
Blue Coat Fixes Several Flaws in SSL Visibility Appliance

Blue Coat has released a software update to address a total of four vulnerabilities affecting the web-based administration console (WebUI) of the company’s SSL Visibility Appliance.


The Blue Coat SSL Visibility Appliance is an encrypted traffic management platform that provides organizations with complete visibility into encrypted traffic. The WebUI, which allows customers to configure and manage the product, is accessible to authorized administrators through an HTTPS connection to the dedicated management port.

Vulnerabilities in the WebUI were discovered by Tim MalcomVetter from FishNet Security, who recently identified several security bugs in HP Network Automation.

The first vulnerability is a cross-site request forgery (CVE-2015-2852) that can be exploited by a remote attacker to gain access to the WebUI and perform various actions on behalf of an administrator. For the attack to work, the malicious actor must trick an administrator into visiting a specially crafted website.

The SSL Visibility Appliance’s WebUI is also vulnerable to clickjacking attacks due to improper validation of the request origin (CVE-2015-2854). Because the product does not set an X-Frame-Options response header to enforce a same-origin framing policy, an attacker can gain access to the administration console by tricking the admin into visiting a malicious website. If the targeted user is not authenticated, the attacker can trick them into authenticating by using hidden iframes, Blue Coat said in its advisory.

The WebUI is also vulnerable to cookie theft (CVE-2015-2855) and session fixation (CVE-2015-2853).

An attacker capable of sniffing network traffic can steal or manipulate an administrator’s cookie because these cookies don’t have HttpOnly and Secure flags set. The stolen cookie can then be used to impersonate the administrator.

The session fixation bug allows an attacker to hijack a user’s session by obtaining a valid session ID. Session IDs, which are set prior to authentication, can be obtained by an attacker because they are not invalidated or changed after authentication.
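Three of the four issues (the missing anti-framing header, the cookie flags, and the session ID that survives login) are visible in the WebUI's own HTTP responses, so a defender can verify a fix from captured headers alone. The following audit routine is an added example, not code from Blue Coat or the advisory; the cookie name `JSESSIONID` and the response headers are constructed samples, not captures from a real appliance.

```python
"""Audit a management WebUI's responses for the weakness classes in the
Blue Coat advisory: no X-Frame-Options (clickjacking), cookies without
HttpOnly/Secure (cookie theft), and a session ID that is not rotated on
authentication (session fixation). CSRF (CVE-2015-2852) cannot be judged
from headers alone and is out of scope here."""

# Constructed sample headers: one response before login, one after a
# successful login. The cookie name JSESSIONID is an assumption.
PRE_LOGIN = [("Set-Cookie", "JSESSIONID=abc123; Path=/"),
             ("Content-Type", "text/html")]
POST_LOGIN = [("Set-Cookie", "JSESSIONID=abc123; Path=/"),
              ("Content-Type", "text/html")]
# What a corrected response should look like: new ID, flags set, framing denied.
HARDENED_POST_LOGIN = [("Set-Cookie", "JSESSIONID=zz987; Path=/; HttpOnly; Secure"),
                       ("X-Frame-Options", "DENY"),
                       ("Content-Type", "text/html")]


def parse_cookies(headers):
    """Return {cookie_name: (value, set of lower-cased attribute names)}
    from every Set-Cookie header in a (name, value) header list."""
    cookies = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        cname, _, cval = parts[0].partition("=")
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        cookies[cname] = (cval, attrs)
    return cookies


def audit(pre_login, post_login, session_cookie="JSESSIONID"):
    """Return a list of finding strings; an empty list means all three checks pass."""
    findings = []
    header_names = {n.lower() for n, _ in post_login}
    if "x-frame-options" not in header_names:
        findings.append("CVE-2015-2854: no X-Frame-Options header, page can be framed")
    after = parse_cookies(post_login)
    for cname, (_, attrs) in after.items():
        missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
        if missing:
            findings.append(f"CVE-2015-2855: cookie {cname} lacks {', '.join(missing)}")
    before = parse_cookies(pre_login).get(session_cookie)
    if before and session_cookie in after and before[0] == after[session_cookie][0]:
        findings.append(f"CVE-2015-2853: {session_cookie} not rotated after authentication")
    return findings


if __name__ == "__main__":
    for line in audit(PRE_LOGIN, POST_LOGIN) or ["no findings"]:
        print(line)
```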

“A remote attacker’s access is limited by the capabilities granted to the administrator. The attacker can only perform operations in the WebUI that the administrator could perform. The WebUI can be used to read and modify information such as configuration, audit logs, authorized users, and the health and status of the appliance. It can also be used to reboot the appliance,” Blue Coat wrote in its advisory.


The vulnerabilities affect Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800 and SV3800 running versions 3.6.x through 3.8.3 of SSL Visibility. Blue Coat has addressed the bugs with the release of SSL Visibility 3.8.4. The company has noted that fixes are not being provided for versions 3.8.2f and 3.7.4.

According to Blue Coat, potential attacks can also be prevented by limiting access to the SSL Visibility management port to trusted clients, allowing only known IP addresses to access the management port, assigning distinct roles to different types of administrators, and using ProxySG and WebPulse to block access to malicious websites from clients.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
