Initial Publication Date: 22 Oct 2010
Advisory Status: Closed
Advisory Severity: High
CVSS Base Score: CVSS v2: 9.3
Legacy ID: SA46
A remote attacker can use URL links and/or malicious scripts to execute ProxyAV commands if the administrator has an active session in the ProxyAV management console.
All ProxyAV products prior to 220.127.116.11 are vulnerable.
ProxyAV 3.2 - a fix is available in 18.104.22.168 or later versions.
ProxyAV 3.1 and earlier - please upgrade to a later version.
An attacker who lures a ProxyAV administrator to browse a malicious website can use Cross-Site Request Forgery (CSRF or XSRF) to submit commands to ProxyAV and gain control of the appliance. Commands that the attacker can submit include changing the password, changing the policy, and restarting the appliance.
CVSS v2 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ProxyAV has implemented the following measures to provide better protection from CSRF attacks:
When changing the administrator password, the current password must be entered.
When disabling authentication, the current password must be entered.
All requests that modify or set configuration are submitted through POST.
The session timeout is enforced across all supported browsers (Internet Explorer version 6.0 and above and Firefox version 3.6 and above).
A logout option has been provided in the management console that will terminate the session.
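The measures above, worked into a single request handler for a hypothetical appliance management console (an added illustration, not ProxyAV code): POST-only configuration changes, the current password required for a password change or for disabling authentication, a server-enforced session timeout, and an explicit logout. Paths, the `Console` class and the session store are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Added illustration (not ProxyAV code) of the hardening measures above, as a
# framework-free handler for a hypothetical appliance management console.
SESSION_TIMEOUT_SECONDS = 10 * 60   # advisory default: 10 minutes; 0 disables expiry

def _digest(password):
    return hashlib.sha256(password.encode()).digest()

class Console:
    def __init__(self, admin_password):
        self._pw = _digest(admin_password)
        self.auth_enabled = True
        self.sessions = {}              # session id -> time of last request

    def login(self, password, now):
        if not hmac.compare_digest(self._pw, _digest(password)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = now
        return sid

    def handle(self, method, path, sid, form, now):
        last = self.sessions.get(sid)
        if last is None:
            return 401, "not logged in"
        if SESSION_TIMEOUT_SECONDS > 0 and now - last > SESSION_TIMEOUT_SECONDS:
            del self.sessions[sid]      # expiry enforced server-side, for every browser
            return 401, "session expired"
        self.sessions[sid] = now
        if path == "/logout":           # explicit logout terminates the session
            del self.sessions[sid]
            return 200, "logged out"
        if method != "POST":            # a plain URL link can no longer change state
            return 405, "configuration changes must be submitted with POST"
        # A cross-site HTML form can still POST, so the two most damaging actions
        # also demand a secret that a forging page cannot supply.
        if path in ("/set_password", "/disable_auth"):
            if not hmac.compare_digest(self._pw, _digest(form.get("current_password", ""))):
                return 403, "current password required"
            if path == "/disable_auth":
                self.auth_enabled = False
                return 200, "authentication disabled"
            self._pw = _digest(form["new_password"])
            return 200, "password changed"
        if path == "/restart":
            return 200, "restart scheduled"
        return 404, "unknown command"
```

The plain SHA-256 digest stands in for a proper salted, slow password hash, and note that a restart still goes through on any POST from a live session, which is why the operational advice below (dedicated management machine, logging out when done) still matters.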
Customers can limit the impact of this vulnerability in these ways:
Ensure the session timeout is set to a value greater than 0 so that sessions expire automatically. By default this value is set to 10 minutes.
Manage ProxyAV using a dedicated machine that does not connect to any other internal or external websites.
Use only supported browsers to access the management console.
When management tasks have been completed, log out of the session using the newly supplied logout option.