Initial Publication Date: 29 May 2015
Advisory Status: Closed
Advisory Severity: High
CVSS Base Score: CVSS v2: 8.3
Legacy ID: SA96
The SSL Visibility Appliance is susceptible to multiple web-based vulnerabilities in the administration console. The console is accessible only through the dedicated administration port. A remote attacker can use these vulnerabilities to obtain administrative access to the SSL Visibility Appliance.
SSL Visibility (SSLV)
3.8.4FC and later
Not vulnerable, fixed in 3.8.4FC-17
Upgrade to 3.8.4.
Upgrade to later release with fixes.
Upgrade to later release with fixes.
The SSL Visibility Appliance provides a web-based administration console (the WebUI) from which an authorized administrator can configure and manage the product. Access to the WebUI is only through an HTTPS connection to the dedicated management port. Administrative access to read, create, and modify information is limited by the administrator’s role (Manage Appliance, Manage Policy, Manage PKI, and Auditor).
A remote attacker’s access is limited by the capabilities granted to the administrator. The attacker can only perform operations in the WebUI that the administrator could perform. The WebUI can be used to read and modify information such as configuration, audit logs, authorized users, and the health and status of the appliance. It can also be used to reboot the appliance.
The WebUI is vulnerable to cross-site request forgery (CSRF). A remote attacker can gain access to the WebUI by persuading an administrator to visit a malicious website using spear phishing emails or other social engineering techniques. If the administrator is already authenticated to the SSL Visibility appliance, the remote attacker can use the existing session to perform actions as the administrator without the administrator’s knowledge.
The WebUI is vulnerable to session fixation. The session ID is set prior to authentication and is not changed or invalidated after authentication. An attacker can hijack an administrator's session by obtaining their session ID and creating a cookie.
The WebUI is vulnerable to clickjacking due to improper validation of the request origin. SSLV does not send an X-Frame-Options response header that restricts framing to the same origin. A remote attacker can gain access to the WebUI by persuading an administrator to visit a malicious website using spear phishing emails or other social engineering techniques. Even if the administrator is not authenticated, the remote attacker can use hidden iframes to trick the administrator into authenticating.
The WebUI is vulnerable to cookie theft attacks. A remote attacker can use the lack of the HttpOnly and Secure flags on the session cookie to obtain the administrator’s cookie, for example by capturing network traffic. The cookie can then be used by the attacker to act as the administrator.
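The following header audit checks a WebUI login sequence for the session fixation, clickjacking and cookie-flag weaknesses described above. It is an added example, not Blue Coat code; the two responses it inspects are constructed, not captured from an appliance, and the cookie name SESSIONID is assumed. CSRF protection is a per-form token and is not visible in headers, so it is not checked here.

```python
"""Audit a pre-login and a post-login HTTP response for the weaknesses named in
this advisory.  Editor-added example; the sample headers below are constructed."""


def parse_set_cookie(header):
    """Return (name, value, set of lowercase attribute names) for one Set-Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name.strip(), value, attrs


def audit(pre_auth, post_auth):
    """Return a list of findings; an empty list means every check passed.

    pre_auth  - headers of the response that first issued the session cookie
    post_auth - headers of the response to a successful login
    """
    findings = []
    name, pre_id, attrs = parse_set_cookie(pre_auth["Set-Cookie"])
    # Cookie theft: the session cookie needs HttpOnly (no script access)
    # and Secure (never sent over plain HTTP).
    for flag in ("httponly", "secure"):
        if flag not in attrs:
            findings.append(f"{name} cookie lacks {flag}")
    # Session fixation: the ID issued before login must be replaced after login.
    post_set = post_auth.get("Set-Cookie")
    if post_set is None or parse_set_cookie(post_set)[1] == pre_id:
        findings.append("session ID not regenerated after authentication")
    # Clickjacking: framing must be restricted by X-Frame-Options
    # (or a CSP frame-ancestors directive, the newer equivalent).
    xfo = post_auth.get("X-Frame-Options", "").strip().upper()
    csp = post_auth.get("Content-Security-Policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("framing not restricted (no X-Frame-Options / frame-ancestors)")
    return findings


# Constructed samples: a weak sequence matching the advisory, and a hardened one.
WEAK_PRE = {"Set-Cookie": "SESSIONID=abc123; Path=/"}
WEAK_POST = {"Set-Cookie": "SESSIONID=abc123; Path=/"}
HARD_PRE = {"Set-Cookie": "SESSIONID=abc123; Path=/; Secure; HttpOnly"}
HARD_POST = {"Set-Cookie": "SESSIONID=zz9f2e; Path=/; Secure; HttpOnly",
             "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for label, pre, post in (("weak", WEAK_PRE, WEAK_POST), ("hardened", HARD_PRE, HARD_POST)):
        print(label, audit(pre, post) or ["no findings"])
```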
Limit access to the SSL Visibility management port to trusted clients with limited access to the outside internet. SSLV can be configured to limit the IP addresses capable of accessing the management port.
Limit administrative capabilities by assigning distinct roles for different types of administrators.
Use ProxySG and WebPulse to block access to malicious websites from clients.
Thank you to Tim MalcomVetter from FishNet Security for reporting the vulnerabilities, and to CERT-CC for coordinating the disclosure.