Risk of stealing user sessions and clickjacking

May 30, 2015 06:06 GMT  ·  By

Security flaws in the web management interface of Blue Coat's SSL Visibility appliance could allow a remote attacker to take over a legitimate user's session and perform actions with the same privileges as the victim.

SSL Visibility is an appliance that decrypts SSL/TLS traffic flowing in and out of a network so that other security tools can inspect it for threats, data loss and other types of risk.

Significant vulnerabilities identified

Models of the product affected by the security holes include SV800, SV1800, SV2800, and SV3800, running software versions 3.6.x through 3.8.3.

An advisory published on Friday by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University warns of a cross-site request forgery (CSRF) problem (CVE-2015-2852): the interface accepts state-changing requests without verifying that the logged-in user actually intended them, so if a user is tricked into visiting a page that submits a crafted request, the appliance carries it out in the context of the victim's session.

Another flaw (CVE-2015-2854) concerns the X-Frame-Options response header: the interface does not use it to restrict which origins may frame its pages. This opens the door to clickjacking, where an attacker loads a management page inside an invisible iframe on a site they control and overlays it with a seemingly innocuous element, such as a button or a link, so that a logged-in user's clicks land on the appliance's own controls.

The advisory from CERT also describes a session fixation weakness (CVE-2015-2853): the session ID is issued before authentication and is neither invalidated nor regenerated at login, so an attacker who can learn or set a victim's session ID beforehand ends up sharing the authenticated session.

The fourth weakness in Blue Coat's product is an information disclosure issue, tracked as CVE-2015-2855. “Sensitive cookies do not have either the Secure or HttpOnly flags set. An attacker capable of sniffing network traffic can intercept or manipulate a victim user's session ID,” reads its description from CERT. Without the Secure flag the browser will send the session cookie over plaintext HTTP as well as HTTPS, and without HttpOnly it is readable by script running in the page.

Patch available from the vendor

The fix is to apply the latest software update from the vendor, SSL Visibility 3.8.4, released on May 11. Tim MalcomVetter, a consultant at FishNet Security, is credited with discovering the problems.

A severity score of 6.8 out of 10 has been calculated for CVE-2015-2852, as per the standard Common Vulnerability Scoring System (CVSS).