When configured to intercept or tunnel TCP connections, ProxySG breaks the client (C) <—> server (S) connections into two separate C <—> SG and SG <—> S connections. We consider the following attacks made possible by CVE-2016-5696:
- client-side reset attack: an attacker resetting the C <—> SG TCP connection
- server-side reset attack: an attacker resetting the SG <—> S TCP connection
- client-side injection attack: an attacker injecting data in the C <—> SG TCP connection
- server-side injection attack: an attacker injecting data in the SG <—> S TCP connection
Note that the connection pooling functionality in forward proxy deployments can modify the 1-to-1 relationship between C <—> SG and SG <—> S connections.
All ProxySG deployments
- The client-side reset and injection attacks are only possible if the client host acts as a TCP server which accepts connections or if the attacker can trick the client into connecting to a server they control. Neither condition should be common.
- If the attacker resets the TCP connection on one side of ProxySG (e.g. C <—> SG), ProxySG may in some cases also reset the TCP connection on the other side (e.g. SG <—> S).
Forward proxy deployments
- The attacker is inside the corporate network where ProxySG is deployed:
  - ProxySG provides protection against the server-side reset and injection attacks if all TCP traffic between the attacker and the server goes through ProxySG.
- The attacker is outside the corporate network:
  - ProxySG provides protection against the client-side reset and injection attacks if all TCP traffic between the attacker and the client goes through ProxySG.
  - ProxySG does not protect against the server-side reset and injection attacks.
Reverse proxy deployments
- The attacker is inside the corporate network:
  - ProxySG provides protection against the client-side reset and injection attacks if all TCP traffic between the attacker and the client goes through ProxySG.
  - ProxySG does not protect against the server-side reset and injection attacks.
- The attacker is outside the corporate network:
  - ProxySG provides protection against the server-side reset and injection attacks if all TCP traffic between the attacker and the server goes through ProxySG.