Authentication Bypass in ASG and ProxySG
Summary
The Symantec Advanced Secure Gateway (ASG) and ProxySG web management consoles are susceptible to an authentication bypass vulnerability. An unauthenticated attacker can execute arbitrary CLI commands, view or modify the appliance configuration and policy, and shut down or restart the appliance.
Affected Product(s)
Advanced Secure Gateway (ASG)

CVE | Supported Version(s) | Remediation
--- | --- | ---
CVE-2021-30648 | 6.6 | No longer under maintenance. Upgrade to 6.7.5.12
CVE-2021-30648 | 6.7 | Upgrade to 6.7.5.12 (recommended) or 6.7.4.17
CVE-2021-30648 | 7.2 | Upgrade to 7.2.7.2
CVE-2021-30648 | 7.3 | Upgrade to 7.3.3.3
ProxySG

CVE | Supported Version(s) | Remediation
--- | --- | ---
CVE-2021-30648 | 6.5 | No longer under maintenance. Upgrade to 6.7.5.12 (recommended). A fix is also available in 6.5.10.16.
CVE-2021-30648 | 6.6 | No longer under maintenance. Upgrade to 6.7.5.12 (recommended). A fix is also available in 6.6.5.19.
CVE-2021-30648 | 6.7 | Upgrade to 6.7.5.12 (recommended), 6.7.4.17, or 6.7.3.15
CVE-2021-30648 | 7.2 | Upgrade to 7.2.7.2
CVE-2021-30648 | 7.3 | Upgrade to 7.3.3.3
Additional Product Information
At the time of this advisory's publication, Broadcom is not aware of any evidence that CVE-2021-30648 is actively exploited in the wild.
Successful exploitation of CVE-2021-30648 to modify the appliance configuration or policy, or to shut down or restart the appliance, produces Event Log messages on ASG and ProxySG. Event Log messages starting with "Config admin at <remote-IP-address> 'unknown' " are considered indicators of compromise (IOCs).
For example:
2021-01-01 17:42:27-00:00UTC "Config admin at <remote-IP-address> 'unknown', enabled NTP" 0 140002:7D
2021-01-01 18:00:42-00:00UTC "Config admin at <remote-IP-address> 'unknown', installed new Local Policy File" 0 140002:7D
2021-01-01 01:45:36-00:00UTC "Config admin at <remote-IP-address> 'unknown', initiated restart regular" 0 140002:7D
Exploiting this vulnerability to execute CLI commands that do not modify the appliance configuration or policy, or shut down or restart the appliance, may not produce the same Event Log messages, so their absence does not rule out exploitation.
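A detection check for the Event Log indicator described above, added here as an illustration and not part of the advisory or of any Broadcom tooling. It assumes the line shape shown in the examples (timestamp, quoted message, a count, an event id) and runs over constructed sample lines; the 'admin' line is an assumed shape for a change made by an authenticated administrator.

```python
import re
from dataclasses import dataclass

# Event Log line shape, taken from the advisory's examples:
#   <timestamp> "<message>" <n> <event-id>
EVENT_LINE = re.compile(r'^(?P<ts>[^"]+?)\s+"(?P<msg>[^"]*)"\s+(?P<n>\d+)\s+(?P<evid>\S+)$')

# The advisory's indicator: a configuration change attributed to an admin session
# that carries no authenticated user name ('unknown').
IOC_MSG = re.compile(r"^Config admin at (?P<remote>\S+) 'unknown'(?:,\s*(?P<action>.*))?$")


@dataclass
class Hit:
    timestamp: str
    remote: str    # value the appliance logs in place of <remote-IP-address>
    action: str    # what was changed, e.g. "enabled NTP"
    event_id: str


def find_iocs(lines):
    """Return one Hit per Event Log line matching the advisory's IOC pattern."""
    hits = []
    for line in lines:
        m = EVENT_LINE.match(line.strip())
        if not m:
            continue  # not an Event Log line of the expected shape
        i = IOC_MSG.match(m.group("msg"))
        if not i:
            continue  # ordinary line, or a change by a named (authenticated) admin
        hits.append(Hit(m.group("ts"), i.group("remote"),
                        i.group("action") or "", m.group("evid")))
    return hits


# Constructed sample log (not real appliance output). 192.0.2.10 is a documentation
# address standing in for <remote-IP-address>; the 'admin' line is an assumed shape
# for a change made by an authenticated administrator.
SAMPLE_LOG = [
    '2021-01-01 17:42:27-00:00UTC "Config admin at 192.0.2.10 \'unknown\', enabled NTP" 0 140002:7D',
    '2021-01-01 17:50:03-00:00UTC "Config admin at 192.0.2.20 \'admin\', enabled NTP" 0 140002:7D',
    '2021-01-01 18:00:42-00:00UTC "Config admin at 192.0.2.10 \'unknown\', installed new Local Policy File" 0 140002:7D',
    '2021-01-01 18:05:10-00:00UTC "Some unrelated informational message" 0 000000:00',
    '2021-01-02 01:45:36-00:00UTC "Config admin at 192.0.2.10 \'unknown\', initiated restart regular" 0 140002:7D',
]

if __name__ == "__main__":
    for h in find_iocs(SAMPLE_LOG):
        print(f"IOC {h.timestamp} from {h.remote}: {h.action} ({h.event_id})")
```

Feed the appliance's exported Event Log to find_iocs line by line; as the advisory notes, commands that change nothing may leave no such entry, so an empty result is not a clean bill of health.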
Issue Details
CVE-2021-30648 |
--- | ---
Severity / CVSS v3.1: | Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
References: | NVD: CVE-2021-30648
Impact: | Security control bypass
Description: | An authentication bypass vulnerability in the ASG and ProxySG web management consoles allows a remote unauthenticated attacker to send crafted HTTP/HTTPS requests that bypass user authentication. The attacker can exploit this vulnerability to execute arbitrary CLI commands (through the web management console) in enable or configuration mode, view or modify the appliance configuration and policy, and shut down or restart the appliance.
Mitigation
CVE-2021-30648 is exploitable in ASG and ProxySG only if the attacker can send HTTP/HTTPS requests to the web management console. Customers can mitigate this vulnerability using existing network infrastructure, such as network partitioning and firewalls, to restrict access to the web management console to a trusted network.
CVE-2021-30648 is not exploitable to perform arbitrary code execution. ASG and ProxySG provide only a restricted CLI, not a general operating system shell, so an attacker is limited to the commands the CLI itself provides.
Revisions
2021-06-29 initial public release