I have an issue from my customer about vulnerabilities on ProxySG. My customer has a ProxySG S200-30, SGOS 126.96.36.199.
They sent data about the vulnerabilities, which you can see in the picture below.
They found CVE-2000-0649, CVE-2016-2017, CVE-2016-6329 and CVE-2016-2183 on that appliance.
For CVE-2016-2017 I checked Symantec support at this link: https://www.symantec.com/security-center/network-protection-security-advisories/SA123
I copied the information concerning ProxySG from that link:
ProxySG 6.5 prior to 188.8.131.52 and 6.6 prior to 184.108.40.206 are vulnerable to CVE-2016-2108 and CVE-2016-2109. They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform. See the Advisory Details section for more details. ProxySG 6.7 is not vulnerable.
ProxySG 6.6 - a fix is available in 220.127.116.11, but my customer uses SGOS 18.104.22.168. Why is this vulnerability still found?
Please kindly advise how to fix this issue or work around it.
As for CVE-2016-6329 and CVE-2016-2183, I will work around them following this link: https://www.symantec.com/security-center/network-protection-security-advisories/SA133
Got the below on searching the CVEs:
CVE-2000-0649 - This should be a false positive. This vulnerability is specifically with IIS and ProxySG doesn't use that. For better clarity, more information is needed on what they ran the scan against. Better to check this over a TAC case.
CVE-2016-2107 - Padding oracle in AES-NI CBC MAC check - Fixed in 22.214.171.124, 126.96.36.199 - Possibly a false positive
CVE-2016-6329 - ProxySG is not vulnerable to CVE-2016-6329 because it doesn't ship with OpenVPN or support VPN connections, other than the VPN connections tunneled/bypassed through ProxySG.
CVE-2016-2183 - Sweet32: birthday attacks against 3DES - Fixed in 188.8.131.52, 184.108.40.206
Thank you so much, you always help and advise me so much.
About this CVE:
Yes, I already read in the support guide that this CVE is fixed in 220.127.116.11,
but my customer uses SGOS 18.104.22.168. Why is this vulnerability still found?
My customer is a bank. I must explain this clearly to them.
This could be a false positive from the scanner. Not all detections are right, hence we call it a false positive. If the customer needs to confirm this, do raise a TAC case with us with the detailed scanner report to check.
OK, thank you so much for your help.
My customer would like to confirm this issue. Please recommend what I have to request from the customer
as an attachment for opening a case with TAC.
In my experience most testers are relying on version details and such, and report something vulnerable when it is not, just because they think the version reported might be vulnerable.
So I would demand a detailed report from the auditor showing an actual vulnerability being detected and not just some automated script checking version responses.
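Added example, not part of the original thread and not Symantec code: one way to check whether a scan report carries actual evidence for the Sweet32 finding (CVE-2016-2183) rather than a version guess, by parsing cipher enumeration output in the format of nmap's `ssl-enum-ciphers` script. The sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the format of `nmap --script ssl-enum-ciphers` (not from the thread).
SAMPLE_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|_  least strength: C
"""

# 64-bit block ciphers in CBC mode (the Sweet32 class; CVE-2016-2183 covers DES/3DES).
BLOCK64 = re.compile(r"_(3DES_EDE|DES|DES40|IDEA|RC2)_CBC")
PROTO = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)\b")

def offered_suites(scan_text):
    """Return {protocol: [cipher suites]} the server actually accepted."""
    result, proto = {}, None
    for line in scan_text.splitlines():
        m = PROTO.match(line)
        if m:
            proto = m.group(1)
            result[proto] = []
            continue
        m = SUITE.match(line)
        if m and proto:
            result[proto].append(m.group(1))
    return result

def sweet32_evidence(scan_text):
    """List (protocol, suite) pairs where a 64-bit block cipher was negotiable."""
    return [(p, s) for p, suites in offered_suites(scan_text).items()
            for s in suites if BLOCK64.search(s)]

def verdict(scan_text):
    """Classify the report: real evidence, not reproduced, or nothing to judge."""
    if not offered_suites(scan_text):
        return "inconclusive: no cipher enumeration in report"
    if sweet32_evidence(scan_text):
        return "confirmed"
    return "not reproduced: likely version-based finding"
```

A report that yields "inconclusive" contains only banner or version data, which is the kind of finding to send back to the auditor for detail.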
I support Hugo's update on this. Request the customer to get a detailed scan report from the VAPT team (scanning) and create a new case with that, requesting assistance in confirmation. They may ask you for more details for confirmation.
Thank you for your help.
Thank you so much.