Security Advisories

April 27, 2011 - Stack overflow in BCAAA

Security Advisories ID:    SA55
Version:    11.0
Status:    Published
Published date:    04/04/2011
Updated:    08/28/2013
 

Advisory Status

Final

Advisory Severity

High, CVSS v2 base score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)

CVE Number

No CVEs are associated with this vulnerability.

Summary

BCAAA is vulnerable to a stack overflow attack.  An attacker could exploit this vulnerability to inject malicious code that can be run remotely and used to gain complete control of the Windows Server.  BCAAA is used by ProxySG and ProxyOne.

Affected Products

The following products are vulnerable:

ProxySG

All versions of BCAAA associated with ProxySG releases 4.2.3, 4.3, 5.2, 5.3, 5.4, 5.5, and 6.1 available prior to April 21, 2011 or with a build number less than 60258 are vulnerable.  The BCAAA version number cannot be used to determine if the BCAAA service has been fixed. 

ProxyOne

All versions of BCAAA associated with ProxyOne are vulnerable. 

Details

The synchronization feature of BCAAA was introduced in ProxySG versions 4.2 and 5.2.  A BCAAA build associated with prior releases is not vulnerable. 

ProxySG and ProxyOne require BCAAA to be deployed on a separate Windows Server machine.  The best indication of whether the installed BCAAA is vulnerable is by examining the build number.  The build number of BCAAA can be determined by looking at the properties of the BCAAA executable file.  The file version property displays a four digit version number followed by the build number.  Any build number prior to 60258 is vulnerable.

Port 16102 is only used to synchronize single sign-on information between BCAAA instances.  When a vulnerable build of BCAAA is installed, the port may be configured to be open even if synchronization is not enabled.  Large packets sent to this port will result in a stack overflow.  In most cases, the process that belongs to the BCAAA service will crash.  Specially crafted packets could result in the BCAAA service executing code provided in the packet. 

The BCAAA service must be installed such that it has the ‘Log on as a service’ right. In certain configurations, the BCAAA service must also have the ‘Act as part of the operating system’ right. This makes the BCAAA service a highly privileged user.  An attacker could use these rights to gain control of the Windows Server on which the BCAAA service is installed or to access the AD Domain of which the BCAAA service is a member.

Early support for the synchronization feature did not automatically enable port 16102 when BCAAA was installed.  In order to enable the port, the administrator had to change the BCAAA configuration file (sso.ini) to indicate that BCAAA should perform a Domain Controller Query (DCQ) for Windows SSO.  The builds of BCAAA associated with the following ProxySG versions must have both EnableSyncServer=1 and DCQEnabled=1 uncommented in the configuration file to enable port 16102:

ProxySG 4.2:  4.2.3.2 and later

ProxySG 4.3:  all releases

ProxySG 5.2:  all releases

ProxySG 5.3:  5.3.3.1 and 5.3.2.17 and earlier

ProxySG 5.4:  5.4.1.11 and earlier

Later builds that support data synchronization for both Windows SSO and Novell SSO enable port 16102 by default when BCAAA is installed.  Port 16102 is enabled only if EnableSyncServer=1 is uncommented in the configuration file.  The DCQEnabled configuration setting is only used to determine whether or not DCQ should be enabled and is not used to determine if the port should be enabled.  The builds of BCAAA associated with the following ProxySG versions set EnableSyncServer=1 by default when installed and therefore enable port 16102 by default: 

ProxySG 5.3:  5.3.2.18 and later except for 5.3.3.1 which does require both settings to be enabled.

ProxySG 5.4:  5.4.1.12 and later

ProxySG 5.5:  all releases

ProxySG 6.1:  all releases

Upgrading BCAAA does not overwrite the previous sso.ini configuration file.  Customers must change the configuration file manually to disable the port.

Blue Coat encourages customers who do not use the synchronization feature to disable port 16102 as described in the Workarounds section below.

Blue Coat recommends that the BCAAA service be deployed behind the firewall.  If the BCAAA service is deployed outside of the firewall, note that the CVSS v2 base score increases to 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

Workarounds

ProxySG

Customers who do not synchronize single sign-on information between BCAAA instances should disable port 16102 in the.  To disable port 16102:

1. Open the configuration file sso.ini file in a text editor.

2. Locate the section SSOSyncSetup (the defaults are listed below).

• ServerPriority=100
• EnableSyncServer=1
• SyncPortNumber=16102
• UseSSL=0
• VerifyCertificate=0
• QueryDelta=10
• RetrySyncTime=60

3. Change the value of EnableSyncServer to 0 (EnableSyncServer=0).

4. Save the file.

5. Restart the BCAAA service.

ProxyOne

ProxyOne installations that do not synchronize single sign-on information can safely disable port 16102.  To disable the port, follow the instructions for ProxySG above.

Patches

ProxySG

The vulnerability exists only in BCAAA.  An update to the latest version of BCAAA for your SGOS version is required.  An update to SGOS is encouraged, but not required.

The vulnerability fix addresses the stack overflow and disables port 16102 by default for new installations.  Existing .ini files for BCAAA will not be overwritten.  Blue Coat encourages customers with existing BCAAA installations to disable port 16102 if the synchronization feature is not in use.  For instructions on how to disable the port, see the Workarounds section above.

ProxySG 6.2 - a fix is available in the BCAAA associated with 6.2.1.1.  The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/7375.

ProxySG 6.1 - a fix is available in the BCAAA  associated with 6.1.4.1.  The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/5351.

ProxySG 5.5 - a fix is available in the BCAAA associated with 5.5.5.1.  The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/41

ProxySG 5.4 - a fix is available in the BCAAA associated with 5.4.7.1.  The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/17.

ProxySG 5.3 - please use the BCAAA associated with 4.3.4.2.

ProxySG 4.3 - a fix is available in the BCAAA associated with 4.3.5.1.  The fix is available to customers with a valid Blue Touch Online login from https://bto.bluecoat.com/download/product/13.

ProxyOne

A fix will not be provided.

References

The vulnerability was discovered and reported to Blue Coat Systems by Paul Harrington of NGS Secure.  Many thanks to both Paul and NGS Secure for their help.

For more information on BCAAA, see the "Using BCAAA" chapter of the SGOS Administration Guide, located at https://bto.bluecoat.com/documentation/pubs/ProxySG.

Advisory History

2013-08-28 Included link to the SGOS 4.3.5.1 fix, removed interim fix.  Marked status as Final.

2012-01-18 Notificaiton that ProxyOne will not be fixed.

2012-01-17 Notification that the BCAAA from 4.3.4.2 can be used with 5.3.

2011-05-25 Notification of fix in a patch release of ProxySG version 4.3.4.2.

2011-05-23 Updated to specify that only the process used by BCAAA will crash if the vulnerability is exploited, not the Windows Server.  Clarified which builds of BCAAA have the port enabled by default when installed.  Updated to reflect that the BCAAA associated with ProxySG 6.1.4.1 has the fix.

2011-05-06 Updated to reflect a fix delivered for ProxySG 5.4.7.1 and to clarify which builds of BCAAA are vulnerable.

2011-05-02 Updated to reflect that the BCAAA associated with ProxySG 6.2.1.1 has the fix.

2011-04-27 Initial public release


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question