ProxyAV Cross Site Request Forgery vulnerability

Security Advisories ID: SA46
Published Date: October 22, 2010
Advisory Status: Final
Advisory Severity: High
CVSS v2 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE Number: There are no CVEs for the vulnerability.

A remote attacker can use URL links and/or malicious scripts to execute ProxyAV commands if the administrator has an active session in the ProxyAV management console.

Affected Products: 

All ProxyAV products prior to 3.2.6.1 are vulnerable.

Advisory Details: 

An attacker who lures a ProxyAV administrator to browse a malicious website can use Cross Site Request Forgery (CSRF or XSRF) to submit commands to ProxyAV and gain control of the appliance: the administrator's browser attaches the existing management-console session to any request the malicious page issues, so the appliance treats the forged request as the administrator's own. Commands that the attacker can submit include changing the password, changing the policy, and restarting the appliance.

The fixed release of ProxyAV implements the following measures to provide better protection from CSRF attacks:

  • When changing the administrator password, the current password must be entered.
  • When disabling authentication, the current password must be entered.
  • All requests that modify or set configuration are submitted through POST, so a plain link or image URL can no longer trigger them. Note that a malicious page can still auto-submit a POST form, so this measure only defeats the simplest attacks; the password checks, session timeout and logout below are what limit the remaining exposure.
  • The session timeout is enforced across all supported browsers (Internet Explorer version 6.0 and above and Firefox version 3.6 and above).
  • A logout option has been provided in the management console that will terminate the session.
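The following model shows how the measures above change what a forged request can do. It is an added illustration, not ProxyAV code: the endpoint paths (/set_password, /set_policy, /restart, /disable_auth), the form field names and the in-memory session store are assumptions chosen for the example. The forged_request helper plays the malicious page: it chooses method, path and form fields, the browser attaches the administrator's session cookie, and the attacker never learns the stored password.

```python
"""Model of the CSRF exposure in SA46 and of the listed mitigations.
Added illustration, not ProxyAV code: paths, field names and the
session store are assumptions."""
import time

SESSION_TIMEOUT = 10 * 60  # advisory: default session timeout is 10 minutes
# Assumed endpoint names; every path here changes configuration.
CONFIG_PATHS = {"/set_password", "/set_policy", "/restart", "/disable_auth"}


class Console:
    """Minimal stand-in for the management console's request handling."""

    def __init__(self, password, clock=time.time):
        self.password = password
        self.auth_enabled = True
        self.policy = "default"
        self.restarts = 0
        self.clock = clock          # injectable so the timeout can be tested
        self.sessions = {}          # session id -> time of last request

    def login(self, password):
        if password != self.password:
            return None
        sid = "sid-%d" % (len(self.sessions) + 1)
        self.sessions[sid] = self.clock()
        return sid

    def logout(self, sid):
        # Measure: an explicit logout terminates the session server-side.
        self.sessions.pop(sid, None)

    def _session_live(self, sid):
        last = self.sessions.get(sid)
        if last is None:
            return False
        if self.clock() - last > SESSION_TIMEOUT:
            # Measure: idle timeout enforced on the appliance, not only in the browser.
            del self.sessions[sid]
            return False
        self.sessions[sid] = self.clock()
        return True

    def handle(self, method, path, cookies, form):
        """Return (status, message) for one request, using HTTP-style codes."""
        if not self._session_live(cookies.get("sid")):
            return 401, "no active session"
        if path in CONFIG_PATHS and method != "POST":
            # Measure: configuration changes only via POST, so a plain link
            # or <img> URL cannot trigger them.
            return 405, "configuration changes require POST"
        if path in ("/set_password", "/disable_auth"):
            # Measure: these two actions require the current password,
            # which a malicious page does not have.
            if form.get("current") != self.password:
                return 403, "current password required"
            if path == "/set_password":
                self.password = form["new"]
                return 200, "password changed"
            self.auth_enabled = False
            return 200, "authentication disabled"
        if path == "/set_policy":
            self.policy = form["policy"]
            return 200, "policy changed"
        if path == "/restart":
            self.restarts += 1
            return 200, "restarting"
        return 404, "unknown path"


def forged_request(console, victim_sid, method, path, form=None):
    """A request issued by a malicious page inside the admin's browser:
    attacker-chosen method, path and fields; the victim's cookie is attached."""
    return console.handle(method, path, {"sid": victim_sid}, form or {})


def demo():
    """Run the scenarios and return {scenario: outcome}."""
    t = [1_000_000.0]                               # fake clock, constructed
    c = Console("s3cret", clock=lambda: t[0])
    sid = c.login("s3cret")
    r = {}
    r["link_get_password"] = forged_request(c, sid, "GET", "/set_password", {"new": "pwned"})[0]
    r["post_password_no_current"] = forged_request(c, sid, "POST", "/set_password", {"new": "pwned"})[0]
    r["post_policy_live_session"] = forged_request(c, sid, "POST", "/set_policy", {"policy": "allow-all"})[0]
    c.logout(sid)                                   # workaround: log out when done
    r["post_restart_after_logout"] = forged_request(c, sid, "POST", "/restart")[0]
    sid = c.login("s3cret")
    t[0] += SESSION_TIMEOUT + 1                     # admin walks away; timeout elapses
    r["post_restart_after_timeout"] = forged_request(c, sid, "POST", "/restart")[0]
    r["password_unchanged"] = c.password == "s3cret"
    r["policy"] = c.policy
    r["restarts"] = c.restarts
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In this model the link-based and password-changing requests fail (405 and 403), and anything sent after logout or after the idle timeout fails (401), but a forged POST to the policy endpoint still succeeds while the administrator's session is live. That residual exposure is why the workarounds that follow (a dedicated management machine and logging out after each task) remain worthwhile even on a fixed release.
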
Workarounds: 

Customers can limit the impact of this vulnerability in these ways:

  • Keep the session timeout set to a value greater than 0 so that idle sessions expire automatically. By default this value is 10 minutes.
  • Manage ProxyAV from a dedicated machine that does not connect to any other internal or external websites.
  • Use only supported browsers to access the management console.
  • When management tasks have been completed, log out of the session using the newly supplied logout option.
Patches: 

ProxyAV 3.2 - a fix is available in 3.2.6.1 or later versions. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/4.

ProxyAV 3.1 and earlier - upgrade to 3.2.6.1 or a later version.

Advisory History: 

2012-01-12 Minor edit noting that later versions also contain the fix.
2012-01-11 Added URL for download.
2011-09-06 Marked status as final.  No further fixes will be released.
2010-10-22 Initial public release
