Stack overflow in BCAAA
BCAAA is vulnerable to a stack overflow attack. An attacker could exploit this vulnerability to inject malicious code that can be run remotely and used to gain complete control of the Windows Server. BCAAA is used by ProxySG and ProxyOne.
The following products are vulnerable:
All versions of BCAAA associated with ProxySG releases 4.2.3, 4.3, 5.2, 5.3, 5.4, 5.5, and 6.1 available prior to April 21, 2011 or with a build number less than 60258 are vulnerable. The BCAAA version number cannot be used to determine if the BCAAA service has been fixed.
All versions of BCAAA associated with ProxyOne are vulnerable.
The synchronization feature of BCAAA was introduced in ProxySG versions 4.2 and 5.2. A BCAAA build associated with prior releases is not vulnerable.
ProxySG and ProxyOne require BCAAA to be deployed on a separate Windows Server machine. The best indication of whether the installed BCAAA is vulnerable is by examining the build number. The build number of BCAAA can be determined by looking at the properties of the BCAAA executable file. The file version property displays a four digit version number followed by the build number. Any build number prior to 60258 is vulnerable.
Port 16102 is only used to synchronize single sign-on information between BCAAA instances. When a vulnerable build of BCAAA is installed, the port may be configured to be open even if synchronization is not enabled. Large packets sent to this port will result in a stack overflow. In most cases, the process that belongs to the BCAAA service will crash. Specially crafted packets could result in the BCAAA service executing code provided in the packet.
The BCAAA service must be installed such that it has the ‘Log on as a service’ right. In certain configurations, the BCAAA service must also have the ‘Act as part of the operating system’ right. This makes the BCAAA service a highly privileged user. An attacker could use these rights to gain control of the Windows Server on which the BCAAA service is installed or to access the AD Domain of which the BCAAA service is a member.
Early support for the synchronization feature did not automatically enable port 16102 when BCAAA was installed. In order to enable the port, the administrator had to change the BCAAA configuration file (sso.ini) to indicate that BCAAA should perform a Domain Controller Query (DCQ) for Windows SSO. The builds of BCAAA associated with the following ProxySG versions must have both EnableSyncServer=1 and DCQEnabled=1 uncommented in the configuration file to enable port 16102:
ProxySG 4.2: 184.108.40.206 and later
ProxySG 4.3: all releases
ProxySG 5.2: all releases
ProxySG 5.3: 220.127.116.11 and 18.104.22.168 and earlier
ProxySG 5.4: 22.214.171.124 and earlier
Later builds that support data synchronization for both Windows SSO and Novell SSO enable port 16102 by default when BCAAA is installed. Port 16102 is enabled only if EnableSyncServer=1 is uncommented in the configuration file. The DCQEnabled configuration setting is only used to determine whether or not DCQ should be enabled and is not used to determine if the port should be enabled. The builds of BCAAA associated with the following ProxySG versions set EnableSyncServer=1 by default when installed and therefore enable port 16102 by default:
ProxySG 5.3: 126.96.36.199 and later except for 188.8.131.52 which does require both settings to be enabled.
ProxySG 5.4: 184.108.40.206 and later
ProxySG 5.5: all releases
ProxySG 6.1: all releases
Upgrading BCAAA does not overwrite the previous sso.ini configuration file. Customers must change the configuration file manually to disable the port.
Blue Coat encourages customers who do not use the synchronization feature to disable port 16102 as described in the Workarounds section below.
Blue Coat recommends that the BCAAA service be deployed behind the firewall. If the BCAAA service is deployed outside of the firewall, note that the CVSS v2 base score increases to 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
Customers who do not synchronize single sign-on information between BCAAA instances should disable port 16102 in the. To disable port 16102:
- Open the configuration file sso.ini file in a text editor.
- Locate the section SSOSyncSetup (the defaults are listed below).
- Change the value of EnableSyncServer to 0 (EnableSyncServer=0).
- Save the file.
- Restart the BCAAA service.
ProxyOne installations that do not synchronize single sign-on information can safely disable port 16102. To disable the port, follow the instructions for ProxySG above.
The vulnerability exists only in BCAAA. An update to the latest version of BCAAA for your SGOS version is required. An update to SGOS is encouraged, but not required.
The vulnerability fix addresses the stack overflow and disables port 16102 by default for new installations. Existing .ini files for BCAAA will not be overwritten. Blue Coat encourages customers with existing BCAAA installations to disable port 16102 if the synchronization feature is not in use. For instructions on how to disable the port, see the Workarounds section above.
ProxySG 6.2 - a fix is available in the BCAAA associated with 220.127.116.11. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/7375.
ProxySG 6.1 - a fix is available in the BCAAA associated with 18.104.22.168. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/5351.
ProxySG 5.5 - a fix is available in the BCAAA associated with 22.214.171.124. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/41.
ProxySG 5.4 - a fix is available in the BCAAA associated with 126.96.36.199. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/17.
ProxySG 5.3 - please use the BCAAA associated with 188.8.131.52.
ProxySG 4.3 - a fix is available in the BCAAA associated with 184.108.40.206. The fix is available to customers with a valid Blue Touch Online login from https://bto.bluecoat.com/download/product/13.
A fix will not be provided.
The vulnerability was discovered and reported to Blue Coat Systems by Paul Harrington of NGS Secure. Many thanks to both Paul and NGS Secure for their help.
For more information on BCAAA, see the "Using BCAAA" chapter of the SGOS Administration Guide, located at https://bto.bluecoat.com/documentation/pubs/ProxySG.
2013-08-28 Included link to the SGOS 220.127.116.11 fix, removed interim fix. Marked status as Final.
2012-01-18 Notificaiton that ProxyOne will not be fixed.
2012-01-17 Notification that the BCAAA from 18.104.22.168 can be used with 5.3.
2011-05-25 Notification of fix in a patch release of ProxySG version 22.214.171.124.
2011-05-23 Updated to specify that only the process used by BCAAA will crash if the vulnerability is exploited, not the Windows Server. Clarified which builds of BCAAA have the port enabled by default when installed. Updated to reflect that the BCAAA associated with ProxySG 126.96.36.199 has the fix.
2011-05-06 Updated to reflect a fix delivered for ProxySG 188.8.131.52 and to clarify which builds of BCAAA are vulnerable.
2011-05-02 Updated to reflect that the BCAAA associated with ProxySG 184.108.40.206 has the fix.
2011-04-27 Initial public release