Multiple Vulnerabilities in Blue Coat SSL Visibility Appliance

Multiple Vulnerabilities in Blue Coat SSL Visibility Appliance

Blue Coat, formerly known as Cache Flow is a provider of security and networking solutions from United States. US-CERT has reported that Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800, using versions 3.6x-3.8.3 contain multiple vulnerabilities.

Vulnerabilities and CVE

Discovered vulnerabilities allow a remote, unauthenticated cyber attacker to obtain another user’s session ID, spoof a victim user’s session, and perform actions with the same permissions of a victim user. In order to learn more details please continue reading.

CWE-352: Cross-Site Request Forgery (CSRF) – CVE-2015-2852

Cross-site request forgery vulnerabilitiy or CSRF is present in Blue Coat SSL Visibility Appliance. CSRF allows cyber attacker to trigger the malicious request during an active session conducted by the victim, thus giving a cyber attacker to conduct actions with the same permissions as a victim user.

CWE-384: Session Fixation – CVE-2015-2853

A user’s session ID is set prior to authentication, and is not invalidated or changed at the time of authentication. An attacker capable of obtaining or setting a session ID can hijack a victim user’s session.

CWE-20: Improper Input Validation – CVE-2015-2854

X-Frame-Options response headers are not enforced with same origin policy by Blue Coat SSL Visibility Appliance. This vulnerability allows a cyber attacker to conduct clickjacking attacks via a crafted web page.

CWE-200: Information Exposure – CVE-2015-2855

Sensitive cookies do not have either the Secure or HttpOnly flags set. An attacker capable of sniffing network traffic can intercept or manipulate a victim user’s session ID.


Fortunately Blue Coat team  have already released a patch in the version 3.8.4 update

It is also recommended to conduct following procedures:

  • Limit access to the SSL Visibility management port to trusted clients with limited access to the outside internet.  SSLV can be configured to limit the IP addresses capable of accessing the management port.
  • Limit administrative capabilities by assigning distinct roles for different types of administrators.
  • Use ProxySG and WebPulse to block access to malicious websites from clients.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.