OS Command Injection in Blue Coat Advanced Secure Gateway and Content Analysis System
CVE-2016-9091

7.2HIGH

Key Information:

Vendor

Symantec Corporation

Status
Blue Coat Asg
Blue Coat Cas
Vendor
CVE Published:
5 April 2017

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC๐ŸŸฃ EPSS 36%

What is CVE-2016-9091?

The Blue Coat Advanced Secure Gateway (ASG) and Content Analysis System (CAS) are vulnerable to an OS command injection flaw. This weakness permits an authenticated malicious administrator to execute arbitrary OS commands with elevated system privileges, potentially leading to unauthorized access and manipulation of system operations. It is vital for users to apply available patches to protect against this significant vulnerability.

Affected Version(s)

Blue Coat ASG 6.6 prior to 6.6.5.4

Blue Coat CAS 1.3 prior to 1.3.7.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2016-9091 - Proof of Concept

CVE-2016-9091 - Proof of Concept

References

http://www.securityfocus.com/bid/97372
vdb-entryx_refsource_BID
https://www.exploit-db.com/exploits/41785/
exploitx_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/41786/
exploitx_refsource_EXPLOIT-DB

EPSS Score

36% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.