CVE-2022-2310
📋 TL;DR
CVE-2022-2310 is an authentication bypass vulnerability in Skyhigh Secure Web Gateway (SWG) that allows remote attackers to access the administration interface as super user without valid credentials. This affects organizations using Skyhigh SWG main releases 10.x, 9.x, 8.x, and controlled release 11.x. Attackers gain complete control over the SWG appliance.
💻 Affected Systems
- Skyhigh Secure Web Gateway (SWG)
📦 What is this software?
Secure Web Gateway by Skyhighsecurity
Secure Web Gateway by Skyhighsecurity
Secure Web Gateway by Skyhighsecurity
Secure Web Gateway by Skyhighsecurity
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the SWG appliance allowing attackers to intercept, modify, or block all web traffic, deploy malware, steal credentials, and pivot to internal networks.
Likely Case
Unauthorized administrative access leading to configuration changes, traffic interception, and potential data exfiltration.
If Mitigated
Limited impact if SWG is isolated in a management network with strict access controls and monitoring.
🎯 Exploit Status
The vulnerability involves whitelisting authentication bypass methods and weak crypto, suggesting relatively straightforward exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.2.12, 9.2.23, 8.2.28, or 11.2.1 depending on release track
Vendor Advisory: https://kcm.trellix.com/corporate/index?page=content&id=SB10384
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Skyhigh/Trellix support portal. 2. Backup current configuration. 3. Apply the patch following vendor instructions. 4. Restart the SWG appliance. 5. Verify the patch was successful.
🔧 Temporary Workarounds
Restrict Admin Interface Access
allLimit access to the SWG admin interface to specific trusted IP addresses or networks only.
Configure firewall rules to restrict access to SWG admin interface (typically port 443) to management network only
Disable Remote Admin Access
allTemporarily disable remote administrative access if possible and use local console access only.
Disable remote admin interface in SWG configuration if supported
🧯 If You Can't Patch
- Isolate the SWG appliance in a dedicated management network with strict firewall rules
- Implement network segmentation to limit the SWG's ability to access sensitive internal resources
🔍 How to Verify
Check if Vulnerable:
Check SWG version in admin interface under System > About or via CLI. Compare against affected versions.Check Version:
Check via SWG admin interface or vendor-specific CLI commandsVerify Fix Applied:
Verify version is 10.2.12, 9.2.23, 8.2.28, or 11.2.1 or higher. Test authentication bypass attempts should fail.📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful admin login from unexpected IPs
- Configuration changes made by unknown users
- Admin login events outside normal hours
Network Indicators:
- Unusual traffic patterns to/from SWG admin interface
- Traffic from SWG to unexpected internal destinations
SIEM Query:
source="swg_logs" AND (event_type="admin_login" AND result="success" AND user="superuser") OR (event_type="config_change" AND user NOT IN ["authorized_users"])