Security Advisories

October 22, 2010 - ProxyAV Cross Site Request Forgery vulnerability

Security Advisories ID:    SA46
Version:    10.0
Status:    Published
Published date:    06/19/2010
Updated:    01/12/2012

Advisory Status

Final

Advisory Severity

High, CVSS v2 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE Number

There are no CVEs for the vulnerability.

Summary

A remote attacker can use URL links and/or malicious scripts to execute ProxyAV commands if the administrator has an active session in the ProxyAV management console.

Affected Products

All ProxyAV products prior to 3.2.6.1 are vulnerable.

Details

An attacker who lures a ProxyAV administrator into browsing a malicious website can use Cross Site Request Forgery (CSRF or XSRF) to submit commands to ProxyAV and gain control of the appliance. Commands the attacker can submit include changing the password, changing the policy, and restarting the appliance.

ProxyAV has implemented the following measures to provide better protection from CSRF attacks:

  • When changing the administrator password, the current password must be entered.
  • When disabling authentication, the current password must be entered.
  • All requests that modify or set configuration are submitted through POST.
  • The session timeout is enforced across all supported browsers (Internet Explorer version 6.0 and above and Firefox version 3.6 and above).
  • A logout option has been provided in the management console that will terminate the session.

Workarounds

Customers can limit the impact of this vulnerability in these ways:

  • Ensure the session timeout value is set to a value greater than 0 to enforce automatic session expiration. By default this value is set to 10 minutes.
  • Manage ProxyAV using a dedicated machine that does not connect to any other internal or external websites.
  • Use only supported browsers to access the management console.
  • When management tasks have been completed, log out of the session using the newly supplied logout option.
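The following is an added illustration, not ProxyAV code and not from the advisory, of the four protective measures listed under Details and the session-timeout and logout workarounds above: re-entry of the current password before a password change, POST-only configuration changes, an enforced session timeout, and an explicit logout. The `Appliance` class, its paths, and the constructed password and policy values are assumptions chosen for the example.

```python
"""Constructed model of the CSRF hardening measures described in the advisory.
Not ProxyAV code; paths, class names and sample values are assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The advisory's stated default session timeout is 10 minutes; a value of 0
# would disable expiration, which the workaround advises against.
SESSION_TIMEOUT_SECS = 10 * 60


@dataclass
class Appliance:
    admin_password: str = "initial-secret"   # constructed sample value
    policy: str = "scan-all"                 # constructed sample value
    # session id -> timestamp of last activity
    sessions: Dict[str, float] = field(default_factory=dict)

    def login(self, password: str, now: float) -> Optional[str]:
        """Start a management session; returns the session id or None."""
        if password != self.admin_password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = now
        return sid

    def _active_session(self, sid: Optional[str], now: float) -> bool:
        """Enforce the timeout: an expired session cannot carry a forged request."""
        last = self.sessions.get(sid) if sid else None
        if last is None:
            return False
        if SESSION_TIMEOUT_SECS > 0 and now - last > SESSION_TIMEOUT_SECS:
            del self.sessions[sid]
            return False
        self.sessions[sid] = now      # refresh on legitimate activity
        return True

    def handle(self, method: str, path: str, form: Dict[str, str],
               sid: Optional[str], now: float) -> Tuple[int, str]:
        """Dispatch one management-console request; returns (status, message)."""
        if not self._active_session(sid, now):
            return 401, "no active session"
        if path == "/logout":
            # Explicit logout terminates the session immediately.
            self.sessions.pop(sid, None)
            return 200, "logged out"
        # Every request that modifies configuration must be a POST, so a
        # forged link or image fetch (always a GET) cannot change state.
        if method != "POST":
            return 405, "configuration changes require POST"
        if path == "/password":
            # The current password must be supplied; a cross-site form that
            # rides on the administrator's cookie does not know it.
            if form.get("current") != self.admin_password:
                return 403, "current password required"
            self.admin_password = form["new"]
            return 200, "password changed"
        if path == "/policy":
            self.policy = form["policy"]
            return 200, "policy updated"
        return 404, "unknown command"
```

The password-change and policy handlers show the difference between the two measures: the password change is protected by a secret the forged request cannot supply, while the policy change relies only on the POST requirement, the timeout, and the administrator logging out, which is why the advisory recommends a dedicated management machine and a short timeout in addition to the product changes.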

Patches

ProxyAV 3.2 - a fix is available in 3.2.6.1 or later versions. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/4.

ProxyAV 3.1 and earlier - please upgrade to a later version.

Advisory History

2012-01-12 Minor edit that later versions contain the fix as well.

2012-01-11 Added URL for download.

2011-09-06 Marked status as final. No further fixes will be released.

2010-10-22 Initial public release.
