Session Hijacking Vulnerability in ProxySG and ASG
Summary
The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console.
Affected Product(s)
Advanced Secure Gateway (ASG)
CVE | Supported Version(s) | Remediation
CVE-2019-18375 | 6.7 (prior to 6.7.4) | Not vulnerable
CVE-2019-18375 | 6.7.4 | Upgrade to 6.7.4.10.
CVE-2019-18375 | 6.7 (6.7.5 and later) | Not vulnerable, fixed in 6.7.5.1.
CVE-2019-18375 | 7.1 | Upgrade to a later release with fixes.
CVE-2019-18375 | 7.2 | Not vulnerable, fixed in 7.2.0.1.
ProxySG
CVE | Supported Version(s) | Remediation
CVE-2019-18375 | 6.5, 6.7 (prior to 6.7.4) | Not vulnerable
CVE-2019-18375 | 6.7.4 | Upgrade to 6.7.4.10.
CVE-2019-18375 | 6.7 (6.7.5 and later) | Not vulnerable, fixed in 6.7.5.1.
CVE-2019-18375 | 7.1 | Upgrade to a later release with fixes.
CVE-2019-18375 | 7.2 | Not vulnerable, fixed in 7.2.0.1.
Additional Product Information
ASG 7.1 and ProxySG 7.1 are Early Availability (EA) releases and will not be released as General Availability (GA). Fixes will not be provided for ASG 7.1 and ProxySG 7.1. Please upgrade to ASG 7.2 and ProxySG 7.2 for the vulnerability fixes.
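The version tables above are what an operator has to apply across a fleet of appliances, and the edge cases (6.7.4 builds below 6.7.4.10, the 7.1 EA branch with no fix, the first fixed build of each later branch) are easy to get wrong by eye. The following script is an added example and is not Symantec or Broadcom code; it encodes the Affected Product(s) tables for CVE-2019-18375 and classifies a constructed inventory. It assumes version strings are dotted numerics such as "6.7.4.3" (shorter strings are padded with zeros), and it makes one conservative assumption the advisory does not state explicitly: where a branch is listed as "not vulnerable, fixed in X", builds of that branch older than X are flagged as vulnerable.

```python
"""Fleet check for CVE-2019-18375 (ProxySG / ASG management console session hijacking).

Added example, not vendor code. Encodes the advisory's Affected Product(s) tables.
Assumptions: versions are dotted numerics ('6.7.4.3'); for branches listed as
'not vulnerable, fixed in X', builds older than X are treated as vulnerable.
"""
from typing import Dict, List, Tuple

NOT_VULNERABLE = "not vulnerable"
VULNERABLE = "vulnerable"
UNKNOWN = "not covered by advisory"


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'6.7.4.10' -> (6, 7, 4, 10). Missing trailing components are padded with 0."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {version!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def classify(product: str, version: str) -> Tuple[str, str]:
    """Return (status, remediation) for one appliance per the advisory tables."""
    product = product.strip().upper()
    if product not in ("ASG", "PROXYSG"):
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    branch = v[:2]

    if branch == (6, 5):
        # Only the ProxySG table lists 6.5 (not vulnerable); ASG 6.5 is not in the advisory.
        return (NOT_VULNERABLE, "none") if product == "PROXYSG" else (UNKNOWN, "check vendor")
    if branch == (6, 7):
        if v < (6, 7, 4, 0):
            return NOT_VULNERABLE, "none"            # 6.7 prior to 6.7.4
        if v[:3] == (6, 7, 4):
            if v < (6, 7, 4, 10):
                return VULNERABLE, "upgrade to 6.7.4.10"
            return NOT_VULNERABLE, "none"
        # 6.7.5 and later: fixed in 6.7.5.1 (assumption: earlier 6.7.5 builds flagged).
        if v < (6, 7, 5, 1):
            return VULNERABLE, "upgrade to 6.7.5.1 or later"
        return NOT_VULNERABLE, "none"
    if branch == (7, 1):
        # Early Availability branch: no fix will be provided, move to 7.2.
        return VULNERABLE, "upgrade to 7.2.0.1 or later"
    if branch == (7, 2):
        if v < (7, 2, 0, 1):
            return VULNERABLE, "upgrade to 7.2.0.1 or later"
        return NOT_VULNERABLE, "none"
    return UNKNOWN, "check vendor"


def audit(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Annotate inventory rows ({'host', 'product', 'version'}) with status and remediation."""
    report = []
    for item in inventory:
        status, fix = classify(item["product"], item["version"])
        report.append({**item, "status": status, "remediation": fix})
    return report


def vulnerable_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Hostnames that need action, in inventory order."""
    return [row["host"] for row in audit(inventory) if row["status"] == VULNERABLE]


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "proxy-dc1", "product": "ProxySG", "version": "6.7.4.3"},
    {"host": "proxy-dc2", "product": "ProxySG", "version": "6.7.4.10"},
    {"host": "proxy-lab", "product": "ProxySG", "version": "6.5.10.7"},
    {"host": "asg-edge1", "product": "ASG", "version": "7.1.2.4"},
    {"host": "asg-edge2", "product": "ASG", "version": "7.2.1.1"},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(f"{row['host']:<12} {row['product']:<8} {row['version']:<10} "
              f"{row['status']:<22} {row['remediation']}")
```

The classifier is deliberately branch-by-branch rather than a single "fixed version" comparison, because the advisory gives different fix builds per branch and one branch (7.1) has no fix at all.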
Issue Details
CVE-2019-18375
Severity / CVSS v3.0: High / 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-18375
Impact: Session hijacking
Description: A session hijacking vulnerability in the ASG and ProxySG management consoles allows a remote attacker, with access to the management interface, to hijack the session of a currently logged-in user and access the management console with the privileges of the hijacked session.
Mitigation & Additional Information
CVE-2019-18375 can only be exploited through the ASG and ProxySG management interfaces. Symantec recommends that customers deploy ASG and ProxySG in a secure network and restrict access to the management interfaces. Deploying the products outside a secure network, or leaving management interface access unrestricted, increases the risk of this vulnerability being exploited.
Acknowledgements
- CVE-2019-18375: Balazs Hambalko, IT Security Consultant
Revisions
2020-04-09 initial public release