Security Advisory SA131: Using ProxySG to Protect Customer Networks

Article Id: 169205
Status: Published
Updated On: 23-05-2017 09:33
Legacy Id: TECH246053
Products:
ProxySG Software - SGOS
Issue/Introduction:

Security Advisory SA131 addresses TCP session hijacking vulnerabilities in operating systems that implement the defenses against TCP blind in-window attacks described in RFC 5961. ProxySG in both forward and reverse proxy deployments can provide limited protection to customer networks against session hijacking attacks.

Resolution:

When configured to intercept or tunnel TCP connections, ProxySG breaks the client (C) <—> server (S) connections into two separate C <—> SG and SG <—> S connections. We consider the following attacks made possible by CVE-2016-5696:

  • client-side reset attack: an attacker resetting the C <—> SG TCP connection
  • server-side reset attack: an attacker resetting the SG <—> S TCP connection
  • client-side injection attack: an attacker injecting data in the C <—> SG TCP connection
  • server-side injection attack: an attacker injecting data in the SG <—> S TCP connection

Note that the connection pooling functionality in forward proxy deployments can modify the 1-to-1 relationship between C <—> SG and SG <—> S connections.

All ProxySG deployments

  • The client-side reset and injection attacks are only possible if the client host acts as a TCP server which accepts connections or if the attacker can trick the client into connecting to a server they control. This should not be common.
  • If the attacker resets the TCP connection on one side of ProxySG (e.g. C <—> SG), ProxySG in some cases may reset the TCP connection on the other side (e.g. SG <—> S).

Forward proxy deployments

  • The attacker is inside the corporate network where ProxySG is deployed:
    • ProxySG provides protection against the server-side reset and injection attack if all TCP traffic between the attacker and the server goes through ProxySG.
  • The attacker is outside the corporate network:
    • ProxySG provides protection against the client-side reset and injection attacks if all TCP traffic between the attacker and the client goes through ProxySG.
    • ProxySG does not protect against the server-side reset and injection attacks.

Reverse proxy deployments

  • The attacker is inside the corporate network:
    • ProxySG provides protection against the client-side reset and injection attacks if all TCP traffic between the attacker and client goes through ProxySG.
    • ProxySG does not protect against the server-side reset and injection attack.
  • The attacker is outside the corporate network:
    • ProxySG provides protection against the server-side reset and injection attacks if all TCP traffic between the attacker and server goes through ProxySG.