SA89 : ProxyClient and Unified Agent Certificate Validation Flaw

1312

03 March 2020

23 January 2015

CLOSED

HIGH

CVSS v2: 9.3

SUMMARY

A flaw in the validation of the certificate presented by the ProxySG to the ProxyClient and Unified Agent can allow an attacker to pose as the legitimate ProxySG to deliver malicious executables and policy to clients.

AFFECTED PRODUCTS

The following products are vulnerable:

ProxyClient
All versions of ProxyClient prior to 3.3.3.3 and 3.4.4.10 are vulnerable.

Unified Agent
All versions of Unified Agent prior to 4.1.3.151952 are vulnerable when connecting to the Client Manager on ProxySG.  Unified Agent connecting to ThreatPulse is not vulnerable.

Patches

ProxyClient
ProxyClient 3.4 - a fix is available in 3.4.4.10.
ProxyClient 3.3 - a fix is available in 3.3.3.3.
ProxyClient 3.2 and prior - a fix will not be provided.  Please upgrade to the latest ProxyClient release with the vulnerability fix.

Unified Agent
Unified Agent 4.1 - a fix is available in 4.1.3.151952.
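
The fixed builds above are per release branch, so a single "greater than 3.3.3.3" comparison would wrongly clear a ProxyClient 3.4 build older than 3.4.4.10. The following inventory triage helper is an added example, not Blue Coat code. The function names, the status strings, and the treatment of branches newer than those listed are assumptions.

```python
# Added example (not vendor code): triage installed versions against this advisory.
# Fixed builds per release branch, copied from the Patches section above.
FIXED = {
    "ProxyClient": {(3, 3): (3, 3, 3, 3), (3, 4): (3, 4, 4, 10)},
    "Unified Agent": {(4, 1): (4, 1, 3, 151952)},
}


def parse_version(text):
    """Turn '3.4.4.10' into (3, 4, 4, 10), padding short strings with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def fmt(version):
    return ".".join(str(n) for n in version)


def triage(product, version, connects_to="Client Manager"):
    """Return (status, action) for one installed client."""
    branches = FIXED[product]  # KeyError for products the advisory does not cover
    if product == "Unified Agent" and connects_to == "ThreatPulse":
        return ("not vulnerable", "none; ThreatPulse connections use a VPN, not TLS/SSL")
    v = parse_version(version)
    branch = v[:2]
    if branch in branches:
        fix = branches[branch]
        if v >= fix:
            return ("fixed", "none")
        return ("vulnerable", "upgrade to " + fmt(fix) + " or later")
    if branch < min(branches):
        newest = branches[max(branches)]
        return ("vulnerable", "no fix for this branch; upgrade to " + fmt(newest) + " or later")
    # Assumption: a branch newer than those listed is not "prior to" the fixed builds.
    return ("fixed", "none")


if __name__ == "__main__":
    # Constructed inventory rows: (product, version, connects_to)
    inventory = [
        ("ProxyClient", "3.4.0.1", "Client Manager"),
        ("ProxyClient", "3.2.1.5", "Client Manager"),
        ("Unified Agent", "4.1.3.151951", "Client Manager"),
        ("Unified Agent", "4.1.0.1", "ThreatPulse"),
    ]
    for row in inventory:
        print(row, "->", triage(*row))
```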

ISSUES

CVE-2015-1454

ProxyClient and Unified Agent connect to a Client Manager that resides on the ProxySG.  The connection to the Client Manager is used to download new configuration and software updates to the client.  The connection is secured using TLS/SSL and can be established over a corporate network or over a public network. 

A flaw in the validation of the Client Manager certificate performed by the ProxyClient and the Unified Agent could allow an attacker to pose as the Client Manager.  An attacker could use this vulnerability to modify the configuration parameters of ProxyClient and Unified Agent, to deliver malicious web content to ProxyClient and Unified Agent, and to deliver malicious software updates to ProxyClient.  An attacker could potentially use this flaw to gain full administrative access to the client.

The Unified Agent is vulnerable only when connecting to the Client Manager on ProxySG.  Unified Agent is not vulnerable when connecting to ThreatPulse.  Connections from the Unified Agent to ThreatPulse are over a VPN, not over TLS/SSL.

ACKNOWLEDGEMENTS

This vulnerability was reported by Damien Cabrié.  Thank you!

REFERENCES

CVE-2015-1454 - https://nvd.nist.gov/vuln/detail/CVE-2015-1454

REVISION

2015-02-13 Added URL for CVE number in References; marked as final
2015-02-09 Corrected CVE number
2015-02-02 CVE number assigned
2015-01-24 Clarified that Unified Agent is not vulnerable when connecting to ThreatPulse; Unified Agent is vulnerable only when connecting to the Client Manager on ProxySG.
2015-01-23 Initial public release