ProxySG privilege escalation
A read only ProxySG administrator can gain full administrative control by sending CLI commands over HTTPS to the ProxySG.
All versions of ProxySG prior to 6.1 are vulnerable.
A read only administrator is limited to a small subset of commands that cannot change the configuration of the ProxySG. Privileges are limited in ProxySG for commands entered in the Management Console and the CLI. Sending commands via an HTTPS URL bypasses the privilege enforcement and allows a read only administrator to execute all administrative commands.
Disabling all read-only administrators will prevent this vulnerability from being exploited.
ProxySG 6.1 - a fix is available in SGOS 184.108.40.206. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/5351.
ProxySG 5.5 - a fix is available in SGOS 220.127.116.11. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/41.
ProxySG 5.4 - a fix is available in SGOS 18.104.22.168. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/17.
ProxySG 5.3 - please upgrade to a later version.
ProxySG 4.3 - a fix is available in SGOS 22.214.171.124. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/13.
ProxySG 4.2 - please upgrade to a later version.
For information on how to upgrade SGOS, please see KB3608.
The vulnerability was discovered by Jonathon Krier and Laurent Mathieu from Verizon Business Luxembourg and reported by Thierry Zoller from Verizon Business Luxembourg.
2012-01-17 Changed status to final.
2011-02-17 Update the SGOS 5.5 fix from SGOS 126.96.36.199 to 188.8.131.52 to reflect issues that affect SGOS 184.108.40.206. Updated SGOS 4.3 fix to reflect that the issue is resolved in SGOS 220.127.116.11. Also included link to KB3608 on how to update SGOS.
2010-11-04 Notification of a fix in patch release 18.104.22.168.
2010-11-01 Notification of a patch release to address the defect in 22.214.171.124.
2010-10-27 Notification of 126.96.36.199 patch release being promoted to a GA release.
2010-10-15 Notification of a fix in patch release 188.8.131.52.
2010-09-29 Notification of a fix in 184.108.40.206. Update of pages affected by the defect in 220.127.116.11.
2010-10-02 Added information about a defect in 18.104.22.168.
2010-09-01 Added a workaround.
2010-08-23 Ammended the discovery of the vulnerability to properly credit Jonathon Krier and Laurent Mathieu.
2010-08-16 Initial public release.