7.9 - VU#221620

Executive Summary

Summary
Title	Blue Coat ProxySG local user changes contain a time and state vulnerability

Informations
Name	VU#221620	First vendor Publication	2014-02-28
Vendor	VU-CERT	Last vendor Modification	2014-02-28
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	7.9	Attack Range	Adjacent network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	5.5	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#221620

Blue Coat ProxySG local user changes contain a time and state vulnerability

Original Release date: 28 Feb 2014 | Last revised: 28 Feb 2014

Overview

Changes to Blue Coat ProxySG local users do not take effect immediately, giving an attacker with known credentials a window of opportunity to use those credentials even if the user was deleted or the password was changed. (CWE-361)

Description

Blue Coat Security Advisory SA77 states:

SGOS supports multiple types of authentication realms for authenticating administrative and proxy users. Most authentication realms use remote authentication databases. Locally defined users and user lists are in the local authentication realm. The local authentication realm is typically used for administrative and console access, but can be used for proxy users as well.

When local users change their password, are deleted, or are removed from or added to a user list, changes may take up to 15 minutes to take effect due to caching. If another password-related event (such as a correct login with the new password or a rejected login due to incorrect password) occurs, the time for changes to take effect may be shorter.

An attacker who knows the account password can exploit this gap to gain unauthorized administrative access through the Management Console, or the SSH or serial console if the local realm is used for console access. A deleted user would continue to have network access for up to 15 minutes.

Additional details may be found in the full Blue Coat Security Advisory.

Impact

An attacker with knowledge of existing credentials may be able to log in as that user even after the account was deleted. If the local realm is used for console access then the credentials may be used to compromise administrative access.

Solution

Apply an Update

Apply the appropriate patch for the affected version in use.

ProxySG 6.5 – A fix is available in 6.5.4 and later.
ProxySG 6.4 – A fix is not yet available as of 6.4.6.1.
ProxySG 6.3 – Please upgrade to a later version.
ProxySG 6.2 – A fix is not yet available as of 6.2.15.3.
ProxySG 6.1 – A fix is not yet available as of 6.1.6.3.
ProxySG 5.5 – A fix is not yet available as of 5.5.11.3.
ProxySG 5.4 and earlier – Please upgrade to a later version.

If you are unable to upgrade, please consider the following workarounds.

After changing a password, immediately log in with the new password or attempt to log in with an incorrect password.

After disabling an account, immediately attempt to use that account with an incorrect password.
Use non-local realm authentication types such as LDAP, certificate, and SAML.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Blue Coat Systems	Affected	-	28 Feb 2014

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.4	AV:A/AC:M/Au:S/C:C/I:C/A:C
Temporal	6.1	E:F/RL:OF/RC:C
Environmental	4.6	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://kb.bluecoat.com/index?page=content&id=SA77
https://cwe.mitre.org/data/definitions/361.html

Credit

Thanks to Blue Coat for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:CVE-2014-2033
Date Public:21 Feb 2014
Date First Published:28 Feb 2014
Date Last Updated:28 Feb 2014
Document Revision:7

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/221620

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-264	Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Type	Description	Count
Application	Bluecoat Proxysgos cpe:2.3:a:bluecoat:proxysgos:5.4:::::::*	1
Os	Bluecoat Proxysgos cpe:2.3:o:bluecoat:proxysgos:6.5:::::::* cpe:2.3:o:bluecoat:proxysgos:6.4:::::::* cpe:2.3:o:bluecoat:proxysgos:6.3:::::::* cpe:2.3:o:bluecoat:proxysgos:6.2:::::::* cpe:2.3:o:bluecoat:proxysgos:6.1:::::::* cpe:2.3:o:bluecoat:proxysgos:5.5:::::::* cpe:2.3:o:bluecoat:proxysgos:5.3:::::::* cpe:2.3:o:bluecoat:proxysgos::::::::	8

Information Assurance Vulnerability Management (IAVM)

Date	Description
2014-03-13	IAVM : 2014-B-0030 - Blue Coat ProxySG Security Bypass Vulnerability Severity : Category I - VMSKEY : V0046297

Nessus® Vulnerability Scanner

Date	Description
2014-02-27	Name : The remote device is potentially affected by a race condition issue. File : bluecoat_proxy_sg_6_5_4.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-03-04 13:21:18	Multiple Updates
2014-03-03 21:25:20	Multiple Updates
2014-03-02 21:24:21	Multiple Updates
2014-02-28 21:19:36	First insertion

Global Informations

Type	Count
CWE ID(s)	1
CPE ID(s)	9
IAVM(s)	1
Nessus® Exploit(s)	1

	Related
7.9	CVE-2014-2033
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)