Blue Coat has released a software update to address a total of four vulnerabilities affecting the web-based administration console (WebUI) of the company’s SSL Visibility Appliance.
The Blue Coat SSL Visibility Appliance is an encrypted traffic management platform that provides organizations complete visibility into encrypted traffic. The WebUI, which allows customers to configure and manage the product, is accessible to authorized administrators through an HTTPS connection to the dedicated management port.
Vulnerabilities in the WebUI were discovered by Tim MalcomVetter from FishNet Security, who recently identified several security bugs in HP Network Automation.
The first vulnerability is a cross-site request forgery (CVE-2015-2852) that can be exploited by a remote attacker to gain access to the WebUI and perform various actions on behalf of an administrator. For the attack to work, the malicious actor must trick an administrator into visiting a specially crafted website.
The SSL Visibility Appliance’s WebUI is also vulnerable to clickjacking attacks due to improper validation of the request origin (CVE-2015-2854). Because the product doesn’t enforce the same origin policy in X-Frame Options response headers, an attacker can gain access to the administration console by tricking the admin into visiting a malicious website. If the targeted user is not authenticated, the attacker can trick them into authenticating by using hidden iframes, Blue Coat said in its advisory.
The WebUI is also vulnerable to cookie theft (CVE-2015-2855) and session fixation (CVE-2015-2853).
An attacker capable of sniffing network traffic can steal or manipulate an administrator’s cookie because these cookies don’t have HttpOnly and Secure flags set. The stolen cookie can then be used to impersonate the administrator.
The session fixation bug allows an attacker to hijack a user’s session by obtaining a valid session ID. Session IDs, which are set prior to authentication, can be obtained by an attacker because they are not invalidated or changed after authentication.
“A remote attacker’s access is limited by the capabilities granted to the administrator. The attacker can only perform operations in the WebUI that the administrator could perform. The WebUI can be used to read and modify information such as configuration, audit logs, authorized users, and the health and status of the appliance. It can also can be used to reboot the appliance,” Blue Coat wrote in its advisory.
The vulnerabilities affect Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800 and SV3800 running versions 3.6.x through 3.8.3 of SSL Visibility. Blue Coat has addressed the bugs with the release of SSL Visibility 3.8.4. The company has noted that fixes are not being provided for versions 3.8.2f and 3.7.4.
According to Blue Coat, potential attacks can also be prevented by limiting access to the SSL Visibility management port to trusted clients, allowing only known IP addresses to access the management port, assigning distinct roles to different types of administrators, and using ProxySG and WebPulse to block access to malicious websites from clients.