When configured to authenticate network users with a SAML authentication realm, Symantec ASG and ProxySG incorrectly handle SAML responses that have XML nodes with comments. A remote attacker can modify a valid SAML response without invalidating its cryptographic signature to bypass SAML authentication security controls.
The following products are vulnerable:
ASG
CVE | Affected Version(s) | Remediation
All CVEs | 6.7 | Upgrade to 6.7.4.130.
All CVEs | 6.6 | Upgrade to 6.6.5.17.

ProxySG
CVE | Affected Version(s) | Remediation
All CVEs | 6.7 | Upgrade to 6.7.4.130.
All CVEs | 6.6 | Upgrade to 6.6.5.17.
All CVEs | 6.5 | Upgrade to 6.5.10.14.
ASG and ProxySG are only vulnerable when authenticating network users in intercepted proxy traffic with a SAML authentication realm. This vulnerability does not affect administrator user authentication for the ASG and ProxySG management consoles.
The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis
Director
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Malware Analysis
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
Security Analytics
SSL Visibility
X-Series XOS
Unified Agent
The following products are under investigation:
Norman Shark Industrial Control System Protection
Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
References | SecurityFocus: BID 104282 / NVD: CVE-2018-5241
Impact | Security control bypass
Description | ASG and ProxySG have a SAML authentication bypass vulnerability. The appliances can be configured with a SAML authentication realm to authenticate network users in intercepted proxy traffic. When parsing SAML responses, ASG and ProxySG incorrectly handle XML nodes with comments. A remote attacker can modify a valid SAML response without invalidating its cryptographic signature. This may allow the attacker to bypass user authentication security controls in ASG and ProxySG.
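
The description above does not give the appliances' parsing details. As an added illustration (not Symantec code), the following shows the general class of problem: a comment is dropped by comment-less canonicalization, so the signed digest is unchanged, while a parser that reads only the first text node sees a different value. It also shows a hardened check. The assertion fragment, the `alice@example.org.test` value and all function names are constructed for this example, and a SHA-256 of the canonical form stands in for the signature.

```python
# Added illustration, not Symantec code. Sample data is constructed.
import hashlib
from xml.dom import minidom
from xml.etree.ElementTree import canonicalize

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed assertion fragment (no real signature; the digest below stands in
# for the value a signature would cover).
SIGNED = (f'<saml:Assertion xmlns:saml="{NS}"><saml:Subject>'
          '<saml:NameID>alice@example.org.test</saml:NameID>'
          '</saml:Subject></saml:Assertion>')
# Same document with a comment placed inside the NameID text.
COMMENTED = SIGNED.replace("example.org.test", "example.org<!-- c -->.test")


def c14n_digest(xml_text):
    """SHA-256 of the canonical form with comments omitted."""
    canonical = canonicalize(xml_text, with_comments=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def first_text_node(elem):
    """Fragile extraction: only the first child text node is read."""
    child = elem.firstChild
    return child.data if child is not None and child.nodeType == child.TEXT_NODE else ""


def full_text(elem):
    """Robust extraction: every text node under the element is joined."""
    return "".join(n.data for n in elem.childNodes
                   if n.nodeType in (n.TEXT_NODE, n.CDATA_SECTION_NODE))


def has_comment(node):
    """True if any descendant of node is a comment."""
    return any(c.nodeType == c.COMMENT_NODE or has_comment(c) for c in node.childNodes)


def name_id(xml_text, extract):
    """Parse the document and apply the given extractor to its NameID."""
    doc = minidom.parseString(xml_text)
    return extract(doc.getElementsByTagNameNS(NS, "NameID")[0])


def validated_name_id(xml_text):
    """Hardened path: refuse any response that contains a comment node."""
    if has_comment(minidom.parseString(xml_text)):
        raise ValueError("comment node in SAML response")
    return name_id(xml_text, full_text)
```

Rejecting comment nodes outright, as `validated_name_id` does, is a stricter policy than joining text nodes; either closes the gap between what is signed and what is read.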
Duo Finds SAML Vulnerabilities Affecting Multiple Implementations - <https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations>
CERT VU#475445 - <https://www.kb.cert.org/vuls/id/475445>
2018-11-06 A fix for ProxySG 6.5 is available in 6.5.10.14. Advisory Status moved to Closed.
2018-08-04 A fix for ProxySG 6.6 and ASG 6.6 is available in 6.6.5.17. Director is not vulnerable. Added SecurityFocus reference.
2018-07-23 A fix for ProxySG 6.7 and ASG 6.7 is available in 6.7.4.130.
2018-06-04 Security Analytics is not vulnerable.
2018-05-25 Initial public release.