Blue Coat ProxySG local user changes contain a time and state vulnerability
2014-02-28T00:00:00
ID VU:221620 Type cert Reporter CERT Modified 2014-02-28T19:01:00
Description
Overview
Changes to Blue Coat ProxySG local users do not take effect immediately, giving an attacker with known credentials a window of opportunity to use those credentials even if the user was deleted or the password was changed. (CWE-361)
SGOS supports multiple types of authentication realms for authenticating administrative and proxy users. Most authentication realms use remote authentication databases. Locally defined users and user lists are in the local authentication realm. The local authentication realm is typically used for administrative and console access, but can be used for proxy users as well.
When local users change their password, are deleted, or are removed from or added to a user list, changes may take up to 15 minutes to take effect due to caching. If another password-related event (such as a correct login with the new password or a rejected login due to incorrect password) occurs, the time for changes to take effect may be shorter.
An attacker who knows the account password can exploit this gap to gain unauthorized administrative access through the Management Console, or the SSH or serial console if the local realm is used for console access. A deleted user would continue to have network access for up to 15 minutes.
An attacker with knowledge of existing credentials may be able to log in as that user even after the account was deleted. If the local realm is used for console access then the credentials may be used to compromise administrative access.
Solution
Apply an Update
Apply the appropriate patch for the affected version in use.
* ProxySG 6.5 – A fix is available in 6.5.4 and later.
* ProxySG 6.4 – A fix is not yet available as of 6.4.6.1.
* ProxySG 6.3 – Please upgrade to a later version.
* ProxySG 6.2 – A fix is not yet available as of 6.2.15.3.
* ProxySG 6.1 – A fix is not yet available as of 6.1.6.3.
* ProxySG 5.5 – A fix is not yet available as of 5.5.11.3.
* ProxySG 5.4 and earlier – Please upgrade to a later version.
If you are unable to upgrade, please consider the following workarounds.
After changing a password, immediately log in with the new password or attempt to log in with an incorrect password.
* After disabling an account, immediately attempt to use that account with an incorrect password.
* Use non-local realm authentication types such as LDAP, certificate, and SAML.
Vendor Information
221620
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Vendor has issued information
__ Sort by: Status Alphabetical
Expand all
Affected Unknown __ Unaffected
Javascript is disabled. Click here to view vendors.
__ Blue Coat Systems
Updated: February 28, 2014
Status
__ Affected
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Thanks to Blue Coat for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
CVE IDs: | CVE-2014-2033
---|--- Date Public: | 2014-02-21 Date First Published: | 2014-02-28 Date Last Updated: | 2014-02-28 19:01 UTC Document Revision: | 7
{"id": "VU:221620", "hash": "ce6ccde4632a6a349697d03cf4253a18", "type": "cert", "bulletinFamily": "info", "title": "Blue Coat ProxySG local user changes contain a time and state vulnerability", "description": "### Overview \n\nChanges to Blue Coat ProxySG local users do not take effect immediately, giving an attacker with known credentials a window of opportunity to use those credentials even if the user was deleted or the password was changed. ([CWE-361](<https://cwe.mitre.org/data/definitions/361.html>))\n\n### Description \n\n[Blue Coat Security Advisory SA77](<https://kb.bluecoat.com/index?page=content&id=SA77>) states:\n\n_SGOS supports multiple types of authentication realms for authenticating administrative and proxy users. Most authentication realms use remote authentication databases. Locally defined users and user lists are in the local authentication realm. The local authentication realm is typically used for administrative and console access, but can be used for proxy users as well._ \n \n_When local users change their password, are deleted, or are removed from or added to a user list, changes may take up to 15 minutes to take effect due to caching. If another password-related event (such as a correct login with the new password or a rejected login due to incorrect password) occurs, the time for changes to take effect may be shorter._ \n \n_An attacker who knows the account password can exploit this gap to gain unauthorized administrative access through the Management Console, or the SSH or serial console if the local realm is used for console access. A deleted user would continue to have network access for up to 15 minutes._ \n \nAdditional details may be found in the full [Blue Coat Security Advisory](<https://kb.bluecoat.com/index?page=content&id=SA77>). \n \n--- \n \n### Impact \n\nAn attacker with knowledge of existing credentials may be able to log in as that user even after the account was deleted. If the local realm is used for console access then the credentials may be used to compromise administrative access. \n \n--- \n \n### Solution \n\n**Apply an Update** \n \nApply the appropriate patch for the affected version in use. \n\n\n * ProxySG 6.5 \u2013 A fix is available in 6.5.4 and later. \n * ProxySG 6.4 \u2013 A fix is not yet available as of 6.4.6.1.\n * ProxySG 6.3 \u2013 Please upgrade to a later version.\n * ProxySG 6.2 \u2013 A fix is not yet available as of 6.2.15.3.\n * ProxySG 6.1 \u2013 A fix is not yet available as of 6.1.6.3.\n * ProxySG 5.5 \u2013 A fix is not yet available as of 5.5.11.3.\n * ProxySG 5.4 and earlier \u2013 Please upgrade to a later version.\n \nIf you are unable to upgrade, please consider the following workarounds. \n--- \n \nAfter changing a password, immediately log in with the new password or attempt to log in with an incorrect password.\n\n * After disabling an account, immediately attempt to use that account with an incorrect password.\n * Use non-local realm authentication types such as LDAP, certificate, and SAML. \n--- \n \n### Vendor Information\n\n221620\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Blue Coat Systems \n\nUpdated: February 28, 2014 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C \nTemporal | 6.1 | E:F/RL:OF/RC:C \nEnvironmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * [https://kb.bluecoat.com/index?page=content&id=SA77](<https://kb.bluecoat.com/index?page=content&id=SA77>)\n * <https://cwe.mitre.org/data/definitions/361.html>\n\n### Credit\n\nThanks to Blue Coat for reporting this vulnerability. \n\nThis document was written by Jared Allar. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2014-2033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2033>) \n---|--- \n**Date Public:** | 2014-02-21 \n**Date First Published:** | 2014-02-28 \n**Date Last Updated: ** | 2014-02-28 19:01 UTC \n**Document Revision: ** | 7 \n", "published": "2014-02-28T00:00:00", "modified": "2014-02-28T19:01:00", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/221620", "reporter": "CERT", "references": ["https://kb.bluecoat.com/index?page=content&id=SA77", "https://cwe.mitre.org/data/definitions/361.html"], "cvelist": ["CVE-2014-2033"], "lastseen": "2018-12-25T20:17:44", "history": [{"bulletin": {"id": "VU:221620", "hash": "5455be1cb8d6c40e0fee18dca17a8a7582663b235e325f76a44e425219235574", "type": "cert", "bulletinFamily": "info", "title": "Blue Coat ProxySG local user changes contain a time and state vulnerability", "description": "### Overview\n\nChanges to Blue Coat ProxySG local users do not take effect immediately, giving an attacker with known credentials a window of opportunity to use those credentials even if the user was deleted or the password was changed. ([CWE-361](<https://cwe.mitre.org/data/definitions/361.html>))\n\n### Description\n\n[Blue Coat Security Advisory SA77](<https://kb.bluecoat.com/index?page=content&id=SA77>) states: \n\n_SGOS supports multiple types of authentication realms for authenticating administrative and proxy users. Most authentication realms use remote authentication databases. Locally defined users and user lists are in the local authentication realm. The local authentication realm is typically used for administrative and console access, but can be used for proxy users as well._ \n \n_When local users change their password, are deleted, or are removed from or added to a user list, changes may take up to 15 minutes to take effect due to caching. If another password-related event (such as a correct login with the new password or a rejected login due to incorrect password) occurs, the time for changes to take effect may be shorter._ \n \n_An attacker who knows the account password can exploit this gap to gain unauthorized administrative access through the Management Console, or the SSH or serial console if the local realm is used for console access. A deleted user would continue to have network access for up to 15 minutes._ \n\n\nAdditional details may be found in the full [Blue Coat Security Advisory](<https://kb.bluecoat.com/index?page=content&id=SA77>). \n \n--- \n \n### Impact\n\nAn attacker with knowledge of existing credentials may be able to log in as that user even after the account was deleted. If the local realm is used for console access then the credentials may be used to compromise administrative access. \n \n--- \n \n### Solution\n\n**Apply an Update** \n \nApply the appropriate patch for the affected version in use. \n\n\n * ProxySG 6.5 \u2013 A fix is available in 6.5.4 and later. \n * ProxySG 6.4 \u2013 A fix is not yet available as of 6.4.6.1. \n * ProxySG 6.3 \u2013 Please upgrade to a later version. \n * ProxySG 6.2 \u2013 A fix is not yet available as of 6.2.15.3. \n * ProxySG 6.1 \u2013 A fix is not yet available as of 6.1.6.3. \n * ProxySG 5.5 \u2013 A fix is not yet available as of 5.5.11.3. \n * ProxySG 5.4 and earlier \u2013 Please upgrade to a later version.\n \nIf you are unable to upgrade, please consider the following workarounds. \n \n--- \n \nAfter changing a password, immediately log in with the new password or attempt to log in with an incorrect password. \n\n * After disabling an account, immediately attempt to use that account with an incorrect password. \n * Use non-local realm authentication types such as LDAP, certificate, and SAML. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nBlue Coat Systems| | -| 28 Feb 2014 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23221620 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C \nTemporal | 6.1 | E:F/RL:OF/RC:C \nEnvironmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n### References\n\n * [https://kb.bluecoat.com/index?page=content&id;=SA77](<https://kb.bluecoat.com/index?page=content&id=SA77>)\n * <https://cwe.mitre.org/data/definitions/361.html>\n\n### Credit\n\nThanks to Blue Coat for reporting this vulnerability.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n * CVE IDs: [CVE-2014-2033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2033>)\n * Date Public: 21 Feb 2014\n * Date First Published: 28 Feb 2014\n * Date Last Updated: 28 Feb 2014\n * Document Revision: 7\n\n", "published": "2014-02-28T00:00:00", "modified": "2014-02-28T00:00:00", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/221620", "reporter": "CERT", "references": ["http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2033", "https://cwe.mitre.org/data/definitions/361.html", "https://cwe.mitre.org/data/definitions/361.html", "https://kb.bluecoat.com/index?page=content&id=SA77", "https://kb.bluecoat.com/index?page=content&id=SA77", "https://kb.bluecoat.com/index?page=content&id=SA77"], "cvelist": ["CVE-2014-2033", "CVE-2014-2033"], "lastseen": "2016-02-03T09:13:03", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2016-02-03T09:13:03", "differentElements": ["description"], "edition": 1}, {"bulletin": {"id": "VU:221620", "hash": "232ccb38ab83fe3f435e2728268d05e7709bce164c2033e7a1a6cfc8634a23a7", "type": "cert", "bulletinFamily": "info", "title": "Blue Coat ProxySG local user changes contain a time and state vulnerability", "description": "### Overview\n\nChanges to Blue Coat ProxySG local users do not take effect immediately, giving an attacker with known credentials a window of opportunity to use those credentials even if the user was deleted or the password was changed. ([CWE-361](<https://cwe.mitre.org/data/definitions/361.html>))\n\n### Description\n\n[Blue Coat Security Advisory SA77](<https://kb.bluecoat.com/index?page=content&id=SA77>) states: \n\n_SGOS supports multiple types of authentication realms for authenticating administrative and proxy users. Most authentication realms use remote authentication databases. Locally defined users and user lists are in the local authentication realm. The local authentication realm is typically used for administrative and console access, but can be used for proxy users as well._ \n \n_When local users change their password, are deleted, or are removed from or added to a user list, changes may take up to 15 minutes to take effect due to caching. If another password-related event (such as a correct login with the new password or a rejected login due to incorrect password) occurs, the time for changes to take effect may be shorter._ \n \n_An attacker who knows the account password can exploit this gap to gain unauthorized administrative access through the Management Console, or the SSH or serial console if the local realm is used for console access. A deleted user would continue to have network access for up to 15 minutes._ \n \nAdditional details may be found in the full [Blue Coat Security Advisory](<https://kb.bluecoat.com/index?page=content&id=SA77>). \n \n--- \n \n### Impact\n\nAn attacker with knowledge of existing credentials may be able to log in as that user even after the account was deleted. If the local realm is used for console access then the credentials may be used to compromise administrative access. \n \n--- \n \n### Solution\n\n**Apply an Update** \n \nApply the appropriate patch for the affected version in use. \n\n\n * ProxySG 6.5 \u2013 A fix is available in 6.5.4 and later. \n * ProxySG 6.4 \u2013 A fix is not yet available as of 6.4.6.1. \n * ProxySG 6.3 \u2013 Please upgrade to a later version. \n * ProxySG 6.2 \u2013 A fix is not yet available as of 6.2.15.3. \n * ProxySG 6.1 \u2013 A fix is not yet available as of 6.1.6.3. \n * ProxySG 5.5 \u2013 A fix is not yet available as of 5.5.11.3. \n * ProxySG 5.4 and earlier \u2013 Please upgrade to a later version.\n \nIf you are unable to upgrade, please consider the following workarounds. \n \n--- \n \nAfter changing a password, immediately log in with the new password or attempt to log in with an incorrect password. \n\n * After disabling an account, immediately attempt to use that account with an incorrect password. \n * Use non-local realm authentication types such as LDAP, certificate, and SAML. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nBlue Coat Systems| | -| 28 Feb 2014 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23221620 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C \nTemporal | 6.1 | E:F/RL:OF/RC:C \nEnvironmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n### References\n\n * [https://kb.bluecoat.com/index?page=content&id;=SA77](<https://kb.bluecoat.com/index?page=content&id=SA77>)\n * <https://cwe.mitre.org/data/definitions/361.html>\n\n### Credit\n\nThanks to Blue Coat for reporting this vulnerability.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n * CVE IDs: [CVE-2014-2033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2033>)\n * Date Public: 21 Feb 2014\n * Date First Published: 28 Feb 2014\n * Date Last Updated: 28 Feb 2014\n * Document Revision: 7\n\n", "published": "2014-02-28T00:00:00", "modified": "2014-02-28T00:00:00", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/221620", "reporter": "CERT", "references": ["http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2033", "https://cwe.mitre.org/data/definitions/361.html", "https://cwe.mitre.org/data/definitions/361.html", "https://kb.bluecoat.com/index?page=content&id=SA77", "https://kb.bluecoat.com/index?page=content&id=SA77", "https://kb.bluecoat.com/index?page=content&id=SA77"], "cvelist": ["CVE-2014-2033", "CVE-2014-2033"], "lastseen": "2018-08-02T21:56:40", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2018-08-02T21:56:40", "differentElements": ["cvss"], "edition": 2}, {"bulletin": {"id": "VU:221620", "hash": "76dd7aa9172fc924e7ae56c030cc790c261a83dea8ca9e9bd999bbf840c38b36", "type": "cert", "bulletinFamily": "info", "title": "Blue Coat ProxySG local user changes contain a time and state vulnerability", "description": "### Overview\n\nChanges to Blue Coat ProxySG local users do not take effect immediately, giving an attacker with known credentials a window of opportunity to use those credentials even if the user was deleted or the password was changed. ([CWE-361](<https://cwe.mitre.org/data/definitions/361.html>))\n\n### Description\n\n[Blue Coat Security Advisory SA77](<https://kb.bluecoat.com/index?page=content&id=SA77>) states: \n\n_SGOS supports multiple types of authentication realms for authenticating administrative and proxy users. Most authentication realms use remote authentication databases. Locally defined users and user lists are in the local authentication realm. The local authentication realm is typically used for administrative and console access, but can be used for proxy users as well._ \n \n_When local users change their password, are deleted, or are removed from or added to a user list, changes may take up to 15 minutes to take effect due to caching. If another password-related event (such as a correct login with the new password or a rejected login due to incorrect password) occurs, the time for changes to take effect may be shorter._ \n \n_An attacker who knows the account password can exploit this gap to gain unauthorized administrative access through the Management Console, or the SSH or serial console if the local realm is used for console access. A deleted user would continue to have network access for up to 15 minutes._ \n \nAdditional details may be found in the full [Blue Coat Security Advisory](<https://kb.bluecoat.com/index?page=content&id=SA77>). \n \n--- \n \n### Impact\n\nAn attacker with knowledge of existing credentials may be able to log in as that user even after the account was deleted. If the local realm is used for console access then the credentials may be used to compromise administrative access. \n \n--- \n \n### Solution\n\n**Apply an Update** \n \nApply the appropriate patch for the affected version in use. \n\n\n * ProxySG 6.5 \u2013 A fix is available in 6.5.4 and later. \n * ProxySG 6.4 \u2013 A fix is not yet available as of 6.4.6.1. \n * ProxySG 6.3 \u2013 Please upgrade to a later version. \n * ProxySG 6.2 \u2013 A fix is not yet available as of 6.2.15.3. \n * ProxySG 6.1 \u2013 A fix is not yet available as of 6.1.6.3. \n * ProxySG 5.5 \u2013 A fix is not yet available as of 5.5.11.3. \n * ProxySG 5.4 and earlier \u2013 Please upgrade to a later version.\n \nIf you are unable to upgrade, please consider the following workarounds. \n \n--- \n \nAfter changing a password, immediately log in with the new password or attempt to log in with an incorrect password. \n\n * After disabling an account, immediately attempt to use that account with an incorrect password. \n * Use non-local realm authentication types such as LDAP, certificate, and SAML. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nBlue Coat Systems| | -| 28 Feb 2014 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23221620 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C \nTemporal | 6.1 | E:F/RL:OF/RC:C \nEnvironmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n### References\n\n * [https://kb.bluecoat.com/index?page=content&id;=SA77](<https://kb.bluecoat.com/index?page=content&id=SA77>)\n * <https://cwe.mitre.org/data/definitions/361.html>\n\n### Credit\n\nThanks to Blue Coat for reporting this vulnerability.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n * CVE IDs: [CVE-2014-2033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2033>)\n * Date Public: 21 Feb 2014\n * Date First Published: 28 Feb 2014\n * Date Last Updated: 28 Feb 2014\n * Document Revision: 7\n\n", "published": "2014-02-28T00:00:00", "modified": "2014-02-28T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.kb.cert.org/vuls/id/221620", "reporter": "CERT", "references": ["http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2033", "https://cwe.mitre.org/data/definitions/361.html", "https://cwe.mitre.org/data/definitions/361.html", "https://kb.bluecoat.com/index?page=content&id=SA77", "https://kb.bluecoat.com/index?page=content&id=SA77", "https://kb.bluecoat.com/index?page=content&id=SA77"], "cvelist": ["CVE-2014-2033", "CVE-2014-2033"], "lastseen": "2018-08-30T20:36:14", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2018-08-30T20:36:14", "differentElements": ["cvss"], "edition": 3}, {"bulletin": {"id": "VU:221620", "hash": "d5c13efa6cd6e7b431b1c66d863ac814", "type": "cert", "bulletinFamily": "info", "title": "Blue Coat ProxySG local user changes contain a time and state vulnerability", "description": "### Overview\n\nChanges to Blue Coat ProxySG local users do not take effect immediately, giving an attacker with known credentials a window of opportunity to use those credentials even if the user was deleted or the password was changed. ([CWE-361](<https://cwe.mitre.org/data/definitions/361.html>))\n\n### Description\n\n[Blue Coat Security Advisory SA77](<https://kb.bluecoat.com/index?page=content&id=SA77>) states: \n\n_SGOS supports multiple types of authentication realms for authenticating administrative and proxy users. Most authentication realms use remote authentication databases. Locally defined users and user lists are in the local authentication realm. The local authentication realm is typically used for administrative and console access, but can be used for proxy users as well._ \n \n_When local users change their password, are deleted, or are removed from or added to a user list, changes may take up to 15 minutes to take effect due to caching. If another password-related event (such as a correct login with the new password or a rejected login due to incorrect password) occurs, the time for changes to take effect may be shorter._ \n \n_An attacker who knows the account password can exploit this gap to gain unauthorized administrative access through the Management Console, or the SSH or serial console if the local realm is used for console access. A deleted user would continue to have network access for up to 15 minutes._ \n \nAdditional details may be found in the full [Blue Coat Security Advisory](<https://kb.bluecoat.com/index?page=content&id=SA77>). \n \n--- \n \n### Impact\n\nAn attacker with knowledge of existing credentials may be able to log in as that user even after the account was deleted. If the local realm is used for console access then the credentials may be used to compromise administrative access. \n \n--- \n \n### Solution\n\n**Apply an Update** \n \nApply the appropriate patch for the affected version in use. \n\n\n * ProxySG 6.5 \u2013 A fix is available in 6.5.4 and later. \n * ProxySG 6.4 \u2013 A fix is not yet available as of 6.4.6.1. \n * ProxySG 6.3 \u2013 Please upgrade to a later version. \n * ProxySG 6.2 \u2013 A fix is not yet available as of 6.2.15.3. \n * ProxySG 6.1 \u2013 A fix is not yet available as of 6.1.6.3. \n * ProxySG 5.5 \u2013 A fix is not yet available as of 5.5.11.3. \n * ProxySG 5.4 and earlier \u2013 Please upgrade to a later version.\n \nIf you are unable to upgrade, please consider the following workarounds. \n \n--- \n \nAfter changing a password, immediately log in with the new password or attempt to log in with an incorrect password. \n\n * After disabling an account, immediately attempt to use that account with an incorrect password. \n * Use non-local realm authentication types such as LDAP, certificate, and SAML. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nBlue Coat Systems| | -| 28 Feb 2014 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23221620 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C \nTemporal | 6.1 | E:F/RL:OF/RC:C \nEnvironmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n### References\n\n * [https://kb.bluecoat.com/index?page=content&id;=SA77](<https://kb.bluecoat.com/index?page=content&id=SA77>)\n * <https://cwe.mitre.org/data/definitions/361.html>\n\n### Credit\n\nThanks to Blue Coat for reporting this vulnerability.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n * CVE IDs: [CVE-2014-2033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2033>)\n * Date Public: 21 Feb 2014\n * Date First Published: 28 Feb 2014\n * Date Last Updated: 28 Feb 2014\n * Document Revision: 7\n\n", "published": "2014-02-28T00:00:00", "modified": "2014-02-28T00:00:00", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/221620", "reporter": "CERT", "references": ["http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2033", "https://cwe.mitre.org/data/definitions/361.html", "https://cwe.mitre.org/data/definitions/361.html", "https://kb.bluecoat.com/index?page=content&id=SA77", "https://kb.bluecoat.com/index?page=content&id=SA77", "https://kb.bluecoat.com/index?page=content&id=SA77"], "cvelist": ["CVE-2014-2033", "CVE-2014-2033"], "lastseen": "2018-08-31T02:36:31", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2018-08-31T02:36:31", "differentElements": ["cvelist", "description", "modified", "references"], "edition": 4}], "viewCount": 1, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "vulnersScore": 7.2}, "objectVersion": "1.4", "_object_type": "robots.models.cert.CertBulletin", "_object_types": ["robots.models.cert.CertBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2018-12-13T12:06:49", "references": ["http://www.kb.cert.org/vuls/id/221620", "https://kb.bluecoat.com/index?page=content&id=SA77"], "description": "The caching feature in SGOS in Blue Coat ProxySG 5.5 through 5.5.11.3, 6.1 through 6.1.6.3, 6.2 through 6.2.15.3, 6.4 through 6.4.6.1, and 6.3 and 6.5 before 6.5.4 allows remote authenticated users to bypass intended access restrictions during a time window after account deletion or modification by leveraging knowledge of previously valid credentials.", "edition": 2, "reporter": "NVD", "published": "2014-03-02T12:55:02", "title": "CVE-2014-2033", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-2033"], "scanner": [], "modified": "2018-12-12T11:59:37", "cpe": ["cpe:/o:bluecoat:proxysgos:6.1.6.3", "cpe:/o:bluecoat:proxysgos:5.5", "cpe:/o:bluecoat:proxysgos:6.2", "cpe:/o:bluecoat:proxysgos:6.3", "cpe:/o:bluecoat:proxysgos:6.2.15.3", "cpe:/o:bluecoat:proxysgos:5.5.11", "cpe:/o:bluecoat:proxysgos:6.1", "cpe:/o:bluecoat:proxysgos:6.5", "cpe:/o:bluecoat:proxysgos:6.4.6.1", "cpe:/o:bluecoat:proxysgos:6.4"], "id": "CVE-2014-2033", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2033", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:31:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "CVE ID:CVE-2014-2033\r\n\r\nBlue Coat ProxySG\u662f\u4e00\u6b3e\u4ee3\u7406\u8bbe\u5907\u5e73\u53f0\uff0c\u5e2e\u52a9\u4f01\u4e1a\u52a0\u901f\u548c\u4fdd\u62a4\u5206\u5e03\u5f0f\u7f51\u7edc\u4e2d\u7684\u5e94\u7528\u3002\r\n\r\nBlue Coat ProxySG SGOS\u4e2d\u7684\u7f13\u5b58\u529f\u80fd\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u901a\u8fc7\u9a8c\u8bc1\u7684\u7528\u6237\u5229\u7528\u4e4b\u524d\u5408\u6cd5\u7684\u8d26\u6237\u4fe1\u606f\uff0c\u5728\u8d26\u6237\u5220\u9664\u6216\u4fee\u6539\u65f6\u95f4\u7a97\u53e3\u4e2d\u7ed5\u8fc7\u8bbf\u95ee\u9650\u5236\uff0c\u672a\u6388\u6743\u8bbf\u95ee\u8bbe\u5907\u3002\n0\nBlue Coat ProxySG 5.5 - 5.5.11.3\r\nBlue Coat ProxySG 6.1 - 6.1.6.3\r\nBlue Coat ProxySG 6.2 - 6.2.15.3\r\nBlue Coat ProxySG 6.4 - 6.4.6.1\r\nBlue Coat ProxySG 6.3\r\nBlue Coat ProxySG 6.5\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nBlue Coat ProxySG\r\n-----\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://kb.bluecoat.com/index?page=content&id=SA77", "reporter": "Root", "published": "2014-03-07T00:00:00", "title": "Blue Coat ProxySG\u8bbf\u95ee\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2033"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-03-07T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61691", "id": "SSV:61691", "sourceData": "", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "", "status": "details"}], "nessus": [{"lastseen": "2019-01-16T20:18:03", "references": ["http://web.archive.org/web/20140323100022/https://kb.bluecoat.com/index?page=content&id=SA77"], "pluginID": "72726", "description": "The remote Blue Coat ProxySG device's SGOS self-reported version is\nprior to 6.5.4.0. It is, therefore, potentially affected by a race\ncondition issue during the time before the new changes take effect after\na local user account modification due to configuration caching. User\naccount modifications include password changes, user account deletion,\nor the addition or removal of a user account to a user list. \n\nNote that this issue only affects user accounts using local realm\nauthentication.", "edition": 7, "reporter": "Tenable", "published": "2014-02-27T00:00:00", "title": "Blue Coat ProxySG Local User Modification Race Condition", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Firewalls", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-2033"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:bluecoat:sgos"], "id": "BLUECOAT_PROXY_SG_6_5_4.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72726", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72726);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2014-2033\");\n script_bugtraq_id(66054);\n script_xref(name:\"CERT\", value:\"221620\");\n\n script_name(english:\"Blue Coat ProxySG Local User Modification Race Condition\");\n script_summary(english:\"Checks the Blue Coat ProxySG SGOS version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote device is potentially affected by a race condition issue.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Blue Coat ProxySG device's SGOS self-reported version is\nprior to 6.5.4.0. It is, therefore, potentially affected by a race\ncondition issue during the time before the new changes take effect after\na local user account modification due to configuration caching. User\naccount modifications include password changes, user account deletion,\nor the addition or removal of a user account to a user list. \n\nNote that this issue only affects user accounts using local realm\nauthentication.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://web.archive.org/web/20140323100022/https://kb.bluecoat.com/index?page=content&id=SA77\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 6.5.4.0 or refer to the vendor.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:bluecoat:sgos\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/27\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Firewalls\");\n\n script_dependencies(\"bluecoat_proxy_sg_version.nasl\");\n script_require_keys(\"Host/BlueCoat/ProxySG/Version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/BlueCoat/ProxySG/Version\");\nui_version = get_kb_item(\"Host/BlueCoat/ProxySG/UI_Version\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nreport_fix = NULL;\n\n# Select version for report\nif (isnull(ui_version)) report_ver = version;\nelse report_ver = ui_version;\n\n\nif (version =~ \"^6\\.5\\.\" && ver_compare(ver:version, fix:\"6.5.4.0\", strict:FALSE) == -1)\n{\n fix = '6.5.4.0';\n ui_fix = '6.5.4.0 Build 0';\n\n # Select fixed version for report\n if (isnull(ui_version)) report_fix = fix;\n else report_fix = ui_fix;\n}\nelse if (\n version =~ \"^6\\.4\\.([0-5]\\.[0-9]+|6\\.[01])($|[^0-9])\" ||\n version =~ \"^6\\.2\\.((([0-9]|1[0-4])\\.[0-9]+)|15\\.[0-3])($|[^0-9])\" ||\n version =~ \"^6\\.1\\.(([0-5]\\.[0-9]+)|6\\.[0-3])($|[^0-9])\" ||\n version =~ \"^5\\.5\\.((([0-9]|10)\\.[0-9]+)|(11\\.[0-3]))($|[^0-9])\"\n) report_fix = \"A fix is not yet available.\";\nelse if (\n version =~ \"^6\\.3\\.\" ||\n version =~ \"^5\\.[0-4]\\.\" ||\n version =~ \"^[0-4]\\.\"\n) report_fix = \"Upgrade to a later version.\";\n\nif (report_fix)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + report_ver +\n '\\n Fixed version : ' + report_fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'Blue Coat ProxySG', version);\n", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
