SA107 : ProxySG and ASG Coaching Page Redirect
1340
04 May 2021
17 December 2015
CLOSED
LOW
CVSS v2: 3.3
SUMMARY
The URL displayed by ProxySG and ASG in a coaching page may differ from the actual URL that the user will be directed to after clicking Accept. A user who clicks on a specially crafted URL can be directed to an undesired or possibly malicious web site.
AFFECTED PRODUCTS
Advanced Secure Gateway

CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 6.6 | Upgrade to 6.6.4.2.

ProxySG

CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 6.6 | Upgrade to 6.6.4.2.
All CVEs | 6.5 | Upgrade to 6.5.8.8.
The fix in ProxySG provides an updated default coaching policy to address this vulnerability. Customers who previously customized their coaching policies must customize the new default coaching policy to protect against this vulnerability.
ISSUES
An administrator can configure ProxySG and ASG to display a notification page in users’ web browsers when certain conditions are met. When a notification page is displayed, the user must click the Accept button to gain access to the web content. Notification pages are designed to provide web compliance as well as to coach users. A coaching page is displayed when a user visits a web site that is blocked by content filtering policy. The page explains why the site is blocked and the consequences of unauthorized access, and provides a link to the site if business purposes warrant access. A coaching page is configured to display each time a user visits a new web page that is barred by content filtering policy; however, the page can also be configured to appear at set time intervals. A user returning to a web page that they previously accepted may or may not be shown a coaching page, depending on how the policy is configured.
Under normal circumstances, ProxySG and ASG direct the user’s web browser to the web site displayed in the coaching page when the Accept button is clicked. However, if a user has clicked on a specially crafted URL, there are two URLs: one in clear text, and another that is specially encoded. If the clear text URL triggers the proxy device to display a coaching page, the user will see only the clear text URL on the coaching page. In this case, if the user clicks the Accept button, the user’s web browser will be directed to the specially encoded URL.
ProxySG and ASG will enforce all configured policy and protections that apply to the specially encoded URL. For example, if the proxy device determines that the specially encoded URL is categorized as malware and the proxy device is configured to block access to such URLs, access to the specially encoded URL will be blocked and the content will not be delivered to the user’s browser.
If the content provided by the specially encoded URL is not blocked by the proxy device, the content will be delivered to the user’s browser. The content may be undesired or malicious.
The fix in ProxySG provides a new coaching policy that prevents the user's web browser from being directed to a different URL. Customers who previously customized their coaching policies must customize the new default coaching policy to protect against this vulnerability.
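The property the corrected coaching policy must guarantee is that the Accept link leads only to the URL the page shows the user. The check below is an added Python illustration of that property, not ProxySG/ASG code or its coaching policy; the decode bound and the sample URL pairs are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Assumption for this illustration: bound repeated decoding so a value
# that keeps producing new percent-sequences cannot loop forever.
MAX_DECODE_ROUNDS = 3
DEFAULT_PORTS = {"http": 80, "https": 443}


def fully_decode(value: str) -> str:
    """Percent-decode until the string stops changing, within the bound."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical(url: str) -> str:
    """Decoded URL with lower-cased scheme/host, default port and fragment dropped.

    Raises ValueError on a malformed port so the caller rejects the redirect.
    """
    parts = urlsplit(fully_decode(url.strip()))
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def redirect_allowed(displayed_url: str, target_url: str) -> bool:
    """Permit the Accept redirect only if the shown URL and the real target agree.

    Both sides are canonicalised so encoding differences cannot hide a
    different destination; any parse failure is treated as a mismatch.
    """
    try:
        shown, real = canonical(displayed_url), canonical(target_url)
    except ValueError:
        return False
    if urlsplit(real).scheme not in DEFAULT_PORTS:
        return False  # only http/https destinations may be coached through
    return shown == real


if __name__ == "__main__":
    # Constructed sample pairs: (URL the coaching page shows, real Accept target)
    samples = [
        ("http://www.example.com/news", "http://www.example.com/news"),
        ("http://WWW.Example.com:80/a%20b", "http://www.example.com/a b"),
        ("http://www.example.com/news", "http://www.example.net/news"),
        ("http://www.example.com/news", "http://www.example.com:abc/news"),
    ]
    for shown, target in samples:
        print("allow" if redirect_allowed(shown, target) else "block", shown, "->", target)
```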
For more information about configuring notification pages, refer to the "Notify User" section in Chapter 3 of Blue Coat Systems ProxySG Visual Policy Manager Reference and Advanced Policy Tasks available on BTO.
CVE-2015-8597 | 
---|---
Severity / CVSSv2 | Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 85707 / NVD: CVE-2015-8597
Impact | Open redirection
MITIGATION
Coaching pages can be disabled, but this option is not recommended. ProxySG and ASG will enforce configured policy and protections that apply to the specially encoded URL and will block content that should not be delivered to the user’s browser.
Review the categories that are blocked and ensure that users are not allowed to access content that is undesired and/or dangerous such as Malware, Phishing, and Botnet.
ACKNOWLEDGEMENTS
Thanks to Patrick ‘mts0n’ Mattsson from Knowit Secure AB for reporting the vulnerability.
REVISION
2016-07-13 fix is available for SGOS 6.6 and ASG 6.6; SA status moved to Final
2016-01-18 Added CVE number
2015-12-21 ASG 6.6 is also vulnerable; a fix is pending.
2015-12-17 initial public release