Initial Publication Date: 26 Oct 2017
Advisory Status: Closed
Advisory Severity: High
CVSS Base Score: CVSS v2: 8.0
Legacy ID: SA146
The ProxySG and ASG management consoles do not, under certain circumstances, correctly authorize administrator users. A malicious administrator with read-only access can exploit this vulnerability to access management console functionality that requires read-write access privileges.
Advanced Secure Gateway (ASG)
Not vulnerable, fixed in 18.104.22.168
Upgrade to 22.214.171.124.
Upgrade to 126.96.36.199.
Upgrade to 188.8.131.52.
Upgrade to 184.108.40.206.
Additional Product Information
The ProxySG and ASG management consoles provide a web-based interface for authenticated administrators to configure, manage, and monitor the respective appliance. Both products define separate read-only and read-write authorization levels for authenticated administrators. Read-only administrators can only view appliance settings and policy configuration, but not modify them. They can also perform limited troubleshooting tasks. Read-write administrators have full access to the appliance settings and policy configuration. They can also perform all management tasks available through the management console.
The ProxySG and ASG management consoles do not, under certain circumstances, correctly check the authorization of read-only administrator users. A malicious administrator with read-only access can exploit this vulnerability to access management console functionality that requires read-write access privileges.
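The advisory does not say which console functions were affected or how the check fails, so the following is an added illustration of the bug class only, not ProxySG/ASG code. It models a management console with the two authorization levels described above: the vulnerable form gates the read-write function only in the page-rendering path (the "Apply" button is hidden from read-only administrators) while the action handler itself trusts the caller; the hardened form declares the required level on every action and enforces it in one dispatcher before any handler runs. The action names, roles, settings store and the probe function are assumptions made for the example.

```python
"""Model of the authorization bug class described in the advisory.

Added example, not ProxySG/ASG code. The action names, the settings
dictionary and the role names are assumptions for illustration only; the
advisory does not disclose which console functions were affected.
"""

READ_ONLY = "read-only"
READ_WRITE = "read-write"
_LEVEL = {READ_ONLY: 0, READ_WRITE: 1}


class Forbidden(Exception):
    """Raised when a session lacks the authorization level an action requires."""


class Session:
    """An authenticated administrator session (assumed shape)."""

    def __init__(self, user, role):
        if role not in _LEVEL:
            raise ValueError("unknown role: %r" % (role,))
        self.user = user
        self.role = role


def _view_settings(console, session):
    # Read-only task: return a copy so callers cannot mutate the store.
    return dict(console.settings)


def _apply_settings(console, session, changes):
    # Read-write task: modifies appliance settings.
    console.settings.update(changes)
    return dict(console.settings)


class VulnerableConsole:
    """Authorization lives only in the UI: the read-only admin's page omits
    the 'Apply' button, but the handler the button posts to performs no role
    check. A read-only admin who sends the request directly (browser dev
    tools, curl, proxy replay) reaches read-write functionality."""

    ACTIONS = {"view_settings": _view_settings, "apply_settings": _apply_settings}

    def __init__(self):
        self.settings = {"proxy_port": 8080, "policy_enabled": True}

    def render_settings_page(self, session):
        # Hiding a control is a UI convenience, not an access control.
        return {"settings": dict(self.settings),
                "show_apply_button": session.role == READ_WRITE}

    def dispatch(self, session, action, **params):
        handler = self.ACTIONS[action]  # no authorization check at all
        return handler(self, session, **params)


class HardenedConsole:
    """Every action declares the minimum level it requires and a single
    dispatcher enforces it before the handler runs. Unregistered actions are
    refused, so a new handler cannot be exposed without a declared level."""

    ACTIONS = {
        "view_settings": (READ_ONLY, _view_settings),
        "apply_settings": (READ_WRITE, _apply_settings),
    }

    def __init__(self):
        self.settings = {"proxy_port": 8080, "policy_enabled": True}

    def dispatch(self, session, action, **params):
        entry = self.ACTIONS.get(action)
        if entry is None:
            raise Forbidden("unregistered action: %s" % action)  # fail closed
        required, handler = entry
        if _LEVEL[session.role] < _LEVEL[required]:
            raise Forbidden("%s requires %s, session is %s"
                            % (action, required, session.role))
        return handler(self, session, **params)


def read_only_can_modify(console_cls):
    """Probe a console class with a read-only session that calls the
    read-write action directly. Returns (reached, settings_after)."""
    console = console_cls()
    ro = Session("auditor", READ_ONLY)
    try:
        console.dispatch(ro, "apply_settings", changes={"policy_enabled": False})
        return True, dict(console.settings)
    except Forbidden:
        return False, dict(console.settings)


if __name__ == "__main__":
    for cls in (VulnerableConsole, HardenedConsole):
        reached, after = read_only_can_modify(cls)
        print("%-18s read-only admin changed settings: %s -> %s"
              % (cls.__name__, reached, after))
```

The probe is the check worth keeping after an upgrade: log in with a read-only account, replay each write request captured from a read-write session, and confirm the appliance refuses it rather than relying on the absence of the control in the page.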
Thanks to Jakub Pałaczyński and Pawel Bartunek for reporting this vulnerability.
2017-11-25 SA status moved to Final
2017-11-09 Symantec recommends that ProxySG 6.5 customers upgrade to 220.127.116.11 or a later release to obtain the vulnerability fixes.
2017-10-26 initial public release