Initial Publication Date: Advisory Status: Advisory Severity: CVSS Base Score:Legacy ID
17 Dec 2015 Closed Low CVSS v2: 3.3 SA107
The URL displayed by ProxySG and ASG in a coaching page may differ from the actual URL that the user will be directed to after clicking Accept. A user who clicks on a specially crafted URL can be directed to an undesired or possibly malicious web site.
Advanced Secure Gateway
Upgrade to 18.104.22.168.
Upgrade to 22.214.171.124.
Upgrade to 126.96.36.199.
The fix in ProxySG provides an updated default coaching policy to address this vulnerability. Customers who previously customized their coaching policies must customize the new default coaching policy to protect against this vulnerability.
An administrator can configure ProxySG and ASG to display a notification page in users’ web browsers when certain conditions are met. When a notification page is displayed, the user must click the Accept button to gain access to the web content. Notification pages are designed to provide web compliance as well as to coach users. A coaching page displays when a user visits a web site that is blocked by content filtering policy. The page explains why the site is blocked, the consequences of un-authorized access, and a link to the site if business purposes warrants access. A coaching page is configured to display each time a user visits a new web page that is barred by content filtering policy; however, you can also configure this page to appear at different time intervals. A user returning to a web page that was previously accepted by the user may or may not provide a coaching page depending on how the policy is configured.
Under normal circumstances, ProxySG and ASG direct the user’s web browser to the web site displayed in the coaching page when the Accept button is clicked. However, if a user has clicked on a specially crafted URL, there are two URLs: one in clear text, and another that is specially encoded. If the clear text URL triggers the proxy device to display a coaching page, the user will see only the clear text URL on the coaching page. In this case, if the user clicks the Accept button, the user’s web browser will be directed to the specially encoded URL.
ProxySG and ASG will enforce all configured policy and protections that apply to the specially encoded URL. For example, if the proxy device determines that the specially encoded URL is categorized as malware and the proxy device is configured to block access to such URLs, access to the specially encoded URL will be blocked and the content will not be delivered to the user’s browser.
If the content provided by the specially encoded URL is not blocked by the proxy device, the content will be delivered to the user’s browser. The content may be undesired or malicious.
The fix in ProxySG provides a new coaching policy which will prevent the user's web browser from being directed to a different URL. Customers who previosly customized their coaching policies must customize the new default coaching policy to protect against this vulnerability.
For more information about configuring notification pages, refer to the "Notify User" section in Chapter 3 of Blue Coat Systems ProxySG Visual Policy Manager Reference and Advanced Policy Tasks available on BTO.
Coaching pages can be disabled, but this option is not recommended. ProxySG and ASG will enforce configured policy and protections that apply to the specially encoded URL and will block content that should not be delivered to the user’s browser.
Review the categories that are blocked and ensure that users are not allowed to access content that is undesired and/or dangerous such as Malware, Phishing, and Botnet.
Thanks to Patrick ‘mts0n’ Mattsson from Knowit Secure AB for reporting the vulnerability.
2016-07-13 fix is available for SGOS 6.6 and ASG 6.6; SA status moved to Final
2016-01-18 Added CVE number
2015-12-21 ASG is 6.6 also vulnerable and a fix is pending.
2015-12-17 initial public release
This is machine translated content
Login to Subscribe
Please login to set up your
Would you like to be subscribed to future notifications for this article?
For security reasons, your link to this document has expired. Please click on the attachment link to access this file.
The attachment that you are looking for no longer exists.
There has been an issue retrieving your attachment. Please try again.
Currently server is down.
Didn't find the article you were looking for? Try these resources.