ProxyAV Cross Site Request Forgery vulnerability
A remote attacker can use URL links and/or malicious scripts to execute ProxyAV commands if the administrator has an active session in the ProxyAV management console.
All ProxyAV products prior to 188.8.131.52 are vulnerable.
An attacker who lures a ProxyAV administrator to browse a malicious website can use Cross Site Request Forgery (CSRF or XSRF) to submit commands to ProxyAV and gain control of the appliance. Commands that the attacker can submit include changing the password, changing the policy, and restarting the appliance.
ProxyAV has implemented the following measures to provide better protection from CSRF attacks:
- When changing the administrator password, the current password must be entered.
- When disabling authentication, the current password must be entered.
- All requests that modify or set configuration are submitted through POST.
- The session timeout is enforced across all supported browsers (Internet Explorer version 6.0 and above and Firefox version 3.6 and above).
- A logout option has been provided in the management console that will terminate the session.
Customers can limit the impact of this vulnerability in these ways:
- Ensure the session timeout value is set to a value greater than 0 to enforce automatic session expiration. By default this value is set to 10 minutes.
- Manage ProxyAV using a dedicated machine that does not connect to any other internal or external websites.
- Use only supported browsers to access the management console.
- When management tasks have been completed, log out of the session using the newly supplied logout option.
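The protective measures and customer mitigations above, modelled as an added example that is not ProxyAV's own code: a hypothetical in-memory management console that accepts configuration changes only over POST, requires the current password before a password change, expires idle sessions after the timeout, and offers a logout that ends the session immediately. Session ids, paths and the password hashing are assumptions for illustration.

```python
import hashlib
import hmac

SESSION_TIMEOUT_S = 600   # the advisory's default of 10 minutes; 0 would disable expiry
STATE_CHANGING = {"/change_password", "/set_policy", "/restart"}   # assumed paths

def pw_hash(password):
    # Hypothetical; production code would use a salted, slow password hash.
    return hashlib.sha256(password.encode()).digest()

class ManagementConsole:
    def __init__(self, admin_password):
        self._admin = pw_hash(admin_password)
        self._sessions = {}     # session id -> time of last activity
        self.restarts = 0
    def _password_ok(self, candidate):
        return hmac.compare_digest(self._admin, pw_hash(candidate))
    def login(self, sid, password, now):
        if not self._password_ok(password):
            return False
        self._sessions[sid] = now
        return True
    def logout(self, sid):
        self._sessions.pop(sid, None)   # the added logout option: session ends at once
    def _session_valid(self, sid, now):
        last = self._sessions.get(sid)
        if last is None:
            return False
        if SESSION_TIMEOUT_S > 0 and now - last > SESSION_TIMEOUT_S:
            self._sessions.pop(sid, None)   # idle past the timeout: expire it
            return False
        self._sessions[sid] = now
        return True
    def handle(self, sid, method, path, params, now):
        # Returns an HTTP-style status for one request carrying session cookie sid.
        if not self._session_valid(sid, now):
            return 401
        if path in STATE_CHANGING and method != "POST":
            return 405   # configuration changes are POST only; a GET link does nothing
        if path == "/change_password":
            # The browser attaches the session cookie automatically, but a forged
            # request cannot supply the current password, so this check defeats it.
            if not self._password_ok(params.get("current_password", "")):
                return 403
            self._admin = pw_hash(params["new_password"])
            return 200
        if path == "/restart":
            self.restarts += 1
            return 200
        return 404
```

Note that POST-only by itself does not stop a cross-site form submission; the current-password requirement and a short timeout plus explicit logout are what limit what a forged request can achieve.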
ProxyAV 3.2 - a fix is available in 184.108.40.206 or later versions. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/4.
ProxyAV 3.1 and earlier - please upgrade to a later version.
2012-01-12 Minor edit noting that later versions contain the fix as well.
2012-01-11 Added URL for download.
2011-09-06 Marked status as final. No further fixes will be released.
2010-10-22 Initial public release