Secure One Services Group

  • 1.  ProxySG S200-30 vulnerability has been created

    Posted Nov 09, 2017 04:06 AM

    Hi all

    I have an issue from my customer about a vulnerability of ProxySG. My customer has ProxySG S200-30, SGOS 6.6.4.3.

    They sent the vulnerability data, which you can see in the picture below.

    They found CVE-2000-0649, CVE-2016-2017, CVE-2016-6329, CVE-2016-2183 on that appliance.

     

    For CVE-2016-2017, I checked on Symantec support, following this link: https://www.symantec.com/security-center/network-protection-security-advisories/SA123

    I cut the information concerning ProxySG from that link:

    ProxySG
    ProxySG 6.5 prior to 6.5.9.8 and 6.6 prior to 6.6.4.1 are vulnerable to CVE-2016-2108 and CVE-2016-2109.  They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform.  See the Advisory Details section for more details.  ProxySG 6.7 is not vulnerable.

    Patches: 

    ProxySG
    ProxySG 6.6 - a fix is available in 6.6.4.1, but my customer uses SGOS 6.6.4.3. Why do they still find this vulnerability?

    Please kindly provide how to fix this issue or a workaround.

    So for CVE-2016-6329 and CVE-2016-2183, I will work around following this link: https://www.symantec.com/security-center/network-protection-security-advisories/SA133

     

    Best Regards,

    Chakuttha R.



  • 2.  RE: ProxySG S200-30 vulnerability has been created
    Best Answer

    Posted Nov 09, 2017 09:20 AM

    Hi Chakuttha,

     

    Got the below on searching the CVEs:

     

    CVE-2000-0649 - This should be a false positive. This vulnerability is specifically with IIS and ProxySG doesn't use that. For better clarity, more information is needed on what they have run the scan against. It is better to check this over a TAC case.

    CVE-2016-2107 - Padding oracle in AES-NI CBC MAC check - Fixed in 6.6.4.1, 6.5.9.8 - Possibly a false positive

    CVE-2016-6329 - ProxySG is not vulnerable to CVE-2016-6329 because it doesn't ship with OpenVPN or support VPN connections, other than the VPN connections tunneled/bypassed through ProxySG.

    CVE-2016-2183 - Sweet32: birthday attacks against 3DES - Fixed in 6.6.5.2, 6.6.9.12



  • 3.  RE: ProxySG S200-30 vulnerability has been created

    Posted Nov 09, 2017 01:53 PM

    Hi Aravind,

    Thank you so much, you always help and advise me so much.

    About this CVE:

    CVE-2016-2107 - Padding oracle in AES-NI CBC MAC check - Fixed in 6.6.4.1, 6.5.9.8 - Possibly a false positive

    Yes, I already read in the support guide that this CVE is fixed in 6.6.4.1,

    but my customer uses SGOS 6.6.4.3. Why do they still find this vulnerability?

    My customer is a bank. I must explain this clearly to them.

     

    Best Regards,

    Chakuttha R.



  • 4.  RE: ProxySG S200-30 vulnerability has been created

    Posted Nov 09, 2017 11:17 PM

    Hi Chakuttha,

     

    This could be a false positive from the scanner. Not all detections are right, hence we call it a false positive. If the customer needs to confirm this, do raise a TAC case with us with the detailed scanner report to check.



  • 5.  RE: ProxySG S200-30 vulnerability has been created

    Posted Nov 09, 2017 11:22 PM

    OK, thank you so much for your help.

     

    Best Regards,

    Chakuttha R.



  • 6.  RE: ProxySG S200-30 vulnerability has been created

    Posted Nov 13, 2017 05:03 AM

    Hi Aravind,

    My customer would like to confirm this issue. Please recommend what I have to request from the customer, for attachment when opening a case with TAC.

     

    Best Regards,

    Chakuttha R.



  • 7.  RE: ProxySG S200-30 vulnerability has been created

    Posted Nov 13, 2017 05:18 AM

    In my experience, most testers rely on version details and such, and report something as vulnerable when it is not, just because they think the version reported might be vulnerable.

    So I would demand a detailed report from the auditor showing an actual vulnerability being detected and not just some automated script checking version responses.
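
The version-based triage discussed in this thread, as an added example that is not part of any participant's post and not Symantec tooling: it compares an installed SGOS release against the fixed-in releases quoted in reply 2. The function names and table layout are hypothetical, and for CVE-2016-2183 it assumes the lower of the two listed releases is the threshold for the 6.6 branch.

```python
# Added example: advisory data copied from the posts above; names are hypothetical.

def parse_version(text):
    """Turn '6.6.4.3' into (6, 6, 4, 3) so releases compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

# Fixed-in release per CVE, keyed by branch (major, minor), as quoted in the thread.
# Assumption: for CVE-2016-2183 the lower of the two listed releases is the 6.6 threshold.
FIXED_IN = {
    "CVE-2016-2107": {(6, 5): "6.5.9.8", (6, 6): "6.6.4.1"},
    "CVE-2016-2183": {(6, 6): "6.6.5.2"},
}

# CVEs the reply says do not apply to the product at all.
NOT_APPLICABLE = {
    "CVE-2000-0649": "IIS-specific; ProxySG does not use IIS",
    "CVE-2016-6329": "ProxySG does not ship OpenVPN",
}

def triage(cve, installed):
    """Return (verdict, reason) for one scanner finding against an installed release."""
    if cve in NOT_APPLICABLE:
        return "not-applicable", NOT_APPLICABLE[cve]
    branches = FIXED_IN.get(cve)
    if branches is None:
        return "unknown", "no fixed-in data quoted; review manually"
    have = parse_version(installed)
    fixed = branches.get(have[:2])
    if fixed is None:
        return "unknown", "no fixed-in release quoted for this branch"
    if have >= parse_version(fixed):
        return "fixed", f"{installed} >= {fixed}; ask the scanner team for evidence beyond the version"
    return "open", f"{installed} < {fixed}; upgrade or apply the advisory workaround"

if __name__ == "__main__":
    # Constructed sample: the four CVE IDs the reply addresses, on the customer's release.
    for cve in ("CVE-2000-0649", "CVE-2016-2107", "CVE-2016-6329", "CVE-2016-2183"):
        verdict, reason = triage(cve, "6.6.4.3")
        print(f"{cve}: {verdict} ({reason})")
```

A "fixed" verdict only means the installed release is at or past the quoted fix; it supports the request for a detailed scan report rather than replacing it.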



  • 8.  RE: ProxySG S200-30 vulnerability has been created

    Posted Nov 13, 2017 05:31 AM

    Hi Chakuttha,

     

    I support Hugo's update on this. Request the customer to get a detailed scan report from the VAPT team (scanning) and create a new case with that, requesting assistance in confirmation. They may ask you for more details for confirmation.



  • 9.  RE: ProxySG S200-30 vulnerability has been created

    Posted Nov 13, 2017 05:42 AM

    Thank you for your help.



  • 10.  RE: ProxySG S200-30 vulnerability has been created

    Posted Nov 13, 2017 01:24 PM

    Thank you so much.