ESB-2018.1126 - [Appliance][Virtual] Symantec ASG, ProxySG: Multiple vulnerabilities 2018-04-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1126
        Multiple vulnerabilities fixed in Symantec ASG and ProxySG
                               12 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec ASG
                   Symantec ProxySG
Publisher:         Symantec
Operating System:  Network Appliance
                   Virtualisation
Impact/Access:     Create Arbitrary Files -- Existing Account      
                   Denial of Service      -- Remote/Unauthenticated
                   Cross-site Scripting   -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13678 CVE-2017-13677 CVE-2016-10258

Original Bulletin: 
   https://www.symantec.com/security-center/network-protection-security-advisories/SA162

- --------------------------BEGIN INCLUDED TEXT--------------------

SA162: Multiple ASG and ProxySG Vulnerabilities

Security Advisory ID: SA162
Published Date: Apr 10, 2018
Advisory Status: Interim
Advisory Severity: Medium
CVSS v2 base score: 6.1 (AV:A/AC:L/Au:N/C:N/I:N/A:C)
CVE Number: 
CVE-2016-10258 - 2.7 (LOW) (AV:A/AC:L/Au:S/C:N/I:P/A:N)
CVE-2017-13677 - 6.1 (MEDIUM) (AV:A/AC:L/Au:N/C:N/I:N/A:C)
CVE-2017-13678 - 3.8 (LOW) (AV:A/AC:M/Au:S/C:P/I:P/A:N)

The Symantec ASG and ProxySG management consoles are susceptible to several
vulnerabilities.  A remote attacker, with access to the management console, can
cause denial of service through management console application crashes.  A
malicious appliance administrator can also inject arbitrary JavaScript code
into the management console and target other administrator users with malicious
code.

Affected Products:

Advanced Secure Gateway
ASG 6.6 prior to 6.6.5.14 is vulnerable to all CVEs.  ASG 6.7 prior to 6.7.3.1
is vulnerable to CVE-2016-10258 and CVE-2017-13677.  ASG 6.7 prior to 6.7.4.107
is vulnerable to CVE-2017-13678.

ProxySG
ProxySG 6.5 prior to 6.5.10.8 and 6.6 prior to 6.6.5.14 are vulnerable to all
CVEs.  ProxySG 6.7 prior to 6.7.3.1 is vulnerable to CVE-2016-10258 and
CVE-2017-13677.  ProxySG 6.7 prior to 6.7.4.107 is vulnerable to
CVE-2017-13678.

Advisory Details: 

The Symantec ASG and ProxySG management consoles provide a web-based interface
for administrators to configure, manage, and monitor the respective appliance. 
The ASG and ProxySG management consoles are susceptible to several
vulnerabilities.

  * CVE-2016-10258 is an unrestricted file upload vulnerability in the ASG and
    ProxySG management consoles.  A malicious appliance administrator can
    upload arbitrary malicious files to the management console and trick
    another administrator user into downloading and executing malicious code.
  * CVE-2017-13677 is a denial-of-service (DoS) vulnerability in the ASG and
    ProxySG management consoles.  A remote attacker can use crafted HTTP/HTTPS
    requests to cause denial-of-service through management console application
    crashes.
  * CVE-2017-13678 is a stored XSS vulnerability in the ASG and ProxySG
    management consoles.  A malicious appliance administrator can inject
    arbitrary JavaScript code in the management console web client application.

These vulnerabilities can only be exploited through the ASG and ProxySG
management interfaces.  Symantec recommends that customers deploy ASG and
ProxySG in a secure network and restrict access to the management interfaces. 
Deploying the appliances outside a secure network, or leaving management
interface access unrestricted, increases the risk that these vulnerabilities
will be exploited.

Workarounds: 

These vulnerabilities can only be exploited through the ASG and ProxySG
management interfaces.  Symantec recommends that customers deploy ASG and
ProxySG in a secure network and restrict access to the management interfaces.

Patches: 

Advanced Secure Gateway
ASG 6.7 - a fix for CVE-2016-10258 and CVE-2017-13677 is available in 6.7.3.1. 
A fix for CVE-2017-13678 is available in 6.7.4.107.
ASG 6.6 - a fix for all CVEs is available in 6.6.5.14.

ProxySG
ProxySG 6.7 - a fix for CVE-2016-10258 and CVE-2017-13677 is available in
6.7.3.1.  A fix for CVE-2017-13678 is available in 6.7.4.107.
ProxySG 6.6 - a fix for all CVEs is available in 6.6.5.14.
ProxySG 6.5 - a fix for all CVEs is available in 6.5.10.8.
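The affected-version and patch sections above amount to a per-branch table of
"first fixed build" per CVE. The following is an added example, not code from
Symantec or AusCERT, that transcribes that table and checks an inventory of
appliances against it; the hostnames and version strings in the sample
inventory are constructed for illustration. A build is reported as affected
when it sits on a listed release branch and is older than the fix for that
CVE; a branch the advisory does not mention is reported as "not covered"
rather than silently treated as safe.

```python
"""Version triage for Symantec SA162 (ASG / ProxySG).

This is an added example, not code from Symantec or AusCERT. The
affected-version table is transcribed from the advisory above; the
sample inventory at the bottom is constructed for illustration.
"""
import re

ALL_CVES = ("CVE-2016-10258", "CVE-2017-13677", "CVE-2017-13678")

# product -> release branch -> CVE -> first build that carries the fix.
# A build is affected when it is on that branch and older than the fix.
FIXED_IN = {
    "ASG": {
        "6.6": {cve: "6.6.5.14" for cve in ALL_CVES},
        "6.7": {"CVE-2016-10258": "6.7.3.1",
                "CVE-2017-13677": "6.7.3.1",
                "CVE-2017-13678": "6.7.4.107"},
    },
    "ProxySG": {
        "6.5": {cve: "6.5.10.8" for cve in ALL_CVES},
        "6.6": {cve: "6.6.5.14" for cve in ALL_CVES},
        "6.7": {"CVE-2016-10258": "6.7.3.1",
                "CVE-2017-13677": "6.7.3.1",
                "CVE-2017-13678": "6.7.4.107"},
    },
}

_VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_version(text):
    """Turn '6.7.4.107' into (6, 7, 4, 107) so tuples compare numerically.

    Python compares tuples element by element and treats a shorter prefix
    as smaller, so (6, 7, 3) < (6, 7, 3, 1): a bare 6.7.3 counts as
    "prior to 6.7.3.1", which is what the advisory means.
    """
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def affected_cves(product, version):
    """Return the sorted CVE IDs affecting this build, [] if fully patched,
    or None when the advisory says nothing about the build's release branch
    (for example a branch newer than 6.7, or one it does not list)."""
    if product not in FIXED_IN:
        raise ValueError(f"unknown product {product!r}; expected {sorted(FIXED_IN)}")
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    fixes = FIXED_IN[product].get(branch)
    if fixes is None:
        return None
    return sorted(cve for cve, fix in fixes.items() if v < parse_version(fix))


def triage(inventory):
    """Map each (host, product, version) record to its outstanding CVEs.

    Records whose branch the advisory does not cover come back as None so
    they are flagged for manual review instead of being counted as clean.
    """
    return {host: affected_cves(product, version)
            for host, product, version in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("proxy-01", "ProxySG", "6.5.9.1"),
    ("proxy-02", "ProxySG", "6.6.5.14"),
    ("proxy-03", "ProxySG", "6.7.3.1"),
    ("asg-01", "ASG", "6.7.4.107"),
    ("asg-02", "ASG", "7.1.2.3"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        if result is None:
            print(f"{host}: release branch not covered by SA162, review manually")
        elif result:
            print(f"{host}: affected by {', '.join(result)}")
        else:
            print(f"{host}: not affected")
```

Feed it the product and version string shown on the appliance; a ProxySG on
6.7.3.1 is reported as still exposed to CVE-2017-13678 only, because that fix
arrived later in 6.7.4.107, while a 6.5 or 6.6 build needs a single upgrade to
clear all three.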

References: 

CVE-2016-10258 - https://nvd.nist.gov/vuln/detail/CVE-2016-10258
CVE-2017-13677 - https://nvd.nist.gov/vuln/detail/CVE-2017-13677
CVE-2017-13678 - https://nvd.nist.gov/vuln/detail/CVE-2017-13678

Advisory History: 

2018-04-10 initial public release

Acknowledgements: 

Symantec would like to thank:

  * Jakub Pałaczyński and Pawel Bartunek for reporting CVE-2016-10258
  * Robert Jaroszuk @ RBS Security for reporting CVE-2017-13677 and
    CVE-2017-13678.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
