Security Advisory SA131: Using ProxySG to Protect Customer Networks

Article ID: 169205

Products

ProxySG Software - SGOS

Issue/Introduction

Security Advisory SA131 addresses TCP session hijacking vulnerabilities in operating systems that implement the defenses against TCP blind in-window attacks described in RFC 5961. ProxySG in both forward and reverse proxy deployments can provide limited protection to customer networks against session hijacking attacks.

Resolution

When configured to intercept or tunnel TCP connections, ProxySG terminates the client (C) <—> server (S) TCP connection and replaces it with two separate connections, C <—> SG and SG <—> S. We consider the following attacks made possible by CVE-2016-5696:

  • client-side reset attack: an attacker resetting the C <—> SG TCP connection
  • server-side reset attack: an attacker resetting the SG <—> S TCP connection
  • client-side injection attack: an attacker injecting data in the C <—> SG TCP connection
  • server-side injection attack: an attacker injecting data in the SG <—> S TCP connection

Note that the connection pooling functionality in forward proxy deployments can break the 1-to-1 relationship between C <—> SG and SG <—> S connections.

All ProxySG deployments

  • The client-side reset and injection attacks are only possible if the client host acts as a TCP server that accepts connections, or if the attacker can trick the client into connecting to a server they control. Neither should be common.
  • If the attacker resets the TCP connection on one side of ProxySG (e.g. C <—> SG), ProxySG in some cases may reset the TCP connection on the other side (e.g. SG <—> S).

Forward proxy deployments

  • The attacker is inside the corporate network where ProxySG is deployed:
    • ProxySG provides protection against the server-side reset and injection attacks if all TCP traffic between the attacker and the server goes through ProxySG.
  • The attacker is outside the corporate network:
    • ProxySG provides protection against the client-side reset and injection attacks if all TCP traffic between the attacker and the client goes through ProxySG.
    • ProxySG does not protect against the server-side reset and injection attacks.

Reverse proxy deployments

  • The attacker is inside the corporate network:
    • ProxySG provides protection against the client-side reset and injection attacks if all TCP traffic between the attacker and the client goes through ProxySG.
    • ProxySG does not protect against the server-side reset and injection attacks.
  • The attacker is outside the corporate network:
    • ProxySG provides protection against the server-side reset and injection attacks if all TCP traffic between the attacker and the server goes through ProxySG.