Symantec Security Response SMNTC-18331
Jun 29, 2021 - 3:32 p.m.

Authentication Bypass in ASG and ProxySG


CVSS3: 9.8 High

| Metric | Value |
| --- | --- |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High

| Metric | Value |
| --- | --- |
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |

AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

The Symantec Advanced Secure Gateway (ASG) and ProxySG web management consoles are susceptible to an authentication bypass vulnerability. An unauthenticated attacker can execute arbitrary CLI commands, view/modify the appliance configuration and policy, and shutdown/restart the appliance.

Affected Product(s)

Advanced Secure Gateway (ASG)

| CVE | Supported Version(s) | Remediation |
| --- | --- | --- |
| CVE-2021-30648 | 6.6 | No longer under maintenance. Upgrade to 6.7.5.12 |
| CVE-2021-30648 | 6.7 | Upgrade to 6.7.5.12 (recommended) or 6.7.4.17 |
| CVE-2021-30648 | 7.2 | Upgrade to 7.2.7.2 |
| CVE-2021-30648 | 7.3 | Upgrade to 7.3.3.3 |

ProxySG

| CVE | Supported Version(s) | Remediation |
| --- | --- | --- |
| CVE-2021-30648 | 6.5 | No longer under maintenance. Upgrade to 6.7.5.12 (recommended). A fix is also available in 6.5.10.16. |
| CVE-2021-30648 | 6.6 | No longer under maintenance. Upgrade to 6.7.5.12 (recommended). A fix is also available in 6.6.5.19. |
| CVE-2021-30648 | 6.7 | Upgrade to 6.7.5.12 (recommended), 6.7.4.17, or 6.7.3.15 |
| CVE-2021-30648 | 7.2 | Upgrade to 7.2.7.2 |
| CVE-2021-30648 | 7.3 | Upgrade to 7.3.3.3 |

**Additional Product Information**

At the time of this advisory’s publication, Broadcom is not aware of any evidence that CVE-2021-30648 is actively exploited in the wild.

Successful exploitation of CVE-2021-30648 to modify the appliance configuration/policy, or to shut down or restart the appliance, results in Event Log messages being logged on ASG and ProxySG. Event Log messages starting with "Config admin at <remote-IP-address> ‘unknown’" are considered indicators of compromise (IOCs).

For example:
2021-01-01 17:42:27-00:00UTC “Config admin at <remote-IP-address> ‘unknown’, enabled NTP” 0 140002:7D
2021-01-01 18:00:42-00:00UTC “Config admin at <remote-IP-address> ‘unknown’, installed new Local Policy File” 0 140002:7D
2021-01-01 01:45:36-00:00UTC “Config admin at <remote-IP-address> ‘unknown’, initiated restart regular” 0 140002:7D

Exploiting this vulnerability to execute CLI commands that do not modify the appliance configuration/policy, or shut down or restart the appliance, may not produce the same Event Log messages.
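As an added example (not part of the Broadcom advisory), the following Python matches Event Log lines against the IOC pattern above and collects the unauthenticated changes per source address. The regex, the two non-IOC sample lines and the 192.0.2.10 / 198.51.100.7 addresses are constructed assumptions, not a published ProxySG log format.

```python
import re

# Field layout of the advisory's IOC lines (regex constructed here, not a published spec):
#   <date> <time+offset> "Config admin at <ip> '<user>', <action>" <n> <code>
# Straight and curly quotes are both accepted because exports and copy/paste vary.
_LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+)\s+'
    r'[“"]Config admin at (?P<ip>\S+) '
    r"[‘'](?P<user>[^’']*)[’'],\s*"
    r'(?P<action>[^”"]*)[”"]\s+.*$'
)

def parse_config_admin_event(line):
    """Return timestamp, source IP, user and action of a 'Config admin at' line,
    or None for any other Event Log line."""
    m = _LINE_RE.match(line.strip())
    return None if m is None else {k: m.group(k) for k in ("ts", "ip", "user", "action")}

def is_cve_2021_30648_ioc(line):
    """The advisory's IOC: a config/policy change, shutdown or restart that the
    appliance attributes to the literal user 'unknown' (no authenticated admin)."""
    ev = parse_config_admin_event(line)
    return ev is not None and ev["user"] == "unknown"

def find_iocs(lines):
    """Collect (source IP, action, timestamp) for each IOC line, in log order.
    Caveat from the advisory: CLI commands that change nothing leave no such entry,
    so an empty result does not prove the console was never reached."""
    return [
        (ev["ip"], ev["action"], ev["ts"])
        for ev in map(parse_config_admin_event, lines)
        if ev is not None and ev["user"] == "unknown"
    ]

def iocs_by_source(lines):
    """Count IOC events per source IP to see which hosts drove the unauthenticated changes."""
    counts = {}
    for ip, _action, _ts in find_iocs(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return counts

# Constructed sample: the advisory's three IOC examples with a documentation-range IP
# in place of <remote-IP-address>, plus two non-IOC lines whose wording is assumed.
SAMPLE_EVENT_LOG = """\
2021-01-01 17:42:27-00:00UTC "Config admin at 192.0.2.10 'unknown', enabled NTP" 0 140002:7D
2021-01-01 17:50:03-00:00UTC "Config admin at 198.51.100.7 'jsmith', enabled NTP" 0 140002:7D
2021-01-01 18:00:42-00:00UTC "Config admin at 192.0.2.10 'unknown', installed new Local Policy File" 0 140002:7D
2021-01-01 18:05:10-00:00UTC "Access log upload completed" 0 140002:7D
2021-01-01 01:45:36-00:00UTC "Config admin at 192.0.2.10 'unknown', initiated restart regular" 0 140002:7D
"""
```

Run `find_iocs(SAMPLE_EVENT_LOG.splitlines())` to list the three unauthenticated changes, or `iocs_by_source(...)` to see that all of them came from 192.0.2.10.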

Issue Details

CVE-2021-30648

| Field | Detail |
| --- | --- |
| Severity / CVSS v3.1 | Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| References | NVD: CVE-2021-30648 |
| Impact | Security control bypass |
| Description | An authentication bypass vulnerability in the ASG and ProxySG web management consoles allows a remote unauthenticated attacker to send crafted HTTP/HTTPS requests that bypass user authentication. The attacker can exploit this vulnerability to execute arbitrary CLI commands (through the web management console) in enable or configuration mode, view/modify the appliance configuration and policy, and shutdown/restart the appliance. |

Mitigation

CVE-2021-30648 is exploitable in ASG and ProxySG only if the attacker can send HTTP/HTTPS requests to the web management console. Customers can mitigate this vulnerability using existing network infrastructure, such as network partitioning and firewalls, to restrict access to the web management console to a trusted network.

CVE-2021-30648 is not exploitable to perform arbitrary code execution. ASG and ProxySG only provide a restricted CLI and not a general operating system shell. The CLI commands an attacker can execute are restricted to the commands provided by the CLI.

Revisions

2021-06-29 initial public release
