-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
Multiple Blue Coat products are affected by a security
control bypass vulnerability
18 July 2016
AusCERT Security Bulletin Summary
Product: Blue Coat products
Operating System: Network Appliance
Impact/Access: Unauthorised Access -- Remote/Unauthenticated
Member content until: Wednesday, August 17 2016
Multiple Blue Coat products are affected by a security control
"Advanced Secure Gateway
ASG 6.6 is vulnerable when deployed as a forward proxy, reverse
proxy, or a web application firewall (WAF).
CacheFlow 3.4 is vulnerable when policy RDNS lookups are enabled via
ProxySG 6.5 and 6.6 are vulnerable when deployed as a forward proxy,
reverse proxy, or a web application firewall (WAF)." 
The vendor has provided the following information:
"The Blue Coat products listed in the Affected Products section
perform categorization on the hostnames and IP addresses of HTTP and
HTTPS requests. When the server hostname is not available and the
server IP address is not categorized, the affected products perform
a reverse DNS (RDNS) lookup to obtain the server hostname. The
server hostname is not available when one or more of the following
- the HTTP or HTTPS request URL contains a literal IP address
  instead of a hostname.
- the HTTPS request is processed in a ProxySG transparent proxy
  deployment or in a CacheFlow without a hostname in the Server
  Name Indication (SNI) TLS extension.
- the HTTPS request is processed in a transparent proxy
  deployment of ProxySG releases prior to 126.96.36.199.
- the request is processed by ProxySG as tunneled traffic
  without being handed off to the HTTP, HTTPS, or SSL proxy.
HTTP and HTTPS requests that result in an RDNS lookup may, under
certain circumstances, cause the policy rules matched to be those
associated with the hostname returned by RDNS rather than the server
IP address. This may prevent the policy from enforcing security
controls, such as blocking the request, requiring user
authentication, or performing payload scanning. ProxySG and ASG
appliances are vulnerable when deployed as a forward proxy, reverse
proxy, or web application firewall (WAF)." 
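
Added example (not part of the AusCERT bulletin or the vendor advisory): a Python script that scans proxy access logs for requests whose target is a literal IP address, the first condition listed above under which the server hostname is unavailable and an RDNS lookup may decide which policy rules match. The four-field log format and the sample lines are constructed for illustration and are not a Blue Coat log format.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines; assumed format: client method target status
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.com/index.html 200
10.0.0.7 GET http://203.0.113.10/payload.bin 200
10.0.0.7 CONNECT 198.51.100.4:443 200
10.0.0.9 CONNECT mail.example.net:443 200
10.0.0.8 GET http://[2001:db8::1]:8080/a 200
10.0.0.6 GET https://example.org:8443/login 403
"""

def target_host(method, target):
    """Host part of a request target: absolute URL, or host:port for CONNECT."""
    if method.upper() == "CONNECT":
        target = "//" + target  # make urlsplit treat host:port as the netloc
    try:
        return urlsplit(target).hostname
    except ValueError:  # malformed bracketed host
        return None

def is_literal_ip(host):
    """True when the host is an IPv4 or IPv6 literal rather than a name."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def rdns_candidates(log_text):
    """Return (client, method, host, status) for requests made to a literal IP.

    For these requests the proxy has no hostname from the URL, so the policy
    verdict recorded in the log is the one worth reviewing.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        client, method, target, status = parts
        host = target_host(method, target)
        if is_literal_ip(host):
            hits.append((client, method, host, status))
    return hits

if __name__ == "__main__":
    for hit in rdns_candidates(SAMPLE_LOG):
        print(*hit)
```
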
The vendor has provided the following workaround:
"ProxySG and ASG administrator users with write access can remediate
this vulnerability by disabling reverse DNS (RDNS) lookups. The
following CPL syntax can be used in ASG 6.6, and ProxySG 6.5 and
Administrator users can also use the ProxySG 6.5 and 6.6 Visual
Policy Manager (VPM) to disable reverse DNS lookups:
1. Start VPM.
2. Choose "Select Configuration".
3. Change the "Reverse DNS Lookup Restrictions" setting from
"None" to "All".
4. Install the policy.
By default, CacheFlow 3.4 does not enable policy RDNS lookups.
Customers who leave RDNS lookups disabled prevent attacks against
CacheFlow. CacheFlow 3.4 administrator users can use the following
CLI commands to check and disable the RDNS lookup setting:
- To check RDNS lookups: "show config" (look for
  "policy rdns enable" string in output)
- To disable RDNS lookups: "policy rdns disable""
 SA130: Security Control Bypass Vulnerability in ProxySG, ASG, and
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----