Symantec Security Response | SMNTC-1336
History: Nov 24, 2015 - 8:00 a.m.

SA102 : Unified Agent Configuration Changes are not Detected


EPSS: 0.0004 (Low) | Percentile: 12.7%

SUMMARY

Configuration files for Unified Agent running in local enforcement mode can be modified by administrators on the client. Configuration files can be modified to unblock categories or to disable Unified Agent entirely.

AFFECTED PRODUCTS

Unified Agent

CVE | Affected Version(s) | Remediation
All CVEs | 4.7 and later | Not vulnerable, fixed in 4.7.1
All CVEs | 4.6 (only in local enforcement mode) | Upgrade to 4.6.2
All CVEs | All versions prior to 4.6 (only in local enforcement mode) | Upgrade to later release with fixes.

ISSUES

CVE-2015-8482

Severity / CVSSv2 | Low / 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 78068 / NVD: CVE-2015-8482
Impact | Unauthorized modification

Unified Agent in local enforcement mode receives policy and configuration from the Client Manager in ProxySG. Policy contains information such as the categories that will be blocked and configuration contains settings such as whether the Unified Agent is enabled. Policy and configuration settings are set by authorized ProxySG administrators.

Prior to Unified Agent 4.6.2, an administrator on the client could remove, add, or modify policy and configuration settings without those changes being detected (CVE-2015-8482). This capability could be exploited to unblock restricted content categories or even to disable the agent entirely. Malware acting as a user with administrative privileges could exploit this to enable connections to previously disallowed malicious sites.

Unified Agent 4.6.2 and later detects alterations of the policy and configuration settings and marks them as invalid. When an invalid policy or configuration is detected, Unified Agent will enter the customer defined failure mode. To resume normal operations, the client must connect to the ProxySG Client Manager to obtain valid configuration settings. Please see the Release Notes for 4.6.2 for more information about configuring failure mode and tamper resistance.
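The tamper-detection behaviour described above (alterations marked invalid, agent enters a customer-defined failure mode, normal operation resumes only after a fresh policy is fetched) can be illustrated with a small integrity check. The following Python is an added example written for this page; it is not Symantec's code and does not claim to reproduce how Unified Agent actually validates its files. It assumes an HMAC-SHA256 tag over the canonical policy JSON, a key provisioned by the policy server (stand-in for the ProxySG Client Manager) and kept out of the local administrator's reach, and two illustrative failure modes named `FAIL_CLOSED` and `FAIL_OPEN`; the function names, the envelope format and the constructed sample policy are all assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed demo key. In a real agent the key would be provisioned by the
# policy server and held in storage the local administrator cannot read;
# it is hard-coded here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


class FailureMode(Enum):
    """Customer-defined behaviour when the local policy is found invalid."""
    FAIL_CLOSED = "fail_closed"  # block everything until a valid policy is re-fetched
    FAIL_OPEN = "fail_open"      # keep allowing traffic, but flag the condition


@dataclass(frozen=True)
class AgentState:
    policy_valid: bool
    enabled: bool
    blocked_categories: frozenset
    needs_refetch: bool
    reason: str


def _canonical(policy: dict) -> bytes:
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(policy: dict, key: bytes) -> bytes:
    """Server side: serialize the policy in an envelope carrying an HMAC-SHA256 tag."""
    tag = hmac.new(key, _canonical(policy), hashlib.sha256).hexdigest()
    return json.dumps({"policy": policy, "mac": tag}).encode()


def verify_policy(raw: bytes, key: bytes) -> Optional[dict]:
    """Client side: return the policy only if the envelope parses and its MAC matches."""
    try:
        envelope = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(envelope, dict) or not isinstance(envelope.get("policy"), dict):
        return None
    expected = hmac.new(key, _canonical(envelope["policy"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
        return None
    return envelope["policy"]


def load_agent_state(raw: Optional[bytes], key: bytes, mode: FailureMode) -> AgentState:
    """Derive the agent's effective state from the on-disk policy file.

    A missing, unparsable or tampered file is treated as invalid; the agent then
    enters the configured failure mode and must re-fetch policy from the server.
    """
    if raw is None:
        policy, reason = None, "policy file missing"
    else:
        policy = verify_policy(raw, key)
        reason = "ok" if policy is not None else "policy file failed integrity check"
    if policy is not None:
        return AgentState(True, bool(policy.get("enabled", True)),
                          frozenset(policy.get("blocked_categories", [])), False, reason)
    if mode is FailureMode.FAIL_CLOSED:
        # Fail closed: filtering stays on and every category is blocked until re-fetch.
        return AgentState(False, True, frozenset({"*"}), True, reason)
    # Fail open: traffic is allowed, but the invalid state is recorded for re-fetch/alerting.
    return AgentState(False, True, frozenset(), True, reason)


def tamper_demo(mode: FailureMode = FailureMode.FAIL_CLOSED) -> dict:
    """Constructed scenario: a valid file, the same file edited on disk, and a deleted file."""
    original = {"enabled": True, "blocked_categories": ["malware", "phishing"]}
    signed = sign_policy(original, DEMO_KEY)
    # Simulate a local edit that flips the enabled flag without knowledge of the key.
    edited = signed.replace(b'"enabled": true', b'"enabled": false')
    return {
        "valid": load_agent_state(signed, DEMO_KEY, mode),
        "edited": load_agent_state(edited, DEMO_KEY, mode),
        "deleted": load_agent_state(None, DEMO_KEY, mode),
    }


if __name__ == "__main__":
    for name, state in tamper_demo().items():
        print(f"{name:8s} valid={state.policy_valid} blocked={sorted(state.blocked_categories)} "
              f"refetch={state.needs_refetch} ({state.reason})")
```

The design point the advisory makes is visible in `load_agent_state`: the edited and the deleted file are treated identically (invalid, re-fetch required), because an attacker who can modify the file can also remove it. The check is only as strong as the secrecy of the key on the client; if a local administrator can read the key, they can re-sign the edited policy, which is why the key must live somewhere the agent protects rather than beside the policy file.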

ACKNOWLEDGEMENTS

Reported by Nate Roberts with Wipfli LLP

REVISION

2017-03-06 SA status moved to Final.
2015-12-14 This vulnerability has been reported in CVE-2015-8482.
2015-11-24 Initial public release.

CPE | Name | Operator | Version
 | unified agent | eq | 4
