ProxySG vulnerability mitigation of CVE-2013-2566, CVE-2014-3566, CVE-2016-2183, SSLv3


Article ID: 253549


Updated On:


ASG-S500, ProxySG Software - SGOS, ISG Content Analysis, ISG Proxy


Customer has found that ProxySG is vulnerable to CVEs:


Release :


All the CVEs are related to SSLv3. SSLv3 is enabled by default in the Proxy configuration, and the customer needs to decide whether it is needed, as per the Security Best Practices document.


Add CPL code to ProxySG:


client.connection.negotiated_ssl_version=(SSLV3) force_exception(silent_denied)
server.connection.negotiated_ssl_version=(SSLV3) force_exception(silent_denied)

Disable TLSv1 or SSLv3 on ProxySG appliance -



client.connection.negotiated_cipher.strength=(Export) exception(silent_denied)
server.connection.negotiated_cipher.strength=(Export) exception(silent_denied)
server.connection.negotiated_cipher=(exp-des-cbc-sha,exp-rc4-md5) exception(silent_denied)


ProxySG - How to disable export grade ciphers to prevent FREAK attack - 


Moreover, it is advised to follow all Security Best Practices to mitigate any vulnerability related to SSLV3:

Additional Information

Collecting evidence:

  • Start the pcap trace on ProxySG with an IP filter for the device.
  • Perform the vulnerability scan with the 3rd party tool.
  • Stop the pcap trace.
  • Take the vulnerability scan report.

PCAP filters to check whether there are any SSLv3 handshakes:

Wireshark filter: ssl.handshake.ciphersuite
Wireshark filter: ssl.record.version==0x0300
TSHARK filter: tcp[((tcp[12]>>4)*4)+9:2]=0x0300
SSLv3 handshake version value: 0x0300. If no packets carry it, there is no sign of SSLv3 usage.
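
Added example, not part of the original article: the byte offsets behind the filters above, applied to a TCP payload in Python. The record-layer version sits at payload bytes 1-2 and the hello version at bytes 9-10 (the "+9:2" in the TSHARK filter); a ClientHello can carry 0x0300 at the record layer while offering a newer version, so only the hello version is treated as evidence. The function names, result labels and sample records are assumptions constructed for illustration.

```python
import struct

SSLV3 = 0x0300  # version value the filters above look for

def hello_versions(payload: bytes):
    """Parse the first SSL/TLS record of a TCP payload.

    Returns (handshake_type, record_version, hello_version), or None when
    the payload is not a ClientHello/ServerHello record.
    """
    if len(payload) < 11 or payload[0] != 0x16:        # 0x16 = handshake record
        return None
    record_version, = struct.unpack_from("!H", payload, 1)   # bytes 1-2
    hs_type = payload[5]                               # 1 = ClientHello, 2 = ServerHello
    if hs_type not in (1, 2):
        return None
    hello_version, = struct.unpack_from("!H", payload, 9)    # bytes 9-10
    return hs_type, record_version, hello_version

def classify(payload: bytes) -> str:
    """Label a payload by what it says about SSLv3 (labels are hypothetical)."""
    parsed = hello_versions(payload)
    if parsed is None:
        return "not-a-hello"
    hs_type, record_version, hello_version = parsed
    if hs_type == 2 and hello_version == SSLV3:
        return "sslv3-negotiated"         # server selected SSLv3
    if hs_type == 1 and hello_version == SSLV3:
        return "sslv3-only-client"        # client's highest offered version is SSLv3
    if record_version == SSLV3:
        return "record-layer-0300-only"   # compatibility value, not proof of SSLv3 use
    return "no-sslv3"

def make_hello(hs_type: int, record_version: int, hello_version: int) -> bytes:
    """Build a constructed hello record, cut off after the session id (sample data)."""
    body = struct.pack("!H", hello_version) + bytes(32) + b"\x00"
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake

if __name__ == "__main__":
    for args in [(2, 0x0300, 0x0300), (1, 0x0300, 0x0303), (1, 0x0301, 0x0303)]:
        print([hex(a) for a in args], classify(make_hello(*args)))
```

A ServerHello labelled "sslv3-negotiated" in a trace taken after the CPL rules are installed would mean the appliance still completed an SSLv3 handshake on that connection.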