SA162: Multiple ASG and ProxySG Vulnerabilities
SUMMARY
The Symantec ASG and ProxySG management consoles are susceptible to several vulnerabilities. A remote attacker, with access to the management console, can cause denial of service through management console application crashes. A malicious appliance administrator can also inject arbitrary JavaScript code into the management console and target other administrator users with malicious code.
AFFECTED PRODUCTS
| Advanced Secure Gateway (ASG) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2016-10258 CVE-2017-13677 |
6.7 | Upgrade to 6.7.3.1. |
| 6.6 | Upgrade to 6.6.5.14. | |
| CVE-2017-13678 | 6.7 | Upgrade to 6.7.3.7 or 6.7.4.107. |
| 6.6 | Upgrade to 6.6.5.14. | |
| ProxySG | ||
|---|---|---|
| CVE | Affects Version(s) | Remediation |
| CVE-2016-10258 CVE-2017-13677 |
6.7 | Upgrade to 6.7.3.1. |
| 6.6 | Upgrade to 6.6.5.14. | |
| 6.5 | Upgrade to 6.5.10.8. | |
| CVE-2017-13678 | 6.7 | Upgrade to 6.7.3.7 or 6.7.4.107. |
| 6.6 | Upgrade to 6.6.5.14. | |
| 6.5 | Upgrade to 6.5.10.8. | |
ADDITIONAL PRODUCT INFORMATION
These vulnerabilities can only be exploited through the ASG and ProxySG management interfaces. Symantec recommends that customers deploy ASG and ProxySG in a secure network and restrict access to the management interfaces. Not deploying the appliances in a secure network or restricting management interface access increases the threat of exploiting the vulnerabilities.
ISSUES
| CVE-2016-10258 | |
|---|---|
| Severity / CVSSv2 | Low / 2.7 (AV:A/AC:L/Au:S/C:N/I:P/A:N) |
| References | SecurityFocus: BID 103685 / NVD: CVE-2016-10258 |
| Impact | Unrestricted file upload |
| Description | A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code. |
| CVE-2017-13677 | |
|---|---|
| Severity / CVSSv2 | Medium / 6.1 (AV:A/AC:L/Au:N/C:N/I:N/A:C) |
| References | SecurityFocus: BID 103685 / NVD: CVE-2017-13677 |
| Impact | Denial of service |
| Description | A remote attacker can use crafted HTTP/HTTPS requests to cause denial-of-service through management console application crashes. |
| CVE-2017-13678 | |
|---|---|
| Severity / CVSSv2 | Low / 3.8 (AV:A/AC:M/Au:S/C:P/I:P/A:N) |
| References | SecurityFocus: BID 103685 / NVD: CVE-2017-13678 |
| Impact | Cross Site Scripting (XSS) |
| Description | A malicious appliance administrator can inject arbitrary JavaScript code in the management console web client application. |
MITIGATION
These vulnerabilities can only be exploited through the ASG and ProxySG management interfaces. Symantec recommends that customers deploy ASG and ProxySG in a secure network and restrict access to the management interfaces.
ACKNOWLEDGEMENTS
Symantec would like to thank:
- Jakub Pałaczyński and Pawel Bartunek for reporting CVE-2016-10258
- Robert Jaroszuk @ RBS Security for reporting CVE-2017-13677 and CVE-2017-13678.
REVISION
2020-12-09 Advisory status moved to Closed.
2018-05-03 A fix for CVE-2017-13678 in ASG 6.7 and ProxySG 6.7 is available in 6.7.3.7.
2018-04-10 initial public release