CVE-2021-46825
📋 TL;DR
This HTTP desync vulnerability in Symantec ASG and ProxySG allows remote unauthenticated attackers to send crafted HTTP requests through the proxy, causing web server responses to be forwarded to unintended clients. This affects all organizations using vulnerable versions of these proxy products, potentially exposing sensitive data from other users.
💻 Affected Systems
- Symantec Advanced Secure Gateway (ASG)
- Symantec ProxySG
📦 What is this software?
ProxySG by Broadcom
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept sensitive data (authentication tokens, session cookies, personal information) from other users' web sessions, leading to account compromise and data breaches.
Likely Case
Information disclosure where attackers can view other users' web traffic through the proxy, potentially capturing login credentials or sensitive data.
If Mitigated
Limited impact if proper network segmentation and monitoring are in place to detect anomalous HTTP traffic patterns.
🎯 Exploit Status
Requires attacker to be able to send HTTP requests through the vulnerable proxy and coordinate with other web clients communicating with the same backend server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Consult Broadcom/Symantec security advisory for specific fixed versions
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20638
Restart Required: Yes
Instructions:
1. Review Broadcom Security Advisory
2. Download and apply the latest security update for your ASG/ProxySG version
3. Restart the proxy service
4. Verify the update was successful
🔧 Temporary Workarounds
Temporary HTTP request filtering
Configure the proxy to block or sanitize malformed HTTP requests that could trigger the desync condition
Consult product documentation for HTTP request filtering rules
🧯 If You Can't Patch
- Implement network segmentation to isolate proxy servers from untrusted networks
- Enable detailed HTTP traffic logging and monitoring for anomalous request patterns
🔍 How to Verify
Check if Vulnerable:
Check your ASG/ProxySG version against the affected versions listed in the Broadcom security advisory
Check Version:
Consult product documentation for version check commands (typically via management interface or CLI)
Verify Fix Applied:
Verify the installed version matches or exceeds the patched version specified in the advisory
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP request patterns
- Multiple HTTP requests with malformed headers from single sources
- Unexpected response forwarding between different client sessions
Network Indicators:
- HTTP traffic with inconsistent request/response pairing
- Abnormal proxy behavior where responses go to wrong clients
SIEM Query:
Search for HTTP requests with unusual header patterns or desync indicators in proxy logs