The Symantec ASG and ProxySG management consoles are susceptible to several vulnerabilities. A remote attacker, with access to the management console, can cause denial of service through management console application crashes. A malicious appliance administrator can also inject arbitrary JavaScript code into the management console and target other administrator users with malicious code.
Advanced Secure Gateway (ASG)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-10258, CVE-2017-13677 | 6.7 | Upgrade to 6.7.3.1. |
| CVE-2016-10258, CVE-2017-13677 | 6.6 | Upgrade to 6.6.5.14. |
| CVE-2017-13678 | 6.7 | Upgrade to 6.7.3.7 or 6.7.4.107. |
| CVE-2017-13678 | 6.6 | Upgrade to 6.6.5.14. |
ProxySG

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-10258, CVE-2017-13677 | 6.7 | Upgrade to 6.7.3.1. |
| CVE-2016-10258, CVE-2017-13677 | 6.6 | Upgrade to 6.6.5.14. |
| CVE-2016-10258, CVE-2017-13677 | 6.5 | Upgrade to 6.5.10.8. |
| CVE-2017-13678 | 6.7 | Upgrade to 6.7.3.7 or 6.7.4.107. |
| CVE-2017-13678 | 6.6 | Upgrade to 6.6.5.14. |
| CVE-2017-13678 | 6.5 | Upgrade to 6.5.10.8. |
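The remediation tables above are per release line, which makes a naive numeric comparison unsafe: a 6.7.4 build below 6.7.4.107 is still open for CVE-2017-13678 even though it is numerically above 6.7.3.7. The following checker is an added example, not code from Symantec or the advisory; it encodes the fixed builds from both tables and reports which of the three CVEs remain unpatched on a given ASG or ProxySG build.

```python
# Added example, not part of the Symantec advisory: checks an installed ASG or
# ProxySG build against the remediation tables above and reports the CVEs that
# remain unpatched. Fixes are per maintenance line, so 6.7.4.100 is still open
# for CVE-2017-13678 although it is numerically above 6.7.3.7.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    return tuple(int(p) for p in s.strip().split("."))

# Fixed builds from the advisory, keyed by product, CVE and release branch (x.y).
FIXES: Dict[str, Dict[str, Dict[str, List[str]]]] = {
    "ASG": {
        "CVE-2016-10258": {"6.7": ["6.7.3.1"], "6.6": ["6.6.5.14"]},
        "CVE-2017-13677": {"6.7": ["6.7.3.1"], "6.6": ["6.6.5.14"]},
        "CVE-2017-13678": {"6.7": ["6.7.3.7", "6.7.4.107"], "6.6": ["6.6.5.14"]},
    },
    "ProxySG": {
        "CVE-2016-10258": {"6.7": ["6.7.3.1"], "6.6": ["6.6.5.14"], "6.5": ["6.5.10.8"]},
        "CVE-2017-13677": {"6.7": ["6.7.3.1"], "6.6": ["6.6.5.14"], "6.5": ["6.5.10.8"]},
        "CVE-2017-13678": {"6.7": ["6.7.3.7", "6.7.4.107"], "6.6": ["6.6.5.14"], "6.5": ["6.5.10.8"]},
    },
}

def is_fixed(installed: Version, fixed_builds: List[str]) -> bool:
    """A build is fixed if it is at or above the fixed build of its own
    maintenance line (first three components), or above every listed fix
    when it belongs to a later line the table does not name."""
    fixes = [parse_version(fb) for fb in fixed_builds]
    for fix in fixes:
        if installed[:3] == fix[:3]:
            return installed >= fix
    return installed > max(fixes)

def unpatched_cves(product: str, version: str) -> List[str]:
    """Return the advisory CVEs still open on this product/build, in table
    order. Raises ValueError when the branch is not in the advisory tables."""
    installed = parse_version(version)
    branch = ".".join(str(p) for p in installed[:2])
    open_cves = []
    for cve, branches in FIXES[product].items():
        if branch not in branches:
            raise ValueError(f"{product} {branch} is not covered by this advisory")
        if not is_fixed(installed, branches[branch]):
            open_cves.append(cve)
    return open_cves

if __name__ == "__main__":
    for product, build in [("ASG", "6.7.3.5"), ("ASG", "6.7.4.100"), ("ProxySG", "6.5.10.8")]:
        print(product, build, "->", unpatched_cves(product, build) or "no open CVEs")
```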
These vulnerabilities can only be exploited through the ASG and ProxySG management interfaces. Symantec recommends that customers deploy ASG and ProxySG in a secure network and restrict access to the management interfaces. Failing to deploy the appliances in a secure network, or to restrict management interface access, increases the risk that these vulnerabilities will be exploited.
| CVE | Severity / CVSSv2 | References | Impact | Description |
|---|---|---|---|---|
| CVE-2016-10258 | Low / 2.7 (AV:A/AC:L/Au:S/C:N/I:P/A:N) | SecurityFocus: BID 103685 / NVD: CVE-2016-10258 | Unrestricted file upload | A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code. |
| CVE-2017-13677 | Medium / 6.1 (AV:A/AC:L/Au:N/C:N/I:N/A:C) | SecurityFocus: BID 103685 / NVD: CVE-2017-13677 | Denial of service | A remote attacker can use crafted HTTP/HTTPS requests to cause denial of service through management console application crashes. |
| CVE-2017-13678 | Low / 3.8 (AV:A/AC:M/Au:S/C:P/I:P/A:N) | SecurityFocus: BID 103685 / NVD: CVE-2017-13678 | Cross Site Scripting (XSS) | A malicious appliance administrator can inject arbitrary JavaScript code into the management console web client application. |
Symantec would like to thank:
2020-12-09 Advisory status moved to Closed.
2018-05-03 A fix for CVE-2017-13678 in ASG 6.7 and ProxySG 6.7 is available in 6.7.3.7.
2018-04-10 Initial public release.
| Name | Operator | Version |
|---|---|---|
| advanced secure gateway (asg) | eq | 6 |
| proxysg | eq | 6 |