-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0073
          Multiple Blue Coat products are affected by a security
                       control bypass vulnerability
                               18 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Blue Coat products
Operating System:     Network Appliance
Impact/Access:        Unauthorised Access -- Remote/Unauthenticated
Resolution:           Mitigation
Member content until: Wednesday, August 17 2016

OVERVIEW

        Multiple Blue Coat products are affected by a security control 
        bypass vulnerability:
        
        "Advanced Secure Gateway
        ASG 6.6 is vulnerable when deployed as a forward proxy, reverse 
        proxy, or a web application firewall (WAF).
        
        CacheFlow
        CacheFlow 3.4 is vulnerable when policy RDNS lookups are enabled via
        the CLI.
        
        ProxySG
        ProxySG 6.5 and 6.6 are vulnerable when deployed as a forward proxy,
        reverse proxy, or a web application firewall (WAF)." [1]


IMPACT

        The vendor has provided the following information:
        
        "The Blue Coat products listed in the Affected Products section 
        perform categorization on the hostnames and IP addresses of HTTP and
        HTTPS requests. When the server hostname is not available and the 
        server IP address is not categorized, the affected products perform
        a reverse DNS (RDNS) lookup to obtain the server hostname. The 
        server hostname is not available when one or more of the following 
        conditions apply:
        
        	- the HTTP or HTTPS request URL contains a literal IP address 
        	instead of a hostname.
        	- the HTTPS request is processed in a ProxySG transparent proxy 
        	deployment or in a CacheFlow without a hostname in the Server 
        	Name Indication (SNI) TLS extension.
        	- the HTTPS request is processed in a transparent proxy 
        	deployment of ProxySG releases prior to 6.5.6.1.
        	- the request is processed by ProxySG as tunneled traffic 
        	without being handed off to the HTTP, HTTPS, or SSL proxy.
        
        HTTP and HTTPS requests that result in an RDNS lookup may, under 
        certain circumstances, cause the policy rules matched to be those 
        associated with the hostname returned by RDNS rather than the server
        IP address. This may prevent the policy from enforcing security 
        controls, such as blocking the request, requiring user 
        authentication, or performing payload scanning. ProxySG and ASG 
        appliances are vulnerable when deployed as a forward proxy, reverse
        proxy, or web application firewall (WAF)." [1]


MITIGATION

        The vendor has provided the following workaround:
        
        "ProxySG and ASG administrator users with write access can remediate
        this vulnerability by disabling reverse DNS (RDNS) lookups. The 
        following CPL syntax can be used in ASG 6.6, and ProxySG 6.5 and 
        6.6:
        
        	restrict rdns
        	all
        	end
        
        Administrator users can also use the ProxySG 6.5 and 6.6 Visual 
        Policy Manager (VPM) to disable reverse DNS lookups:
        
        	1. Start VPM.
        	2. Choose "Select Configuration".
        	3. Change the "Reverse DNS Lookup Restrictions" setting from
        	"None" to "All".
        	4. Install the policy.
        
        By default, CacheFlow 3.4 does not enable policy RDNS lookups. 
        Customers who leave RDNS lookups disabled prevent attacks against 
        CacheFlow. CacheFlow 3.4 administrator users can use the following 
        CLI commands to check and disable the RDNS lookup setting:
        
        	- To check RDNS lookups: "show config" (look for "policy rdns 
        	enable" string in output)
        	- To disable RDNS lookups: "policy rdns disable"" [1]
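        The following Python script is an added example, not part of this
        bulletin or of the vendor advisory it quotes. It audits saved
        configuration text for the two workarounds described above: a
        ProxySG/ASG CPL policy is checked for a "restrict rdns / all / end"
        block, and CacheFlow "show config" output is checked for the
        "policy rdns enable" line. The CPL and show-config samples are
        constructed for the example; only the RDNS-related lines follow the
        syntax quoted from SA130, the rest is assumed filler.

```python
"""Audit Blue Coat configuration text for the SA130 RDNS workarounds.

Added example. Assumptions: CPL comments begin with ';', a restriction
block is the literal lines 'restrict rdns' ... 'end', and the CacheFlow
setting appears as the literal command line 'policy rdns enable'.
"""


def parse_restrict_rdns_blocks(cpl_text):
    """Return one list of entries per 'restrict rdns ... end' block in CPL."""
    blocks = []
    current = None
    for raw in cpl_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop CPL comments
        if not line:
            continue
        if current is None:
            if line.lower().split() == ["restrict", "rdns"]:
                current = []
        elif line.lower() == "end":
            blocks.append(current)
            current = None
        else:
            current.append(line.lower())
    return blocks


def cpl_restricts_all_rdns(cpl_text):
    """True only if some block restricts RDNS for 'all' with no other entries.

    A block listing specific subnets (or anything besides 'all') is treated
    as partial and therefore not a complete workaround.
    """
    return any(block == ["all"] for block in parse_restrict_rdns_blocks(cpl_text))


def cacheflow_rdns_enabled(show_config_output):
    """True if CacheFlow 'show config' output enables policy RDNS lookups."""
    return any(
        raw.strip().lower() == "policy rdns enable"
        for raw in show_config_output.splitlines()
    )


def audit(cpl_text=None, cacheflow_show_config=None):
    """Return findings keyed by product family, with the vendor's remediation."""
    findings = {}
    if cpl_text is not None:
        ok = cpl_restricts_all_rdns(cpl_text)
        findings["proxysg_asg"] = {
            "rdns_restricted": ok,
            "action": None if ok else "add CPL: restrict rdns / all / end, then install policy",
        }
    if cacheflow_show_config is not None:
        enabled = cacheflow_rdns_enabled(cacheflow_show_config)
        findings["cacheflow"] = {
            "rdns_lookups_enabled": enabled,
            "action": "run CLI: policy rdns disable" if enabled else None,
        }
    return findings


# Constructed sample inputs (not real device output).
CPL_WITH_RESTRICTION = """\
; local policy file
define condition blocked_dest
    url.address=203.0.113.0/24
end

restrict rdns
    all
end

<Proxy>
    condition=blocked_dest deny
"""

CPL_WITHOUT_RESTRICTION = """\
<Proxy>
    url.address=203.0.113.0/24 deny
"""

CACHEFLOW_RDNS_ENABLED = """\
!- BEGIN policy
policy rdns enable
!- END policy
"""

CACHEFLOW_RDNS_DISABLED = """\
!- BEGIN policy
policy rdns disable
!- END policy
"""

if __name__ == "__main__":
    print(audit(cpl_text=CPL_WITHOUT_RESTRICTION,
                cacheflow_show_config=CACHEFLOW_RDNS_ENABLED))
```

        Feed the script the text of the installed local policy (or the VPM-
        generated CPL) and a captured "show config"; any entry with an
        "action" value is a device still relying on RDNS-derived hostnames
        for policy matching.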


REFERENCES

        [1] SA130: Security Control Bypass Vulnerability in ProxySG, ASG, and
            CacheFlow
            https://bto.bluecoat.com/security-advisory/sa130

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----