ProxySG vulnerability mapping to vulnerabilities found using Qualys scanners.

book

Article ID: 171134

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

The purpose of this article is to provide explanations for some vulnerabilities found when using the Qualys vulnerability scanner (one of the most popular scanners out there) against a ProxySG.

Resolution

-CacheFlow CacheOS(BlueCoat) HTTP HOST Proxy Vulnerability:

This is not a vulnerability, it's expected behavior. Refer to this Security Advisor for more information:

https://www.symantec.com/security-center/network-protection-security-advisories/SA29

 

-CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability:

We are dealing with a proxy server which deals with different kind of protocols which are sometime tunneled over the proxy. They use HTTP Method of "CONNECT" to get through the proxy. Typical example is HTTPS. Through an explicit proxy, browser uses CONNECT method to get to an https website. We can't deny this blindly.

Reference this article for more information: https://support.symantec.com/en_US/article.TECH81561.html

 

-SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability:

This vulnerability is covered in the following Security Advisory: https://www.symantec.com/security-center/network-protection-security-advisories/SA91

 

-SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST):

This is related to vulnerability CVE-2011-3389

A possible workaround is to enable only TLS 1.1 and 1.2 in the ProxySG default device profile, however, as some sites support only TLS 1.0 this may be undesirable.

 

-TCP Connections Established to Open Port(s) on the Host via HTTP Proxy:

The CONNECT vulnerability is most likely being reported because proxy will respond with a 200 OK. When protocol detection is enabled on the SG, it responds with a "200 OK" to all CONNECT requests, but it doesn't actually open a connection to the upstream server unless the client sends the start of an SSL handshake. Attempts to tunnel non-SSL data over CONNECT are denied by default. This is just a false positive.

 

-Unauthenticated/Open Web Proxy Detected:

This is merely informational. More information can be found here:

https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm