-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0117
                 SA155: Multiple ASG and ProxySG Vulnerabilities
                               10 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Advanced Secure Gateway
                   Symantec ProxySG
Publisher:         Symantec
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data          -- Existing Account
                   Cross-site Scripting            -- Existing Account
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10257 CVE-2016-10256 CVE-2016-9100 CVE-2016-9099

Original Bulletin:
   https://www.symantec.com/security-center/network-protection-security-advisories/SA155

- --------------------------BEGIN INCLUDED TEXT--------------------

SA155: Multiple ASG and ProxySG Vulnerabilities

Security Advisory ID: SA155
Published Date: Jan 09, 2018
Advisory Status: Interim
Advisory Severity: Medium
CVSS v2 base score: 5.1 (MEDIUM) (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVE Number:
  CVE-2016-9099  - 2.6 (LOW)    (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVE-2016-9100  - 5.1 (MEDIUM) (AV:N/AC:H/Au:N/C:P/I:P/A:P)
  CVE-2016-10256 - 5.0 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
  CVE-2016-10257 - 5.0 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)

The Symantec ASG and ProxySG management consoles are susceptible to multiple
vulnerabilities. A remote attacker can, under certain circumstances, obtain
sensitive authentication credential information, redirect target users to
malicious sites, and inject arbitrary JavaScript code into the management
console web client application.

Affected Products:

Advanced Secure Gateway

ASG 6.6 and 6.7 prior to 6.7.2.1 are vulnerable to CVE-2016-9099 and
CVE-2016-10257. ASG 6.6 prior to 6.6.5.13 and 6.7 prior to 6.7.3.1 are
vulnerable to CVE-2016-9100.
ProxySG

ProxySG 6.5 prior to 6.5.10.6 is vulnerable to all CVEs. ProxySG 6.6 and 6.7
prior to 6.7.2.1 are vulnerable to CVE-2016-9099, CVE-2016-10256, and
CVE-2016-10257. ProxySG 6.6 prior to 6.6.5.13 and 6.7 prior to 6.7.3.1 are
vulnerable to CVE-2016-9100.

Advisory Details:

The Symantec ASG and ProxySG management consoles provide a web-based interface
for administrators to configure, manage, and monitor the respective appliance.
The ASG and ProxySG management consoles are susceptible to multiple
vulnerabilities.

CVE-2016-9099 is an open redirection vulnerability in the ASG and ProxySG
management consoles. A remote attacker can use a crafted management console
URL in a phishing attack to redirect the target user to a malicious web site.
Exploiting this vulnerability does not allow the attacker to bypass the
security controls enforced by the ASG/ProxySG policy. If ASG/ProxySG are
configured to intercept traffic from the target user, they will enforce the
configured security controls on the redirected request to the malicious web
site.

CVE-2016-9100 is an information disclosure vulnerability in the ASG and
ProxySG management consoles. An attacker with access to the client host of an
authenticated administrator user can, under certain circumstances, obtain
sensitive authentication credential information.

CVE-2016-10256 is a reflected XSS vulnerability in the ProxySG management
console. A remote attacker can use a crafted management console URL in a
phishing attack to inject arbitrary JavaScript code into the management
console web client application. This is a separate vulnerability from
CVE-2016-10257.

CVE-2016-10257 is a reflected XSS vulnerability in the ASG and ProxySG
management consoles. A remote attacker can use a crafted management console
URL in a phishing attack to inject arbitrary JavaScript code in the
management console web client application. This is a separate vulnerability
from CVE-2016-10256.
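The two bug classes described above, open redirection and reflected XSS, share a root cause: a value taken from the request URL is echoed back into a response (a Location header, an HTML body) without being constrained or encoded. The following is an added example, not Symantec code and not taken from the advisory, showing the generic checks a web console handler needs to close both classes. The advisory does not disclose which console parameters were affected, so the `next` and `message` parameter names, the handler and the sample inputs are this example's own assumptions.

```python
"""Added example (not from SA155): constrain a redirect target and encode a
reflected string. 'next' and 'message' are hypothetical parameter names."""
from __future__ import annotations

import html
from urllib.parse import urlsplit


def safe_redirect_target(raw: str | None, fallback: str = "/") -> str:
    """Return a same-origin, absolute-path redirect target or the fallback.

    The result is rebuilt from the parsed parts rather than echoed, so the
    raw request value never reaches the Location header unchanged.
    """
    if raw is None:
        return fallback
    # Browsers drop ASCII tab/newline inside URLs and treat a backslash like
    # a forward slash, so normalise the same way before deciding anything.
    candidate = raw.strip().replace("\t", "").replace("\n", "").replace("\r", "")
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return fallback          # absolute URL or protocol-relative //host
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return fallback          # relative fragment, or a //host urlsplit left in the path
    target = path
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target


def render_status(message: str) -> str:
    """Reflect a request-supplied string into HTML with output encoding.

    html.escape with quote=True encodes & < > " and ', which is what keeps a
    reflected value from closing the element or starting a script block.
    """
    return f'<p class="status">{html.escape(message, quote=True)}</p>'


def handle_login_redirect(query: dict[str, str]) -> dict[str, str]:
    """Stand-in for a console handler: builds the response header and body."""
    return {
        "Location": safe_redirect_target(query.get("next", "")),
        "Body": render_status(query.get("message", "")),
    }


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for q in ({"next": "/dashboard?tab=1", "message": "Saved"},
              {"next": "//attacker.invalid/", "message": "<b>x</b>"},
              {"next": "/\\attacker.invalid", "message": ""}):
        print(q, "->", handle_login_redirect(q))
```

The rebuild-from-parts step matters more than any single rejection rule: `///host` is parsed by `urlsplit` as an empty authority plus the path `/host`, while browsers resolve it as an authority, so returning the parsed path instead of the original string is what keeps the two interpretations from diverging.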
Patches:

Advanced Secure Gateway

ASG 6.7 - a fix for CVE-2016-9099 and CVE-2016-10257 is available in 6.7.2.1.
A fix for CVE-2016-9100 is available in 6.7.3.1.
ASG 6.6 - a fix for CVE-2016-9100 is available in 6.6.5.13. A fix for
CVE-2016-9099 and CVE-2016-10257 is not available at this time.

ProxySG

ProxySG 6.7 - a fix for CVE-2016-9099, CVE-2016-10256, and CVE-2016-10257 is
available in 6.7.2.1. A fix for CVE-2016-9100 is available in 6.7.3.1.
ProxySG 6.6 - a fix for CVE-2016-9100 is available in 6.6.5.13. A fix for
CVE-2016-9099, CVE-2016-10256, and CVE-2016-10257 is not available at this
time.
ProxySG 6.5 - a fix is available in 6.5.10.6.

Advisory History:

2017-01-09 initial public release

Acknowledgements:

Thanks to Jakub Pałaczyński and Pawel Bartunek for reporting this
vulnerability.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made.
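The Affected Products and Patches sections together define, per product branch, the first build that carries each fix, with two branches (ASG 6.6 and ProxySG 6.6) having no fix yet for some CVEs. Because the table spreads over several sentences, it is easy to misread when checking an appliance inventory. The following is an added example, not Symantec tooling, that transcribes those ranges into a lookup and reports which SA155 CVEs a given build is still exposed to; the function names, rule layout and the sample inventory are this example's own.

```python
"""Added example (not from SA155 or Symantec): map an ASG / ProxySG build
to the SA155 CVEs it still carries. Ranges are transcribed from the
advisory's Affected Products and Patches sections."""
from __future__ import annotations

ALL_SA155 = frozenset({"CVE-2016-9099", "CVE-2016-9100",
                       "CVE-2016-10256", "CVE-2016-10257"})

# (product, release branch, first fixed build or None when the advisory says
# no fix is available for that branch, CVEs the rule covers). A branch with
# no fixed build is exposed at every build on that branch.
SA155_RULES = [
    ("ASG",     (6, 6), None,          {"CVE-2016-9099", "CVE-2016-10257"}),
    ("ASG",     (6, 7), (6, 7, 2, 1),  {"CVE-2016-9099", "CVE-2016-10257"}),
    ("ASG",     (6, 6), (6, 6, 5, 13), {"CVE-2016-9100"}),
    ("ASG",     (6, 7), (6, 7, 3, 1),  {"CVE-2016-9100"}),
    ("ProxySG", (6, 5), (6, 5, 10, 6), set(ALL_SA155)),
    ("ProxySG", (6, 6), None,          {"CVE-2016-9099", "CVE-2016-10256", "CVE-2016-10257"}),
    ("ProxySG", (6, 7), (6, 7, 2, 1),  {"CVE-2016-9099", "CVE-2016-10256", "CVE-2016-10257"}),
    ("ProxySG", (6, 6), (6, 6, 5, 13), {"CVE-2016-9100"}),
    ("ProxySG", (6, 7), (6, 7, 3, 1),  {"CVE-2016-9100"}),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.7.2.1' (or a shorter prefix such as '6.7') into a 4-tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_covered(product: str, version: str) -> bool:
    """True when the advisory says anything about this product branch."""
    branch = parse_version(version)[:2]
    return any(p == product and b == branch for p, b, _, _ in SA155_RULES)


def exposed_cves(product: str, version: str) -> set[str]:
    """SA155 CVEs the given build is still exposed to.

    An empty set means either 'fixed' or 'branch not covered by the
    advisory'; use is_covered() to tell the two apart.
    """
    version_tuple = parse_version(version)
    branch = version_tuple[:2]
    exposed: set[str] = set()
    for rule_product, rule_branch, fixed_in, cves in SA155_RULES:
        if rule_product != product or rule_branch != branch:
            continue
        if fixed_in is None or version_tuple < fixed_in:
            exposed |= cves
    return exposed


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    inventory = [("ProxySG", "6.5.10.5"), ("ProxySG", "6.6.5.13"),
                 ("ASG", "6.7.2.1"), ("ASG", "6.7.3.1"), ("ProxySG", "6.4.1.0")]
    for product, version in inventory:
        if not is_covered(product, version):
            print(f"{product} {version}: branch not covered by SA155")
            continue
        cves = exposed_cves(product, version)
        print(f"{product} {version}: {', '.join(sorted(cves)) or 'fixed'}")
```

Note that the lookup deliberately distinguishes "fixed" from "not mentioned": ASG 6.5 and ProxySG 6.4, for instance, are absent from the advisory, and an empty result for them says nothing about their exposure.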
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWlWu1ox+lLeg9Ub1AQiMJg/9H62tCHS+PM6xtw0uIoAfMqRc2CnUueeX
8JQZt49OWvdktBKkivtBQGtzgkqtRQ/aagdcyXMk7036Oj3yRjmRfmfdpYku1sw6
biRvl9cT/0QVAYSo5xW1loivkRyJgdlsHp8uOwWDuy5sBuqqBqdGPnCpQGFh+q0d
fx5uP8Ee3wT/8n9XhEAzQ6tO9YEjUA9z6m+u9jKC3HK5s/DIWMSwUNKQNybPPPkr
xjBQd52S9wYsbm/J8l76T9Xq03mpZIuadC/gsGx56wuXn4guCIkdyOR4dk7GSFdZ
jlsbYxNkcaGjpJIW6nJ8GUu2GNuOHwWk1c0oGy1UeZ15wZnN6j8fVBuDDWglv6gg
TZMUrKR3+o95SSwm7wLz8PZtQygEh0byTd91sTE+C5L8Krtkj+YTOuNH12u1WHKn
jgII/QOEMc+sf13c4t6YRcNlIBh9Vu2YLNcV4WyaTzl1eSBaqEW08SwOy6QVVNf+
tCkZ1h3SmJlrv5a7Z/iqdlE/6ZwuGo83pIop56+7t8b4NLILsV6/uOaS7HQMMZwz
tZv23rfTUb+Q6p9dd19at+cOXt8zizDdedO6X8b4qe8jZAIkoZeOCvQDKIza+7KX
Dy+PTr5wa/5F2j74//GjXo5PcFG2n/M0gcH97eRFDALE2P6Wkj1ypM9GkbQB9G4/
adjgBt1ib20=
=XcHI
-----END PGP SIGNATURE-----