ESB-2018.0117 - [Appliance] Symantec Advanced Secure Gateway and ProxySG: Multiple vulnerabilities 2018-01-10


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0117
              SA155: Multiple ASG and ProxySG Vulnerabilities
                              10 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Advanced Secure Gateway
                   Symantec ProxySG
Publisher:         Symantec
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data         -- Existing Account            
                   Cross-site Scripting           -- Existing Account            
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10257 CVE-2016-10256 CVE-2016-9100
                   CVE-2016-9099  

Original Bulletin: 
   https://www.symantec.com/security-center/network-protection-security-advisories/SA155

- --------------------------BEGIN INCLUDED TEXT--------------------

SA155: Multiple ASG and ProxySG Vulnerabilities

Security Advisory ID: SA155

Published Date: Jan 09, 2018

Advisory Status: Interim

Advisory Severity: Medium
CVSS v2 base score: 5.1 (MEDIUM) (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVE Numbers:
CVE-2016-9099  - 2.6 (LOW)    (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVE-2016-9100  - 5.1 (MEDIUM) (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVE-2016-10256 - 5.0 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVE-2016-10257 - 5.0 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)

The Symantec ASG and ProxySG management consoles are susceptible to multiple 
vulnerabilities.  A remote attacker can, under certain circumstances, obtain 
sensitive authentication credential information, redirect target users to 
malicious sites, and inject arbitrary JavaScript code into the management
console web client application.

Affected Products:

Advanced Secure Gateway
ASG 6.6 and 6.7 prior to 6.7.2.1 are vulnerable to CVE-2016-9099 and 
CVE-2016-10257.  ASG 6.6 prior to 6.6.5.13 and 6.7 prior to 6.7.3.1 are 
vulnerable to CVE-2016-9100.

ProxySG
ProxySG 6.5 prior to 6.5.10.6 is vulnerable to all CVEs.  ProxySG 6.6 and 6.7
prior to 6.7.2.1 are vulnerable to CVE-2016-9099, CVE-2016-10256, and 
CVE-2016-10257.  ProxySG 6.6 prior to 6.6.5.13 and 6.7 prior to 6.7.3.1 are 
vulnerable to CVE-2016-9100.

Advisory Details: 

The Symantec ASG and ProxySG management consoles provide a web-based interface
for administrators to configure, manage, and monitor the respective appliance.
The ASG and ProxySG management consoles are susceptible to multiple
vulnerabilities.

CVE-2016-9099 is an open redirection vulnerability in the ASG and ProxySG 
management consoles.  A remote attacker can use a crafted management console 
URL in a phishing attack to redirect the target user to a malicious web site. 
Exploiting this vulnerability does not allow the attacker to bypass the
security controls enforced by the ASG/ProxySG policy.  If ASG/ProxySG are 
configured to intercept traffic from the target user, they will enforce the 
configured security controls on the redirected request to the malicious web 
site.

CVE-2016-9100 is an information disclosure vulnerability in the ASG and ProxySG
management consoles.  An attacker with access to the client host of an
authenticated administrator user can, under certain circumstances, obtain
sensitive authentication credential information.

CVE-2016-10256 is a reflected XSS vulnerability in the ProxySG management
console.  A remote attacker can use a crafted management console URL in a 
phishing attack to inject arbitrary JavaScript code into the management
console web client application. This is a separate vulnerability from
CVE-2016-10257.

CVE-2016-10257 is a reflected XSS vulnerability in the ASG and ProxySG
management consoles.  A remote attacker can use a crafted management console
URL in a phishing attack to inject arbitrary JavaScript code in the management
console web client application. This is a separate vulnerability from
CVE-2016-10256.

Patches: 

Advanced Secure Gateway
ASG 6.7 - a fix for CVE-2016-9099 and CVE-2016-10257 is available in 6.7.2.1.
A fix for CVE-2016-9100 is available in 6.7.3.1.

ASG 6.6 - a fix for CVE-2016-9100 is available in 6.6.5.13.  A fix for 
CVE-2016-9099 and CVE-2016-10257 is not available at this time.

ProxySG
ProxySG 6.7 - a fix for CVE-2016-9099, CVE-2016-10256, and CVE-2016-10257 is 
available in 6.7.2.1.  A fix for CVE-2016-9100 is available in 6.7.3.1.
ProxySG 6.6 - a fix for CVE-2016-9100 is available in 6.6.5.13.  A fix for 
CVE-2016-9099, CVE-2016-10256, and CVE-2016-10257 is not available at this time.
ProxySG 6.5 - a fix is available in 6.5.10.6.
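The affected-version and patch information above, turned into a per-build check that an administrator can run over an appliance inventory. This is an added example, not part of the SA155 advisory or any Symantec tool; the product names "ASG" and "ProxySG" and the four-part version strings are assumptions taken from the advisory text.

```python
# Added example (not part of the SA155 advisory or any Symantec tool):
# decide which SA155 CVEs apply to a given ASG / ProxySG build, using the
# affected-version and patch information stated in the advisory.
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'6.7.2.1' -> (6, 7, 2, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))

# (product, release branch, first fixed build or None, CVEs).  None means the
# advisory lists no fix for that branch yet, so every build in it is affected.
AFFECTED = [
    ("ASG", (6, 6), None, ["CVE-2016-9099", "CVE-2016-10257"]),
    ("ASG", (6, 7), (6, 7, 2, 1), ["CVE-2016-9099", "CVE-2016-10257"]),
    ("ASG", (6, 6), (6, 6, 5, 13), ["CVE-2016-9100"]),
    ("ASG", (6, 7), (6, 7, 3, 1), ["CVE-2016-9100"]),
    ("ProxySG", (6, 5), (6, 5, 10, 6),
     ["CVE-2016-9099", "CVE-2016-9100", "CVE-2016-10256", "CVE-2016-10257"]),
    ("ProxySG", (6, 6), None,
     ["CVE-2016-9099", "CVE-2016-10256", "CVE-2016-10257"]),
    ("ProxySG", (6, 7), (6, 7, 2, 1),
     ["CVE-2016-9099", "CVE-2016-10256", "CVE-2016-10257"]),
    ("ProxySG", (6, 6), (6, 6, 5, 13), ["CVE-2016-9100"]),
    ("ProxySG", (6, 7), (6, 7, 3, 1), ["CVE-2016-9100"]),
]

def affecting_cves(product: str, version_text: str) -> List[str]:
    """Return the SA155 CVEs that affect this build, lowest CVE number first.
    An empty list for a branch the advisory does not mention (e.g. 6.4) only
    means SA155 says nothing about it, not that the build is clean."""
    if product not in {"ASG", "ProxySG"}:
        raise ValueError(f"unknown product {product!r}")
    version = parse_version(version_text)
    found = set()
    for prod, branch, fixed_in, cves in AFFECTED:
        if prod != product or version[:2] != branch:
            continue
        if fixed_in is None or version < fixed_in:
            found.update(cves)
    return sorted(found, key=lambda cve: int(cve.rsplit("-", 1)[1]))

if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    for product, build in [("ProxySG", "6.5.10.5"), ("ASG", "6.7.2.1")]:
        print(product, build, affecting_cves(product, build) or "no SA155 CVEs")
```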

Advisory History: 

2017-01-09 initial public release

Acknowledgements: 

Thanks to Jakub Pałaczyński and Pawel Bartunek for reporting these
vulnerabilities.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================