Support Content Notification - Support Portal

SA20 : Denial of CONNECT Request May Be Ignored

Product/Component

Notification Id

1086

Last Updated

03 March 2020

Initial Publication Date

03 February 2006

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

WorkAround

Affected CVE

SUMMARY

An error has been identified in SGOS version 4.1 that can cause policy which blocks CONNECT requests (implicitly or explicitly) to be ignored under certain circumstances. Instead of blocking the traffic, it is allowed.

This can lead to an open TCP proxy.

AFFECTED PRODUCTS

Fixed in:
SG 4.1.4 or Higher

MITIGATION

Workaround for ProxySG:

Place the following policy rule in the beginning of every VPM Web Access layer or CPL Proxy layer that contains an ALLOW, DENY or EXCEPTION action:

http.method=CONNECT url.port=!443 DENY

Adding this in a layer by itself will not workaround the issue, it must be added to the beginning of every Web Access or Proxy layer.

REFERENCES

http://secunia.com/advisories/18622/