ProxySG vulnerability mitigation of CVE-2013-2566, CVE-2014-3566, CVE-2016-2183, SSLv3

search cancel

ProxySG vulnerability mitigation of CVE-2013-2566, CVE-2014-3566, CVE-2016-2183, SSLv3

book

Article ID: 253549

calendar_today

Updated On:

Products

ASG-S500 ProxySG Software - SGOS ISG Content Analysis ISG Proxy

Issue/Introduction

Customer has found that ProxySG is vulnerable to CVEs:

CVE-2014-3566 DES-CBC3 can disabled as prescribed in the Security Best Practices doc.
CVE-2016-2183- DES-CBC3 can disabled as prescribed in the Security Best Practices doc.
CVE-2013-2566- RC4 can disabled as prescribed in the Security Best Practices doc.

Environment

Release : 6.7.5.18

Cause

All the CVEs are related to SSLV3. SSLV3 is enabled by default in Proxy config and customer needs to decide if it's needed as per Security Best Practices doc.

Resolution

Add CPL code to ProxySG:

CVE-2014-3566

<SSL>
client.connection.negotiated_ssl_version=(SSLV3) force_exception(silent_denied)
server.connection.negotiated_ssl_version=(SSLV3) force_exception(silent_denied)

Disable TLSv1 or SSLv3 on ProxySG appliance - https://knowledge.broadcom.com/external/article?articleId=169097

CVE-2016-2183- DES-CBC3 can disabled as prescribed in the Security Best Practices doc.
CVE-2013-2566- RC4 can disabled as prescribed in the Security Best Practices doc.

<SSL>
client.connection.negotiated_cipher.strength=(Export) exception(silent_denied)
client.connection.negotiated_cipher=(exp-des-cbc-sha,exp-rc4-md5)exception(silent_denied)
server.connection.negotiated_cipher.strength=(Export) exception(silent_denied)
server.connection.negotiated_cipher=(exp-des-cbc-sha,exp-rc4-md5) exception(silent_denied)

ProxySG - How to disable export grade ciphers to prevent FREAK attack - https://knowledge.broadcom.com/external/article?articleId=168481

Moreover, it is advised to follow all Security Best Practices to mitigate any vulnerability related to SSLV3:

Please make sure that the SSLV3 is disabled in Proxy > Configuration > SSL >> SSL client according to Security Best Practices - https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/securityBP/SSL-Proxy-Best-Practices.html
Please check if you have a SSLV3 disabled in your Reverse Proxy listener: - https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/introduction/configuring-and-managing-an-https-reverse-proxy/creating-an-https-reverse-proxy-service.html
Please check if you have Proxy > Configuration > SSL > SSL Client configured to do not use SSLV3 - https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/introduction/managing-ssl-traffic/editing-an-ssl-client.html
Please check if your Proxy > Configuration > SSL > SSL-Device-Profiles are configured according to - Security Best Practices - https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/securityBP/SSL-Proxy-Best-Practices.html

Additional Information

Collecting evidence:

start the pcap trace on ProxySG with ip filter of the device
perform vulnerability scan with the 3rd party tool
stop the pcap trace
take the vulnerability scan report

PCAP SSLV3 filters to check if there are any SSLV3 handshakes

Wireshark filter: ssl.handshake.ciphersuite
Wireshark filter: ssl.record.version==0x0300
TSHARK filter: tcp[((tcp[12]>>4)*4)+9:2]=0x0300
SSLV3 handshake - 0x0300 - no sign of usage

Feedback

thumb_up Yes

thumb_down No