CVE-2023-23955
📋 TL;DR
This Server-Side Request Forgery vulnerability in Broadcom's Advanced Secure Gateway and Content Analysis allows attackers to make the vulnerable server send unauthorized requests to internal or external systems. Organizations using affected versions of these security products are at risk, potentially exposing internal network resources or enabling data exfiltration.
💻 Affected Systems
- Advanced Secure Gateway
- Content Analysis
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot through the vulnerable system to access internal services, exfiltrate sensitive data, or use the system as a proxy for attacks against other targets.
Likely Case
Unauthorized access to internal services or APIs, potential data leakage from systems reachable by the vulnerable server.
If Mitigated
Limited impact if network segmentation restricts the vulnerable system's access to sensitive resources and proper input validation is in place.
🎯 Exploit Status
SSRF typically requires some level of access or ability to trigger the vulnerable functionality; CVSS 8.1 suggests significant impact potential.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.3.13.1 for Advanced Secure Gateway, 3.1.6.0 for Content Analysis
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22217
Restart Required: Yes
Instructions:
1. Download appropriate patch version from Broadcom support portal. 2. Backup current configuration. 3. Apply patch following vendor documentation. 4. Restart services. 5. Verify functionality.
🔧 Temporary Workarounds
Network Segmentation
allRestrict outbound network access from vulnerable systems to only necessary destinations
Input Validation
allImplement strict validation of user-supplied URLs and network destinations
🧯 If You Can't Patch
- Implement strict network egress filtering to limit what systems the vulnerable server can reach
- Monitor for unusual outbound connections from the vulnerable system
🔍 How to Verify
Check if Vulnerable:
Check current version via product admin interface or CLI; compare against vulnerable versions listed in advisory.Check Version:
Product-specific CLI commands vary; consult vendor documentation for version checking.Verify Fix Applied:
Confirm version is 7.3.13.1 or higher for Advanced Secure Gateway, or 3.1.6.0 or higher for Content Analysis.📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP/HTTPS requests from the security appliance
- Requests to internal IP ranges or unexpected domains
Network Indicators:
- Unexpected traffic patterns from security appliance to internal systems
- Appliance making requests to unusual external destinations
SIEM Query:
source_ip="[appliance_ip]" AND (dest_ip IN [internal_ranges] OR dest_domain NOT IN [allowed_domains])