-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin ASB-2016.0073
     Multiple Blue Coat products are affected by a security control bypass
                                 vulnerability
                                 18 July 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Blue Coat products
Operating System:  Network Appliance
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Mitigation

Member content until: Wednesday, August 17 2016

OVERVIEW

Multiple Blue Coat products are affected by a security control bypass
vulnerability:

"Advanced Secure Gateway
ASG 6.6 is vulnerable when deployed as a forward proxy, reverse proxy, or a
web application firewall (WAF).

CacheFlow
CacheFlow 3.4 is vulnerable when policy RDNS lookups are enabled via the CLI.

ProxySG
ProxySG 6.5 and 6.6 are vulnerable when deployed as a forward proxy, reverse
proxy, or a web application firewall (WAF)." [1]

IMPACT

The vendor has provided the following information:

"The Blue Coat products listed in the Affected Products section perform
categorization on the hostnames and IP addresses of HTTP and HTTPS requests.
When the server hostname is not available and the server IP address is not
categorized, the affected products perform a reverse DNS (RDNS) lookup to
obtain the server hostname. The server hostname is not available when one or
more of the following conditions apply:

- the HTTP or HTTPS request URL contains a literal IP address instead of a
  hostname.
- the HTTPS request is processed in a ProxySG transparent proxy deployment or
  in a CacheFlow without a hostname in the Server Name Indication (SNI) TLS
  extension.
- the HTTPS request is processed in a transparent proxy deployment of ProxySG
  releases prior to 6.5.6.1.
- the request is processed by ProxySG as tunneled traffic without being handed
  off to the HTTP, HTTPS, or SSL proxy.

HTTP and HTTPS requests that result in an RDNS lookup may, under certain
circumstances, cause the policy rules matched to be those associated with the
hostname returned by RDNS rather than the server IP address. This may prevent
the policy from enforcing security controls, such as blocking the request,
requiring user authentication, or performing payload scanning. ProxySG and
ASG appliances are vulnerable when deployed as a forward proxy, reverse
proxy, or web application firewall (WAF)." [1]

MITIGATION

The vendor has provided the following workaround:

"ProxySG and ASG administrator users with write access can remediate this
vulnerability by disabling reverse DNS (RDNS) lookups. The following CPL
syntax can be used in ASG 6.6, and ProxySG 6.5 and 6.6:

    restrict rdns
      all
    end

Administrator users can also use the ProxySG 6.5 and 6.6 Visual Policy
Manager (VPM) to disable reverse DNS lookups:

1. Start VPM.
2. Choose "Select Configuration".
3. Change the "Reverse DNS Lookup Restrictions" setting from "None" to "All".
4. Install the policy.

By default, CacheFlow 3.4 does not enable policy RDNS lookups. Customers who
leave RDNS lookups disabled prevent attacks against CacheFlow. CacheFlow 3.4
administrator users can use the following CLI commands to check and disable
the RDNS lookup setting:

- To check RDNS lookups: "show config" (look for the "policy rdns enable"
  string in the output)
- To disable RDNS lookups: "policy rdns disable"" [1]

REFERENCES

[1] SA130: Security Control Bypass Vulnerability in ProxySG, ASG, and
    CacheFlow
    https://bto.bluecoat.com/security-advisory/sa130

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
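As an added example (not part of the AusCERT bulletin or the vendor advisory), the two audit checks below scan exported configuration text for the workaround described in the MITIGATION section: a ProxySG/ASG CPL policy is considered remediated only when a "restrict rdns" block lists "all" before its "end", and a CacheFlow "show config" dump is flagged when it contains "policy rdns enable". The sample policy and config excerpts are constructed, and treating ";" as a CPL comment leader is an assumption.

```python
import re

# Constructed sample CPL exports (not from any real appliance).
CPL_NO_RESTRICTION = """\
<Proxy>
  ALLOW url.domain=example.com
"""

CPL_PARTIAL = """\
restrict rdns
  10.0.0.0/8          ; only restricts one range, not the SA130 workaround
end
"""

CPL_HARDENED = """\
; SA130 workaround: never fall back to RDNS for categorization
restrict rdns
  all
end
<Proxy>
  ALLOW url.domain=example.com
"""

# Constructed CacheFlow 3.4 "show config" excerpts.
CACHEFLOW_ENABLED = "hostname cf-edge-1\npolicy rdns enable\nexit\n"
CACHEFLOW_DEFAULT = "hostname cf-edge-2\nexit\n"


def cpl_restricts_all_rdns(cpl_text: str) -> bool:
    """True when a 'restrict rdns ... end' block contains the entry 'all'.
    Tokenising (after dropping ';' comments, assumed CPL comment syntax)
    means a flattened one-line 'restrict rdns all end' is also accepted."""
    tokens = []
    for raw in cpl_text.splitlines():
        tokens.extend(raw.split(";", 1)[0].lower().split())
    i = 0
    while i < len(tokens) - 1:
        if tokens[i] == "restrict" and tokens[i + 1] == "rdns":
            j = i + 2
            entries = []
            while j < len(tokens) and tokens[j] != "end":
                entries.append(tokens[j])
                j += 1
            if "all" in entries:          # a partial list leaves the bypass open
                return True
            i = j
        i += 1
    return False


def cacheflow_rdns_enabled(show_config: str) -> bool:
    """True when CacheFlow 'show config' output shows the vulnerable
    (non-default) setting 'policy rdns enable'."""
    return any(re.fullmatch(r"policy\s+rdns\s+enable", line.strip(), re.IGNORECASE)
               for line in show_config.splitlines())
```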