SA96 : SSL Visibility Appliance Web-based Vulnerabilities
1322
03 March 2020
29 May 2015
CLOSED
HIGH
CVSS v2: 8.3
SUMMARY
The SSL Visibility Appliance is susceptible to multiple web-based vulnerabilities in the administration console. The console is accessible only through the dedicated administration port. A remote attacker can use these vulnerabilities to obtain administrative access to the SSL Visibility Appliance.
AFFECTED PRODUCTS
| SSL Visibility (SSLV) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs | 3.8.4FC and later | Not vulnerable, fixed in 3.8.4FC-17 |
| 3.8 | Upgrade to 3.8.4. | |
| 3.8.2F | Upgrade to later release with fixes. | |
| 3.7.4 | Upgrade to later release with fixes | |
ISSUES
The SSL Visibility Appliance provides a web-based administration console (the WebUI) from which an authorized administrator can configure and manage the product. Access to the WebUI is only through an HTTPS connection to the dedicated management port. Administrative access to read, create, and modify information is limited by the administrator’s role (Manage Appliance, Manage Policy, Manage PKI, and Auditor).
A remote attacker’s access is limited by the capabilities granted to the administrator. The attacker can only perform operations in the WebUI that the administrator could perform. The WebUI can be used to read and modify information such as configuration, audit logs, authorized users, and the health and status of the appliance. It can also can be used to reboot the appliance.
| CVE-2015-2852 | |
|---|---|
| References | SecurityFocus: BID 74921 / NVD: CVE-2015-2852 |
| Impact | Cross-site request forgery (CSRF) |
| Description | The WebUI is vulnerable to cross site request forgery (CSRF). A remote attacker can gain access to the WebUI by persuading an administrator to visit a malicious website using spear phishing emails or other social engineering techniques. If the administrator is already authenticated to the SSL Visibility appliance, the remote attacker can use the existing session to perform actions as the administrator without the administrator’s knowledge. |
| CVE-2015-2853 | |
|---|---|
| References | SecurityFocus: BID 74921 / NVD: CVE-2015-2853 |
| Impact | Session hijacking |
| Description | The WebUI is vulnerable to session fixation. The session ID is set prior to authentication and is not changed or invalidated after authentication. An attacker can hijack an administrator's session by obtaining their session ID and creating a cookie. |
| CVE-2015-2854 | |
|---|---|
| References | SecurityFocus: BID 74921 / NVD: CVE-2015-2854 |
| Impact | Clickjacking |
| Description | The WebUI is vulnerable to clickjacking due to improper validation of the request origin. SSLV does not enforce the same origin policy in X-Frame Options response headers. A remote attacker can gain access to the WebUI by persuading an administrator to visit a malicious website using spear phishing emails or other social engineering techniques. Even if the administrator is not authenticated, the remote attacker can use hidden iframes to trick the administrator into authenticating. |
| CVE-2015-2855 | |
|---|---|
| References | SecurityFocus: BID 74921 / NVD: CVE-2015-2855 |
| Impact | Information disclosure |
| Description | The WebUI is vulnerable to cookie theft attacks. A remote attacker can use the lack of the httponly and secure flags to obtain the administrator’s cookie. An attacker can obtain cookies by capturing network traffic. The cookie can be used by the attacker to act as the administrator. |
MITIGATION
Limit access to the SSL Visibility management port to trusted clients with limited access to the outside internet. SSLV can be configured to limit the IP addresses capable of accessing the management port.
Limit administrative capabilities by assigning distinct roles for different types of administrators.
Use ProxySG and WebPulse to block access to malicious websites from clients.
ACKNOWLEDGEMENTS
Thank you to Tim MalcomVetter from FishNet Security for reporting the vulnerabilities, and to CERT-CC for coordinating the disclosure.
REFERENCES
Clickjacking - https://www.owasp.org/index.php/Clickjacking
Cross-Site Request Forgery (CSRF) - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
HttpOnly - https://www.owasp.org/index.php/HttpOnly
SecureFlag - https://www.owasp.org/index.php/SecureFlag
REVISION
2015-06-11 Marked as final
2015-05-29 Initial public release