available in SGOS 6.1.1.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/5351.

ProxySG 5.5 - a fix is available in SGOS 5.5.4.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/41.

ProxySG 5.4 - a fix is available in SGOS 5.4.5.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/17.

ProxySG 5.3 - please upgrade to a later version.

ProxySG 4.3 - a fix is available in SGOS 4.3.4.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/13.

ProxySG 4.2 - please upgrade to a later version.

For information on how to upgrade SGOS, please see KB3608.

References

The vulnerability was discovered by Jonathon Krier and Laurent Mathieu from Verizon Business Luxembourg and reported by Thierry Zoller from Verizon Business Luxembourg.

Advisory History

2012-01-17 Changed status to final.

2011-02-17 Updated the SGOS 5.5 fix from SGOS 5.5.3.1 to 5.5.4.1 to reflect issues that affect SGOS 5.5.3.1.  Updated the SGOS 4.3 fix to reflect that the issue is resolved in SGOS 4.3.4.1.  Also included a link to KB3608 on how to update SGOS.

2010-11-04 Notification of a fix in patch release 4.3.3.16.

2010-11-01 Notification of a patch release to address the defect in 5.5.3.1. 

2010-10-27 Notification of 5.4.5.1 patch release being promoted to a GA release.

2010-10-15 Notification of a fix in patch release 5.4.5.1.

2010-10-02 Added information about a defect in 5.5.3.1.

2010-09-29 Notification of a fix in 6.1.1.1. Update of pages affected by the defect in 5.5.3.1.

2010-09-01 Added a workaround.

2010-08-23 Amended the discovery of the vulnerability to properly credit Jonathon Krier and Laurent Mathieu.

2010-08-16 Initial public release.
