ID

VAR-201403-0228


CVE

CVE-2014-2033


TITLE

Blue Coat ProxySG local user changes contain a time and state vulnerability

Trust: 0.8

sources: CERT/CC: VU#221620

DESCRIPTION

The caching feature in SGOS in Blue Coat ProxySG 5.5 through 5.5.11.3, 6.1 through 6.1.6.3, 6.2 through 6.2.15.3, 6.4 through 6.4.6.1, and 6.3 and 6.5 before 6.5.4 allows remote authenticated users to bypass intended access restrictions during a time window after account deletion or modification by leveraging knowledge of previously valid credentials (CWE-361). Blue Coat ProxySG contains a vulnerability in which there is a time lag between a change to authentication information and that change taking effect. Because the old authentication information is stored in a cache, up to about 15 minutes can pass between the change and the point at which it takes effect (CWE-361). This time difference is reduced if other password-related processing is performed, such as a login with a new account or an authentication denial due to an incorrect password. CWE-361: Time and State https://cwe.mitre.org/data/definitions/361.html. Even after the authentication information is changed, a login with the old account may remain possible for up to 15 minutes. Blue Coat ProxySG is a set of secure Web gateway devices from Blue Coat, USA. The device provides user authentication, web filtering, data loss protection and more to control all web traffic. Blue Coat ProxySG has a security vulnerability in the SGOS caching feature.

Trust: 3.15

sources: NVD: CVE-2014-2033 // CERT/CC: VU#221620 // JVNDB: JVNDB-2014-001544 // CNVD: CNVD-2014-01436 // BID: 66054

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-01436

AFFECTED PRODUCTS

vendor: bluecoat, model: proxysgos, scope: eq, version: 6.3

Trust: 1.6

vendor: bluecoat, model: proxysgos, scope: gte, version: 6.1

Trust: 1.0

vendor: bluecoat, model: proxysgos, scope: gte, version: 6.4

Trust: 1.0

vendor: bluecoat, model: proxysgos, scope: lte, version: 6.2.15.3

Trust: 1.0

vendor: bluecoat, model: proxysgos, scope: gte, version: 6.5

Trust: 1.0

vendor: bluecoat, model: proxysgos, scope: lte, version: 6.4.6.1

Trust: 1.0

vendor: bluecoat, model: proxysgos, scope: gte, version: 6.2

Trust: 1.0

vendor: bluecoat, model: proxysgos, scope: lt, version: 6.5.4

Trust: 1.0

vendor: bluecoat, model: proxysgos, scope: gte, version: 5.5

Trust: 1.0

vendor: bluecoat, model: proxysgos, scope: lte, version: 5.5.11.3

Trust: 1.0

vendor: bluecoat, model: proxysgos, scope: lte, version: 6.1.6.3

Trust: 1.0

vendor: blue coat, model: -, scope: -, version: -

Trust: 0.8

vendor: blue coat, model: proxysg, scope: lt, version: 6.5.4 earlier

Trust: 0.8

vendor: blue, model: coat proxysg, scope: lte, version: <=5.5.11

Trust: 0.6

vendor: blue, model: coat proxysg, scope: lte, version: <=6.1.6.3

Trust: 0.6

vendor: blue, model: coat proxysg, scope: lte, version: <=6.2.15.3

Trust: 0.6

vendor: blue, model: coat proxysg, scope: lte, version: <=6.4.6.1

Trust: 0.6

vendor: blue, model: coat proxysg, scope: lte, version: <=6.5

Trust: 0.6

vendor: blue, model: coat proxysg, scope: eq, version: 6.4

Trust: 0.6

vendor: blue, model: coat proxysg, scope: eq, version: 6.3

Trust: 0.6

vendor: blue, model: coat proxysg, scope: eq, version: 6.2

Trust: 0.6

vendor: blue, model: coat proxysg, scope: eq, version: 6.1

Trust: 0.6

vendor: blue, model: coat proxysg, scope: eq, version: 5.5

Trust: 0.6

vendor: bluecoat, model: proxysgos, scope: eq, version: 6.4

Trust: 0.6

vendor: bluecoat, model: proxysgos, scope: eq, version: 5.5

Trust: 0.6

vendor: bluecoat, model: proxysgos, scope: eq, version: 6.2

Trust: 0.6

vendor: bluecoat, model: proxysgos, scope: eq, version: 6.4.6.1

Trust: 0.6

vendor: bluecoat, model: proxysgos, scope: eq, version: 6.5

Trust: 0.6

vendor: bluecoat, model: proxysgos, scope: eq, version: 6.1

Trust: 0.6

vendor: bluecoat, model: proxysgos, scope: eq, version: 5.5.11

Trust: 0.6

vendor: bluecoat, model: proxysgos, scope: eq, version: 6.1.6.3

Trust: 0.6

vendor: bluecoat, model: proxysgos, scope: eq, version: 6.2.15.3

Trust: 0.6

vendor: blue, model: coat systems proxysg, scope: eq, version: 6.5

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: eq, version: 6.4

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: eq, version: 6.3

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: eq, version: 6.2

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: eq, version: 6.1

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: eq, version: 5.5

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: eq, version: 5.4

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: ne, version: 6.5.4

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: ne, version: 5.5.113

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: ne, version: 6.4.6.1

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: ne, version: 6.2.15.3

Trust: 0.3

vendor: blue, model: coat systems proxysg, scope: ne, version: 6.1.6.3

Trust: 0.3

sources: CERT/CC: VU#221620 // CNVD: CNVD-2014-01436 // BID: 66054 // JVNDB: JVNDB-2014-001544 // CNNVD: CNNVD-201403-020 // NVD: CVE-2014-2033

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2014-2033
value: HIGH

Trust: 1.6

nvd@nist.gov: CVE-2014-2033
value: HIGH

Trust: 1.0

CNVD: CNVD-2014-01436
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201403-020
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2014-2033
severity: HIGH
baseScore: 7.9
vectorString: AV:A/AC:M/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

NVD: CVE-2014-2033
severity: HIGH
baseScore: 7.4
vectorString: NONE
accessVector: ADJACENT NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2014-01436
severity: HIGH
baseScore: 7.4
vectorString: AV:A/AC:M/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CERT/CC: VU#221620 // CNVD: CNVD-2014-01436 // JVNDB: JVNDB-2014-001544 // CNNVD: CNNVD-201403-020 // NVD: CVE-2014-2033

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.8

problemtype:CWE-361

Trust: 0.8

problemtype:CWE-Other

Trust: 0.8

sources: CERT/CC: VU#221620 // JVNDB: JVNDB-2014-001544 // NVD: CVE-2014-2033

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201403-020

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201403-020

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001544

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#221620

PATCH

title: Bluecoat Knowledge Base - Changes to ProxySG local users are delayed
url: https://kb.bluecoat.com/index?page=content&id=SA77

Trust: 0.8

title: Blue Coat ProxySG vulnerable patch
url: https://www.cnvd.org.cn/patchInfo/show/44054

Trust: 0.6

sources: CNVD: CNVD-2014-01436 // JVNDB: JVNDB-2014-001544

EXTERNAL IDS

db: CERT/CC, id: VU#221620

Trust: 4.1

db: NVD, id: CVE-2014-2033

Trust: 3.3

db: JVN, id: JVNVU93097036

Trust: 0.8

db: JVNDB, id: JVNDB-2014-001544

Trust: 0.8

db: CNVD, id: CNVD-2014-01436

Trust: 0.6

db: CNNVD, id: CNNVD-201403-020

Trust: 0.6

db: BID, id: 66054

Trust: 0.3

sources: CERT/CC: VU#221620 // CNVD: CNVD-2014-01436 // BID: 66054 // JVNDB: JVNDB-2014-001544 // CNNVD: CNNVD-201403-020 // NVD: CVE-2014-2033

REFERENCES

url:http://www.kb.cert.org/vuls/id/221620

Trust: 3.3

url:https://kb.bluecoat.com/index?page=content&id=sa77

Trust: 2.7

url:https://cwe.mitre.org/data/definitions/361.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2033

Trust: 0.8

url:http://jvn.jp/vu/jvnvu93097036/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2033

Trust: 0.8

url:http://www.bluecoat.com/products/sg

Trust: 0.3

sources: CERT/CC: VU#221620 // CNVD: CNVD-2014-01436 // BID: 66054 // JVNDB: JVNDB-2014-001544 // CNNVD: CNNVD-201403-020 // NVD: CVE-2014-2033

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 66054

SOURCES

db: CERT/CC, id: VU#221620
db: CNVD, id: CNVD-2014-01436
db: BID, id: 66054
db: JVNDB, id: JVNDB-2014-001544
db: CNNVD, id: CNNVD-201403-020
db: NVD, id: CVE-2014-2033

LAST UPDATE DATE

2024-11-23T22:35:16.395000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#221620, date: 2014-02-28T00:00:00
db: CNVD, id: CNVD-2014-01436, date: 2014-03-05T00:00:00
db: BID, id: 66054, date: 2014-02-25T00:00:00
db: JVNDB, id: JVNDB-2014-001544, date: 2014-03-04T00:00:00
db: CNNVD, id: CNNVD-201403-020, date: 2014-03-04T00:00:00
db: NVD, id: CVE-2014-2033, date: 2024-11-21T02:05:30.180

SOURCES RELEASE DATE

db: CERT/CC, id: VU#221620, date: 2014-02-28T00:00:00
db: CNVD, id: CNVD-2014-01436, date: 2014-03-05T00:00:00
db: BID, id: 66054, date: 2014-02-25T00:00:00
db: JVNDB, id: JVNDB-2014-001544, date: 2014-03-04T00:00:00
db: CNNVD, id: CNNVD-201403-020, date: 2014-03-04T00:00:00
db: NVD, id: CVE-2014-2033, date: 2014-03-02T17:55:02.893