Symantec Security Response - SMNTC-1322
Published: May 29, 2015 - 8:00 a.m.

SA96 : SSL Visibility Appliance Web-based Vulnerabilities


EPSS: 0.006 (Low), percentile 77.8%

SUMMARY

The SSL Visibility Appliance is susceptible to multiple web-based vulnerabilities in the administration console. The console is accessible only through the dedicated administration port. A remote attacker can use these vulnerabilities to obtain administrative access to the SSL Visibility Appliance.

AFFECTED PRODUCTS

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
--- | --- | ---
All CVEs | 3.8.4FC and later | Not vulnerable, fixed in 3.8.4FC-17
All CVEs | 3.8 | Upgrade to 3.8.4.
All CVEs | 3.8.2F | Upgrade to later release with fixes.
All CVEs | 3.7.4 | Upgrade to later release with fixes.

ISSUES

The SSL Visibility Appliance provides a web-based administration console (the WebUI) from which an authorized administrator can configure and manage the product. Access to the WebUI is only through an HTTPS connection to the dedicated management port. Administrative access to read, create, and modify information is limited by the administrator's role (Manage Appliance, Manage Policy, Manage PKI, and Auditor).

A remote attacker's access is limited by the capabilities granted to the administrator: the attacker can only perform operations in the WebUI that the administrator could perform. The WebUI can be used to read and modify information such as configuration, audit logs, authorized users, and the health and status of the appliance. It can also be used to reboot the appliance.

CVE-2015-2852

References: SecurityFocus BID 74921 / NVD CVE-2015-2852
Impact: Cross-site request forgery (CSRF)
Description: The WebUI is vulnerable to cross-site request forgery (CSRF). A remote attacker can gain access to the WebUI by persuading an administrator to visit a malicious website using spear phishing emails or other social engineering techniques. If the administrator is already authenticated to the SSL Visibility appliance, the remote attacker can use the existing session to perform actions as the administrator without the administrator's knowledge.

CVE-2015-2853

References: SecurityFocus BID 74921 / NVD CVE-2015-2853
Impact: Session hijacking
Description: The WebUI is vulnerable to session fixation. The session ID is set prior to authentication and is not changed or invalidated after authentication. An attacker can hijack an administrator's session by obtaining their session ID and creating a cookie.

CVE-2015-2854

References: SecurityFocus BID 74921 / NVD CVE-2015-2854
Impact: Clickjacking
Description: The WebUI is vulnerable to clickjacking due to improper validation of the request origin. SSLV does not restrict framing to the same origin through the X-Frame-Options response header. A remote attacker can gain access to the WebUI by persuading an administrator to visit a malicious website using spear phishing emails or other social engineering techniques. Even if the administrator is not authenticated, the remote attacker can use hidden iframes to trick the administrator into authenticating.

CVE-2015-2855

References: SecurityFocus BID 74921 / NVD CVE-2015-2855
Impact: Information disclosure
Description: The WebUI is vulnerable to cookie theft attacks. Because the session cookie is set without the HttpOnly and Secure flags, a remote attacker can obtain the administrator's cookie, for example by capturing network traffic. The cookie can then be used by the attacker to act as the administrator.
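Added example (not part of the advisory and not Symantec's code): a defender-side Python check that compares a captured login-page response with the post-login response and reports the three header-visible weaknesses described above, a session ID that survives authentication (CVE-2015-2853), a missing or permissive X-Frame-Options header (CVE-2015-2854) and cookies without HttpOnly/Secure (CVE-2015-2855). The sample headers and the cookie name `session` are constructed assumptions; the CSRF issue (CVE-2015-2852) cannot be judged from response headers alone and is not covered.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from a real appliance), each a list of
# (header, value) pairs. The WEAK pair reproduces the three header-visible weaknesses
# from the advisory; the HARDENED pair shows the corrected shape.
WEAK_LOGIN_PAGE = [("Set-Cookie", "session=abc123; Path=/")]
WEAK_AFTER_LOGIN = [("Content-Type", "text/html")]  # no new cookie: pre-auth ID kept
HARDENED_LOGIN_PAGE = [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
                       ("X-Frame-Options", "SAMEORIGIN")]
HARDENED_AFTER_LOGIN = [("Set-Cookie", "session=z9y8x7; Path=/; Secure; HttpOnly"),
                        ("X-Frame-Options", "SAMEORIGIN")]


def cookies_of(headers):
    """Collect every Set-Cookie header of one response into a SimpleCookie jar."""
    jar = SimpleCookie()
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar.load(value)
    return jar


def frame_policy(headers):
    """Return the upper-cased X-Frame-Options value, or '' when the header is absent."""
    return next((v for k, v in headers if k.lower() == "x-frame-options"), "").strip().upper()


def audit(pre_auth, post_auth, session_cookie="session"):
    """Compare the login page response with the post-login response; return findings."""
    findings = []
    before, after = cookies_of(pre_auth), cookies_of(post_auth)
    # CVE-2015-2853: a session ID issued before authentication must be replaced at login.
    # Reusing it, or issuing no new cookie at all, lets a pre-planted ID survive login.
    if session_cookie in before and (session_cookie not in after or
                                     before[session_cookie].value == after[session_cookie].value):
        findings.append("session fixation: pre-authentication session ID survives login")
    # CVE-2015-2855: every cookie needs HttpOnly and Secure. Morsel flags read True
    # when the attribute is present and '' when it is absent.
    for stage, jar in (("pre-auth", before), ("post-auth", after)):
        for name, morsel in jar.items():
            for flag in ("httponly", "secure"):
                if not morsel[flag]:
                    findings.append(f"{stage} cookie {name} lacks {flag}")
    # CVE-2015-2854: without DENY or SAMEORIGIN the page can be framed by another origin,
    # whether or not the administrator is logged in, so check both responses.
    for stage, headers in (("pre-auth", pre_auth), ("post-auth", post_auth)):
        if frame_policy(headers) not in ("DENY", "SAMEORIGIN"):
            findings.append(f"{stage} page: X-Frame-Options missing or permissive")
    return findings
```

Running `audit(WEAK_LOGIN_PAGE, WEAK_AFTER_LOGIN)` yields five findings, while the hardened pair yields none; to audit a real appliance, feed it the raw header lists captured from the management port.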

MITIGATION

Limit access to the SSL Visibility management port to trusted clients with limited access to the outside internet. SSLV can be configured to limit the IP addresses capable of accessing the management port.

Limit administrative capabilities by assigning distinct roles for different types of administrators.

Use ProxySG and WebPulse to block access to malicious websites from clients.

ACKNOWLEDGEMENTS

Thank you to Tim MalcomVetter from FishNet Security for reporting the vulnerabilities, and to CERT-CC for coordinating the disclosure.

REFERENCES

Clickjacking - <https://www.owasp.org/index.php/Clickjacking>
Cross-Site Request Forgery (CSRF) - <https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)>
HttpOnly - <https://www.owasp.org/index.php/HttpOnly>
SecureFlag - <https://www.owasp.org/index.php/SecureFlag>

REVISION

2015-06-11 Marked as final
2015-05-29 Initial public release
