SUMMARY

AFFECTED PRODUCTS

The fix in ProxySG provides an updated default coaching policy to address this vulnerability.  Customers who previously customized their coaching policies must customize the new default coaching policy to protect against this vulnerability.

ISSUES

An administrator can configure ProxySG and ASG to display a notification page in users’ web browsers when certain conditions are met.  When a notification page is displayed, the user must click the Accept button to gain access to the web content.  Notification pages are designed to provide web compliance as well as to coach users.  A coaching page displays when a user visits a web site that is blocked by content filtering policy.  The page explains why the site is blocked, the consequences of un-authorized access, and a link to the site if business purposes warrants access.  A coaching page is configured to display each time a user visits a new web page that is barred by content filtering policy; however, you can also configure this page to appear at different time intervals.  A user returning to a web page that was previously accepted by the user may or may not provide a coaching page depending on how the policy is configured. 

Under normal circumstances, ProxySG and ASG direct the user’s web browser to the web site displayed in the coaching page when the Accept button is clicked.  However, if a user has clicked on a specially crafted URL, there are two URLs:  one in clear text, and another that is specially encoded.  If the clear text URL triggers the proxy device to display a coaching page, the user will see only the clear text URL on the coaching page.  In this case, if the user clicks the Accept button, the user’s web browser will be directed to the specially encoded URL. 

ProxySG and ASG will enforce all configured policy and protections that apply to the specially encoded URL.  For example, if the proxy device determines that the specially encoded URL is categorized as malware and the proxy device is configured to block access to such URLs, access to the specially encoded URL will be blocked and the content will not be delivered to the user’s browser. 

If the content provided by the specially encoded URL is not blocked by the proxy device, the content will be delivered to the user’s browser.  The content may be undesired or malicious.

The fix in ProxySG provides a new coaching policy which will prevent the user's web browser from being directed to a different URL.  Customers who previosly customized their coaching policies must customize the new default coaching policy to protect against this vulnerability.

For more information about configuring notification pages, refer to the "Notify User" section in Chapter 3 of Blue Coat Systems ProxySG Visual Policy Manager Reference and Advanced Policy Tasks available on BTO.

MITIGATION

ACKNOWLEDGEMENTS

REVISION

2016-07-13 fix is available for SGOS 6.6 and ASG 6.6; SA status moved to Final
2016-01-18 Added CVE number
2015-12-21 ASG is 6.6 also vulnerable and a fix is pending.
2015-12-17 initial public release