CVE-2021-30648

9.8 CRITICAL

📋 TL;DR

CVE-2021-30648 is an authentication bypass vulnerability in the web management consoles of Symantec Advanced Secure Gateway (ASG) and ProxySG. An unauthenticated attacker with network access to the console can execute arbitrary CLI commands, read and modify the appliance configuration, and restart the appliance. Organizations running affected versions of either product are at risk, and the management console is reachable in the default configuration.

💻 Affected Systems

Products:
  • Symantec Advanced Secure Gateway (ASG)
  • Symantec ProxySG
Versions: ASG 6.7.x before 6.7.4.1 and all earlier releases; ProxySG 6.7.x before 6.7.4.2 and all earlier releases
Operating Systems: Appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects web management console interfaces. The vulnerability is present in default configurations.

📦 What is this software?

ProxySG is the Symantec (formerly Blue Coat) secure web gateway: a forward proxy appliance that enforces web access and content policy for client traffic. Advanced Secure Gateway (ASG) bundles ProxySG with Content Analysis on a single appliance. Both run the SGOS appliance operating system and are administered through a web management console and a CLI; that management plane, not the proxied data path, is the attack surface for this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the security gateway allowing attackers to intercept all traffic, install persistent backdoors, disable security policies, and use the appliance as a pivot point into the internal network.

🟠 Likely Case

Attackers modify security policies to bypass filtering, exfiltrate sensitive configuration data, or cause service disruption by restarting appliances.

🟢 If Mitigated

Limited impact if management interfaces are properly segmented and access-controlled, though the vulnerability still exists in the software.

🌐 Internet-Facing: HIGH - Management consoles exposed to the internet can be directly exploited by any attacker without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but exploitation requires network reachability to the management interface, so segmentation of the management plane directly limits who can attempt it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the management interface but no authentication. Public exploit code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ASG 6.7.4.1 and later, ProxySG 6.7.4.2 and later

Vendor Advisory: https://support.broadcom.com/security-advisory/content/security-advisories/0/SYMSA18331

Restart Required: Yes

Instructions:

1. Download the appropriate patch from the Broadcom support portal.
2. Apply the patch via the management console or CLI.
3. Restart the appliance as required.
4. Verify the patch was successfully applied.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

  • Restrict access to management interfaces to trusted administrative networks only
  • Configure firewall rules to block external access to management ports (default: 8082, 8443)

Access Control Lists (applies to: all)

  • Implement IP-based access controls on management interfaces
  • Use appliance ACLs to restrict management console access to specific source IPs

🧯 If You Can't Patch

  • Immediately restrict network access to management interfaces using firewall rules and appliance ACLs
  • Do not rely on multi-factor authentication on the console as a mitigation: an authentication bypass skips the login step entirely, so additional factors are never consulted. Instead, monitor for unauthorized configuration changes and unexpected appliance restarts, and keep a known-good configuration backup to compare against.

🔍 How to Verify

Check if Vulnerable:

Check the appliance version via the CLI ('show version') or via the web console. ASG releases before 6.7.4.1 and ProxySG releases before 6.7.4.2, including every release older than the 6.7 line, are vulnerable.

Check Version:

show version

Verify Fix Applied:

Verify that the version is ASG 6.7.4.1+ or ProxySG 6.7.4.2+ using the 'show version' command. Then confirm, from a network position outside the administrative networks, that the management console rejects requests that carry no valid credentials rather than serving configuration or CLI functionality.
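The version comparison in the two checks above can be scripted for fleet-wide triage. The following is an added example, not from the advisory or from the vendor, that pulls the version out of a captured 'show version' line and compares it numerically against the fixed releases stated on this page. The "Version: SGOS x.y.z.w" line format and the sample captures are assumptions; adjust the regex to what your appliances actually print. The tuple comparison matters: a plain string compare would rank "6.7.4.10" below "6.7.4.2" and report a patched box as vulnerable.

```python
import re

# Fixed versions as stated on this page. Assumption (not from the advisory):
# both products report a four-part SGOS version such as "6.7.4.1".
FIXED_VERSION = {
    "ASG": (6, 7, 4, 1),
    "ProxySG": (6, 7, 4, 2),
}

# Assumed line format for 'show version' output; adjust to match your appliance.
VERSION_RE = re.compile(
    r"Version:\s*(?:SGOS\s+)?(\d+)\.(\d+)\.(\d+)\.(\d+)", re.IGNORECASE
)


def parse_version(show_version_output: str):
    """Return the appliance version as a tuple of ints, or None if not found.

    Tuples compare numerically, so (6, 7, 4, 10) > (6, 7, 4, 2); comparing
    the raw strings would get that wrong.
    """
    match = VERSION_RE.search(show_version_output)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable(product: str, version) -> bool:
    """True when the version predates the fixed release for that product."""
    return version < FIXED_VERSION[product]


def assess(product: str, show_version_output: str) -> str:
    """Classify a 'show version' capture as 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_version(show_version_output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(product, version) else "fixed"


# Constructed sample captures (not real appliance output).
SAMPLE_CAPTURES = {
    "ASG": "Version: SGOS 6.7.3.12 Proxy Edition\nRelease id: 200000",
    "ProxySG": "Version: SGOS 6.7.4.2 Proxy Edition\nRelease id: 200001",
}

if __name__ == "__main__":
    for product, capture in SAMPLE_CAPTURES.items():
        print(f"{product}: {parse_version(capture)} -> {assess(product, capture)}")
```

An "unknown" result should be treated as a finding in its own right: it means the capture did not contain a recognisable version line, so the appliance has not actually been checked.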

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to /admin/ endpoints
  • CLI commands executed from unauthenticated sessions
  • Configuration changes from unknown IP addresses

Network Indicators:

  • Unusual traffic patterns to management ports (8082, 8443) from external sources
  • Successful (HTTP 200) management-console responses to sources outside the administrative networks. Because this is an authentication bypass, exploitation need not be preceded by failed login attempts; a failed-then-successful login pattern is worth alerting on in general, but it is not a reliable indicator of this specific flaw.

SIEM Query:

source_ip NOT IN (admin_networks) AND destination_port IN (8082, 8443) AND http_status=200
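The pseudo-query above can be run as code directly over exported access logs. The following is an added example, not from the advisory or from the vendor, that applies the same three-way test (source outside the admin networks, management port, HTTP 200) to log lines. The admin CIDRs, the whitespace-separated "timestamp src_ip dst_port method path status" format and the sample entries are constructed assumptions. It deliberately keys on successful responses rather than on failure-then-success sequences, since a bypass produces no failed-login noise, and it skips malformed lines instead of aborting the whole scan.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions (not from the advisory): the trusted administrative networks,
# the management console ports this page lists, and a constructed log format
# "timestamp src_ip dst_port method path status" (whitespace separated).
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.100.0/24")]
MGMT_PORTS = {8082, 8443}


@dataclass
class Hit:
    ts: str
    src: str
    port: int
    method: str
    path: str
    status: int


def is_suspicious(src: str, port: int, status: int) -> bool:
    """The SIEM query as a predicate: management port, success, untrusted source."""
    source = ipaddress.ip_address(src)
    from_admin = any(source in net for net in ADMIN_NETWORKS)
    return bool(port in MGMT_PORTS and status == 200 and not from_admin)


def find_hits(lines):
    """Parse log lines and return those matching is_suspicious().

    Comments, blank lines and malformed entries are skipped rather than
    aborting the scan, so one bad line cannot hide the rest of the log.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ts, src, port, method, path, status = line.split()
            port, status = int(port), int(status)
            ipaddress.ip_address(src)  # raises ValueError on garbage addresses
        except ValueError:
            continue
        if is_suspicious(src, port, status):
            hits.append(Hit(ts, src, port, method, path, status))
    return hits


# Constructed sample log (not real appliance logs). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external sources.
SAMPLE_LOG = """\
# timestamp src_ip dst_port method path status
2021-06-01T10:00:01Z 10.10.0.5 8082 GET /admin/ 200
2021-06-01T10:00:07Z 203.0.113.44 8082 GET /admin/ 401
2021-06-01T10:00:09Z 203.0.113.44 8082 POST /admin/ 200
2021-06-01T10:01:30Z 198.51.100.9 8443 GET /admin/ 200
2021-06-01T10:02:00Z 198.51.100.9 8080 GET / 200
not a log line
"""

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.src} -> :{hit.port} {hit.method} {hit.path} {hit.status}")
```

In the sample, the admin-network request and the 401 are correctly ignored, the 8080 request is not a management-console hit, and the two remaining lines are the ones an analyst should look at first: a 200 to /admin/ from an address that should never reach the console at all.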
