Blue Coat issued a patch that mitigates vulnerabilities in its SSL Visibility appliance that could allow a remote attack.
SSL Visibility is a management program for encrypted traffic flowing in and out of a network that allows the traffic to be evaluated for threats, data loss prevention and other types of risks.
Models of the product affected by the security holes include SV800, SV1800, SV2800, and SV3800, running software versions 3.6.x through 3.8.3.
An advisory from the CERT (Computer Emergency Response Team) division at Carnegie Mellon University warns of a cross-site request forgery (CSRF) problem (CVE-2015-2852) that could be exploited if an attacker tricks a logged-in user into issuing a malicious request.
As a consequence, the attacker would be able to perform actions in the context of the victim’s session.
Another issue, labeled CVE-2015-2854, refers to a failure to enforce the same-origin policy in the X-Frame-Options response headers, opening the door for clickjacking attacks in which a page is embedded in an iframe and presented to the user in a seemingly innocuous form, such as a button or a link.
The CERT advisory also mentions a problem, CVE-2015-2853, that can lead to hijacking of a user’s session by an attacker who obtains or sets the session ID, since this takes place prior to authentication and the ID is not invalidated at the time of login.
The fourth hole found in Blue Coat’s product is an information disclosure type, labeled CVE-2015-2855. “Sensitive cookies do not have either the Secure or HttpOnly flags set. An attacker capable of sniffing network traffic can intercept or manipulate a victim user’s session ID,” said the CERT description.
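The three header-level issues described above (CVE-2015-2854, CVE-2015-2853 and CVE-2015-2855) can be checked from HTTP response headers alone. The following Python check is an added example, not code from Blue Coat or the CERT advisory; the cookie name sid and the sample headers are constructed assumptions.

```python
# Added example; SESSION_COOKIE and all sample headers are constructed assumptions.
SESSION_COOKIE = "sid"

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), val.strip(), attrs

def audit(pre_login, post_login):
    """Each argument is the (header, value) list of one HTTP response."""
    findings, sids = [], []
    for label, headers in (("pre-login", pre_login), ("post-login", post_login)):
        # Clickjacking: only DENY or SAMEORIGIN stop cross-origin framing.
        xfo = [v.strip().upper() for h, v in headers if h.lower() == "x-frame-options"]
        if not any(v in ("DENY", "SAMEORIGIN") for v in xfo):
            findings.append(f"{label}: framing not restricted (clickjacking)")
        sid = None
        for h, v in headers:
            if h.lower() != "set-cookie":
                continue
            name, val, attrs = parse_set_cookie(v)
            if name != SESSION_COOKIE:
                continue
            sid = val
            # Cookie exposure: Secure keeps the ID off plain HTTP,
            # HttpOnly keeps it away from page scripts.
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"{label}: {name} cookie missing {flag}")
        sids.append(sid)
    # Fixation: an ID issued before authentication must be replaced at login.
    if sids[0] is not None and sids[1] in (None, sids[0]):
        findings.append("session ID not rotated at login (fixation)")
    return findings

# Constructed sample responses: a weak pair and a hardened pair.
WEAK_PRE = [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc123; Path=/")]
WEAK_POST = [("Content-Type", "text/html")]  # no new cookie: old ID stays valid
HARD_PRE = [("X-Frame-Options", "SAMEORIGIN"),
            ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")]
HARD_POST = [("X-Frame-Options", "SAMEORIGIN"),
             ("Set-Cookie", "sid=f9e8d7; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    for finding in audit(WEAK_PRE, WEAK_POST):
        print(finding)
```
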
Mitigation of these risks is possible by applying the latest software update from the vendor, SSL Visibility 3.8.4, released May 11.
FishNet Security consultant Tim MalcomVetter is credited with discovering the problems.
CVE-2015-2852 has a severity score of 6.8 out of 10 as per the standard Common Vulnerability Scoring System (CVSS).