Security Advisory SA131 addresses TCP session hijacking vulnerabilities in operating systems that implement the defenses against TCP blind in-window attacks described in RFC 5961. ProxySG in both forward and reverse proxy deployments can provide limited protection to customer networks against session hijacking attacks.
When configured to intercept or tunnel TCP connections, ProxySG breaks the client (C) <—> server (S) connections into two separate C <—> SG and SG <—> S connections. We consider the following attacks made possible by CVE-2016-5696:
Note that the connection pooling functionality in forward proxy deployments can modify the 1-to-1 relationship between C <—> SG and SG <—> S connections.
All ProxySG deployments
Forward proxy deployments
Reverse proxy deployments