SA146: Improper User Authorization in ProxySG and ASG

Article ID: 1417
Updated: 04 May 2021
Published: 26 October 2017
Status: CLOSED
Severity: HIGH
CVSS v2: 8.0

SUMMARY


The ProxySG and ASG management consoles do not, under certain circumstances, correctly authorize administrator users. A malicious administrator with read-only access can exploit this vulnerability to access management console functionality that requires read-write access privileges.

AFFECTED PRODUCTS


Advanced Secure Gateway (ASG)
CVE             Affected version(s)   Remediation
CVE-2016-9097   6.7                   Not vulnerable; the fix is in 6.7.2.1.
                6.6                   Upgrade to 6.6.5.8.

ProxySG
CVE             Affected version(s)   Remediation
CVE-2016-9097   6.7                   Upgrade to 6.7.1.2.
                6.6                   Upgrade to 6.6.5.8.
                6.5                   Upgrade to 6.5.10.7.
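The tables above give one minimum fixed release per product and per major.minor branch, so checking an inventory against them is a per-branch numeric version comparison rather than a simple "is it 6.6.5.8 or later" test. The following is an added helper written for this page, not Symantec tooling; the fix levels are copied from the tables above, and the inventory lines it parses are constructed sample data.

```python
"""Triage ProxySG / ASG versions against the fix levels in SA146.

Added example for this page, not Symantec tooling. FIXED_IN is taken from the
AFFECTED PRODUCTS tables above; INVENTORY is constructed sample data.
"""
from typing import Dict, Tuple

# Minimum fixed release per product and major.minor branch, from the advisory.
# ASG 6.7 is listed as not vulnerable with the fix present from 6.7.2.1, so it
# is encoded the same way as the other branches.
FIXED_IN: Dict[str, Dict[str, str]] = {
    "ASG":     {"6.7": "6.7.2.1", "6.6": "6.6.5.8"},
    "ProxySG": {"6.7": "6.7.1.2", "6.6": "6.6.5.8", "6.5": "6.5.10.7"},
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.6.5.8' into (6, 6, 5, 8) so comparison is numeric.
    Comparing the strings directly would rank '6.5.9.1' above '6.5.10.7'."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)

def assess(product: str, version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one appliance.
    A branch the advisory does not list (for example 6.4) is reported as
    'unknown' rather than guessed either way."""
    branches = FIXED_IN.get(product)
    if branches is None:
        return "unknown"
    parsed = parse_version(version)
    branch = ".".join(str(p) for p in parsed[:2])
    fixed = branches.get(branch)
    if fixed is None:
        return "unknown"
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"

# Constructed inventory in 'hostname,product,version' form.
INVENTORY = """\
proxy-nyc-01,ProxySG,6.6.5.7
proxy-nyc-02,ProxySG,6.5.10.7
asg-lon-01,ASG,6.7.2.1
proxy-fra-01,ProxySG,6.7.1.1
proxy-old-01,ProxySG,6.4.6.1
"""

def triage(inventory: str) -> Dict[str, str]:
    """Map hostname -> assessment for every non-empty inventory line."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(","))
        result[host] = assess(product, version)
    return result

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host:14s} {state}")
```

Appliances on a branch the advisory does not cover come back as "unknown" on purpose; treating them as fixed would silently exclude them from follow-up.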

ADDITIONAL PRODUCT INFORMATION


The ProxySG and ASG management consoles provide a web-based interface for authenticated administrators to configure, manage, and monitor the respective appliance. Both products define separate read-only and read-write authorization levels for authenticated administrators. Read-only administrators can view appliance settings and policy configuration but not modify them; they can also perform limited troubleshooting tasks. Read-write administrators have full access to the appliance settings and policy configuration and can perform all management tasks available through the management console.
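The advisory only says that the consoles "do not, under certain circumstances, correctly check the authorization of read-only administrator users". The general shape of that bug class is a write operation whose privilege check is attached to the page that offers it rather than to the operation itself, so a read-only user who requests the operation directly is never refused. The following added example illustrates that pattern and its fix; it is not ProxySG or ASG code, and the routes, handlers, Session and Appliance objects are invented for the illustration.

```python
"""Two-level (read-only / read-write) authorization in an admin console.

Added illustration, not ProxySG/ASG code: the routes, handlers, Session and
Appliance objects are made up to show the class of bug this advisory
describes (a write endpoint reachable without the read-write check) and the
fix (every route declares a privilege, enforced centrally, deny by default).
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, List, Tuple

class Priv(IntEnum):
    READ_ONLY = 1
    READ_WRITE = 2

@dataclass
class Session:
    user: str
    priv: Priv

@dataclass
class Request:
    method: str      # "GET" or "POST"
    path: str
    session: Session

@dataclass
class Appliance:
    policy: str = "allow all"    # constructed stand-in for appliance config

Response = Tuple[int, str]
Handler = Callable[[Request, Appliance], Response]

def show_policy(req: Request, app: Appliance) -> Response:
    return 200, app.policy

def apply_policy(req: Request, app: Appliance) -> Response:
    app.policy = "deny all"      # stands in for any state-changing action
    return 200, "policy updated"

def edit_policy_page(req: Request, app: Appliance) -> Response:
    # Vulnerable pattern: the only privilege check sits in the page that
    # offers the form, so it protects the UI, not the operation.
    if req.session.priv < Priv.READ_WRITE:
        return 403, "read-only administrator"
    return 200, '<form action="/policy/apply" method="post">'

VULNERABLE_ROUTES: Dict[Tuple[str, str], Handler] = {
    ("GET", "/policy"): show_policy,
    ("GET", "/policy/edit"): edit_policy_page,   # checked here ...
    ("POST", "/policy/apply"): apply_policy,     # ... but not here
}

def dispatch_vulnerable(req: Request, app: Appliance) -> Response:
    handler = VULNERABLE_ROUTES.get((req.method, req.path))
    return (404, "not found") if handler is None else handler(req, app)

# Hardened pattern: each route carries the privilege it needs and the
# dispatcher enforces it before any handler runs.
HARDENED_ROUTES: Dict[Tuple[str, str], Tuple[Priv, Handler]] = {
    ("GET", "/policy"): (Priv.READ_ONLY, show_policy),
    ("GET", "/policy/edit"): (Priv.READ_WRITE, edit_policy_page),
    ("POST", "/policy/apply"): (Priv.READ_WRITE, apply_policy),
}

def required_priv(method: str, declared: Priv) -> Priv:
    # Defence in depth: a state-changing method is never read-only, even if
    # a route was registered with too low a level.
    return Priv.READ_WRITE if method != "GET" else declared

def dispatch_hardened(req: Request, app: Appliance) -> Response:
    entry = HARDENED_ROUTES.get((req.method, req.path))
    if entry is None:
        return 404, "not found"
    declared, handler = entry
    if req.session.priv < required_priv(req.method, declared):
        return 403, "read-only administrator"
    return handler(req, app)

def read_only_can_write(dispatch: Callable[[Request, Appliance], Response]) -> bool:
    """Probe: a read-only admin skips the edit page and posts directly to the
    apply endpoint. Returns True if the appliance state changed."""
    app = Appliance()
    ro = Session("auditor", Priv.READ_ONLY)
    dispatch(Request("POST", "/policy/apply", ro), app)
    return app.policy != "allow all"

def audit_routes(routes: Dict[Tuple[str, str], Tuple[Priv, Handler]]) -> List[Tuple[str, str]]:
    """Regression check over a route table: every non-GET route must demand
    READ_WRITE. Returns the offending (method, path) keys."""
    return [key for key, (priv, _) in routes.items()
            if key[0] != "GET" and priv < Priv.READ_WRITE]
```

The probe in `read_only_can_write` is the test a practitioner would run against a console after a fix: it returns True for the vulnerable dispatcher, because the direct POST is never refused, and False for the hardened one. `audit_routes` catches the same mistake at registration time, before any request is served, by refusing a route table in which a state-changing method is declared read-only.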

ISSUES


CVE-2016-9097
Severity / CVSSv2: High / 8.0 (AV:N/AC:L/Au:S/C:P/I:P/A:C)
References: SecurityFocus BID 101530 / NVD CVE-2016-9097
Impact: Improper user authorization
Description: The ProxySG and ASG management consoles do not, under certain circumstances, correctly check the authorization of read-only administrator users. A malicious administrator with read-only access can exploit this vulnerability to access management console functionality that requires read-write access privileges.

ACKNOWLEDGEMENTS


Thanks to Jakub Pałaczyński and Pawel Bartunek for reporting this vulnerability.

REVISION


2017-11-25 SA status moved to Final.
2017-11-09 Symantec recommends that ProxySG 6.5 customers upgrade to 6.5.10.7 or a later release to obtain the vulnerability fixes.
2017-10-26 Initial public release.