Symantec Security Response SMNTC-1432
Apr 10, 2018 - 8:00 a.m.

SA162: Multiple ASG and ProxySG Vulnerabilities
SUMMARY

The Symantec ASG and ProxySG management consoles are susceptible to several vulnerabilities. A remote attacker, with access to the management console, can cause denial of service through management console application crashes. A malicious appliance administrator can also inject arbitrary JavaScript code into the management console and target other administrator users with malicious code.

AFFECTED PRODUCTS

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
CVE-2016-10258, CVE-2017-13677 | 6.7 | Upgrade to 6.7.3.1.
CVE-2016-10258, CVE-2017-13677 | 6.6 | Upgrade to 6.6.5.14.
CVE-2017-13678 | 6.7 | Upgrade to 6.7.3.7 or 6.7.4.107.
CVE-2017-13678 | 6.6 | Upgrade to 6.6.5.14.

ProxySG

CVE | Affected Version(s) | Remediation
CVE-2016-10258, CVE-2017-13677 | 6.7 | Upgrade to 6.7.3.1.
CVE-2016-10258, CVE-2017-13677 | 6.6 | Upgrade to 6.6.5.14.
CVE-2016-10258, CVE-2017-13677 | 6.5 | Upgrade to 6.5.10.8.
CVE-2017-13678 | 6.7 | Upgrade to 6.7.3.7 or 6.7.4.107.
CVE-2017-13678 | 6.6 | Upgrade to 6.6.5.14.
CVE-2017-13678 | 6.5 | Upgrade to 6.5.10.8.

ADDITIONAL PRODUCT INFORMATION

These vulnerabilities can only be exploited through the ASG and ProxySG management interfaces. Symantec recommends that customers deploy ASG and ProxySG in a secure network and restrict access to the management interfaces. Deploying the appliances outside a secure network, or leaving management interface access unrestricted, increases the risk that these vulnerabilities will be exploited.

ISSUES

CVE-2016-10258

Severity / CVSSv2 | Low / 2.7 (AV:A/AC:L/Au:S/C:N/I:P/A:N)
References | SecurityFocus: BID 103685 / NVD: CVE-2016-10258
Impact | Unrestricted file upload
Description | A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code.

CVE-2017-13677

Severity / CVSSv2 | Medium / 6.1 (AV:A/AC:L/Au:N/C:N/I:N/A:C)
References | SecurityFocus: BID 103685 / NVD: CVE-2017-13677
Impact | Denial of service
Description | A remote attacker can use crafted HTTP/HTTPS requests to cause denial of service through management console application crashes.

CVE-2017-13678

Severity / CVSSv2 | Low / 3.8 (AV:A/AC:M/Au:S/C:P/I:P/A:N)
References | SecurityFocus: BID 103685 / NVD: CVE-2017-13678
Impact | Cross Site Scripting (XSS)
Description | A malicious appliance administrator can inject arbitrary JavaScript code in the management console web client application.

MITIGATION

These vulnerabilities can only be exploited through the ASG and ProxySG management interfaces. Symantec recommends that customers deploy ASG and ProxySG in a secure network and restrict access to the management interfaces.

ACKNOWLEDGEMENTS

Symantec would like to thank:

  • Jakub Pałaczyński and Pawel Bartunek for reporting CVE-2016-10258.
  • Robert Jaroszuk @ RBS Security for reporting CVE-2017-13677 and CVE-2017-13678.

REVISION

2020-12-09 Advisory status moved to Closed.
2018-05-03 A fix for CVE-2017-13678 in ASG 6.7 and ProxySG 6.7 is available in 6.7.3.7.
2018-04-10 Initial public release.