Initial Publication Date: 18 Feb 2014
Advisory Status: Closed
Advisory Severity: High
CVSS Base Score: CVSS v2: 7.4
Legacy ID: SA77
Locally defined users on the ProxySG appliance who have been deleted or whose passwords have been changed can continue to log in to the appliance for a brief period of time. An attacker with knowledge of the password for such a user can exploit this window to gain full administrative access to the appliance if the local realm is used for console access.
All versions of SGOS prior to 6.5.4 are vulnerable. This issue applies to both FIPS and non-FIPS modes.
ProxySG 6.5 – A fix is available in 6.5.4 and later. A fix is available in 126.96.36.199 and later patch releases of 6.5.2.
ProxySG 6.4 – A fix is available in 188.8.131.52 and later.
ProxySG 6.3 – Please upgrade to a later version.
ProxySG 6.2 – A fix is available in 184.108.40.206 and later.
ProxySG 6.1 – A fix will not be provided. Please upgrade to a later version that has the vulnerability fix.
ProxySG 5.5 – A fix is available in 220.127.116.11 and later.
ProxySG 5.4 and earlier – Please upgrade to a later version.
CVE-2014-2033 - CVSS v2 base score: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
SGOS supports multiple types of authentication realms for authenticating administrative and proxy users. Most authentication realms use remote authentication databases. Locally defined users and user lists are in the local authentication realm. The local authentication realm is typically used for administrative and console access, but can be used for proxy users as well.
When local users change their password, are deleted, or are removed from or added to a user list, changes may take up to 15 minutes to take effect due to caching. If another password-related event (such as a correct login with the new password or a rejected login due to incorrect password) occurs, the time for changes to take effect may be shorter.
An attacker who knows the account password can exploit this gap to gain unauthorized administrative access through the Management Console, or the SSH or serial console if the local realm is used for console access. A deleted user would continue to have network access for up to 15 minutes.
There are several ways to avoid this problem for releases that are not yet patched:
After changing a password, immediately log in with the new password or attempt to log in with an incorrect password.
After disabling an account, immediately attempt to use that account with an incorrect password.
Use non-local realm authentication types such as LDAP, certificate, and SAML.
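To show why the first two workarounds are effective, here is an added, constructed model of a local realm whose credential checks are cached; it is example code, not SGOS's own implementation (the appliance internals are not described in this advisory), and the realm, user names and passwords are invented for the illustration:

```python
import hashlib
import time

CACHE_TTL_SECONDS = 15 * 60  # the 15-minute window the advisory describes
def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()

class LocalRealm:
    """Constructed model of a local realm with cached credential checks: a login
    matching the cached digest is accepted without consulting the user store
    (vulnerable path); a mismatch or expired entry re-reads the store, which is
    why the advisory's workarounds shorten the window. invalidate_on_change=True
    drops the entry on every store change, the corrected behaviour."""
    def __init__(self, invalidate_on_change=False, clock=time.monotonic):
        self.users = {}   # authoritative store: name -> password digest
        self.cache = {}   # name -> (digest, expiry_time)
        self.invalidate_on_change = invalidate_on_change
        self.clock = clock

    def _changed(self, name):
        if self.invalidate_on_change:
            self.cache.pop(name, None)

    def set_password(self, name, password):
        self.users[name] = _digest(password)
        self._changed(name)

    def delete_user(self, name):
        self.users.pop(name, None)
        self._changed(name)

    def login(self, name, password):
        now = self.clock()
        attempt = _digest(password)
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now and entry[0] == attempt:
            return True  # cache hit: the user store is not consulted
        current = self.users.get(name)  # miss, expiry or mismatch: re-read store
        self.cache[name] = (current, now + CACHE_TTL_SECONDS)
        return current is not None and current == attempt

def old_password_still_works(invalidate_on_change=False, workaround=False):
    realm = LocalRealm(invalidate_on_change)
    realm.set_password("admin", "old-secret")
    realm.login("admin", "old-secret")  # normal use populates the cache
    realm.set_password("admin", "new-secret")
    if workaround:
        realm.login("admin", "wrong-on-purpose")  # rejected login forces a refresh
    return realm.login("admin", "old-secret")
```

`old_password_still_works()` returns True for the cached realm, False once the deliberate failed login is applied or when the realm invalidates on change; a deleted user behaves the same way until the entry expires.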
2015-01-27 A fix will not be provided for 6.1. Marked as Final.
2014-12-22 Fix is available in 18.104.22.168.
2014-12-18 Fix available in 22.214.171.124
2014-10-02 Updated severity from Medium to High due to CVSS base score.
2014-03-25 Updated 6.4 and 6.2 details.
2014-02-25 Corrected 6.2, 6.4, and 6.5 details.
2014-02-18 Initial public release