-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0019
          A vulnerability has been discovered in Bluecoat ProxySG
                             25 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Bluecoat ProxySG
Operating System:     Network Appliance
Impact/Access:        Administrator Compromise -- Console/Physical
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-2033  
Member content until: Thursday, March 27 2014

OVERVIEW

        A vulnerability has been discovered in Bluecoat ProxySG. Bluecoat warns
        that "Locally defined users on the ProxySG appliance who have been 
        deleted or whose passwords have been changed can continue to log in to 
        the appliance for a brief period of time." [1]


IMPACT

        The vendor provides the following information regarding the impact of
        this vulnerability:
        
        "SGOS supports multiple types of authentication realms for 
        authenticating administrative and proxy users. Most authentication 
        realms use remote authentication databases. Locally defined users and 
        user lists are in the local authentication realm. The local 
        authentication realm is typically used for administrative and console 
        access, but can be used for proxy users as well.
        
        
        When local users change their password, are deleted, or are removed 
        from or added to a user list, changes may take up to 15 minutes to 
        take effect due to caching. If another password-related event (such 
        as a correct login with the new password or a rejected login due to 
        incorrect password) occurs, the time for changes to take effect may 
        be shorter.
        
        An attacker who knows the account password can exploit this gap to 
        gain unauthorized administrative access through the Management 
        Console, or the SSH or serial console if the local realm is used for 
        console access. A deleted user would continue to have network access 
        for up to 15 minutes." [1]
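        The grace window described above is what a defender would want to
        watch for in audit logs. The following is an added example (not code
        from AusCERT or Blue Coat): it correlates local-realm account changes
        with later successful logins over a constructed log format, flagging
        logins that fall inside the vendor's 15-minute worst case and treating
        a rejected login as the cache-refreshing event the vendor describes.
        The log line layout and event names are assumptions, not the real
        SGOS event log format.

```python
from datetime import datetime, timedelta

# Vendor-stated worst-case delay before local-realm changes take effect.
CACHE_WINDOW = timedelta(minutes=15)

# Constructed sample log (assumed format: "<ISO timestamp> <event> user=<name>").
SAMPLE_LOG = """\
2014-02-18T09:00:00 user_deleted user=contractor
2014-02-18T09:04:30 login_ok user=contractor
2014-02-18T09:12:00 login_ok user=contractor
2014-02-18T10:00:00 password_changed user=admin
2014-02-18T10:02:00 login_failed user=admin
2014-02-18T10:03:00 login_ok user=admin
2014-02-18T11:00:00 login_ok user=alice
2014-02-18T12:00:00 password_changed user=bob
2014-02-18T12:05:00 login_ok user=bob
2014-02-18T12:10:00 login_ok user=bob
"""


def parse(line):
    """Split one log line into (timestamp, event, user)."""
    ts, event, kv = line.split(" ", 2)
    return datetime.fromisoformat(ts), event, kv.split("=", 1)[1]


def find_stale_logins(log_text, window=CACHE_WINDOW):
    """Return (timestamp, user, change_event) for each successful login within
    `window` after that user was deleted or had a password change. Such logins
    may have been authenticated against the stale cached entry and should be
    reviewed (a post-change login by a deleted user is always suspect; one after
    a password change may simply be the new password and needs checking)."""
    pending, alerts = {}, []          # pending: user -> (change_time, event)
    for line in log_text.splitlines():
        ts, event, user = parse(line)
        if event in ("user_deleted", "password_changed"):
            pending[user] = (ts, event)
        elif event == "login_failed":
            # A rejected login is a password-related event that may flush the
            # cached entry early, so stop tracking this user.
            pending.pop(user, None)
        elif event == "login_ok" and user in pending:
            changed_at, change_event = pending[user]
            if ts - changed_at <= window:
                alerts.append((ts.isoformat(), user, change_event))
            if change_event == "password_changed" or ts - changed_at > window:
                del pending[user]     # cache refreshed or window expired
    return alerts


if __name__ == "__main__":
    for alert in find_stale_logins(SAMPLE_LOG):
        print("review login:", alert)
```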


MITIGATION

        The vendor has provided the following information regarding patches:
        
        "ProxySG 6.5 – A fix is available in 6.5.1.4 and in 6.5.4 and later. 
        ProxySG 6.4 – A fix is available in 6.4.6.2 and later.
        ProxySG 6.3 – Please upgrade to a later version.
        ProxySG 6.2 – A fix is available in 6.2.15.4 and later.
        ProxySG 6.1 – A fix is not yet available as of 6.1.6.3.
        ProxySG 5.5 – A fix is not yet available as of 5.5.11.3.
        ProxySG 5.4 and earlier – Please upgrade to a later version." [1]


REFERENCES

        [1] February 18, 2014 – Changes to ProxySG local users are delayed
            https://kb.bluecoat.com/index?page=content&id=SA77&actp=RSS

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----