CVE-2024-6398
📋 TL;DR
An information disclosure vulnerability in McAfee Secure Web Gateway (SWG) allows customized block page content to be leaked to third-party websites due to Same Origin Policy bypass. This affects SWG versions 12.x before 12.2.10 and 11.x before 11.2.24. The risk is limited because default security policies typically block access to risky websites where this could be exploited.
💻 Affected Systems
- McAfee Secure Web Gateway (SWG)
📦 What is this software?
Secure Web Gateway by Skyhighsecurity
⚠️ Risk & Real-World Impact
Worst Case
Sensitive information from customized block pages (potentially including internal URLs, policy names, or custom messages) could be exfiltrated to malicious third-party websites.
Likely Case
Limited information disclosure of non-sensitive block page customization details to websites that users would normally be blocked from accessing anyway.
If Mitigated
Minimal to no impact as default URL categorization and GTI policies prevent access to risky sites where exploitation could occur.
🎯 Exploit Status
Exploitation requires specific browser scenarios and user interaction with malicious websites that would typically be blocked by default policies.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.2.10 for 12.x, 11.2.24 for 11.x
Vendor Advisory: https://thrive.trellix.com/s/article/000013694
Restart Required: Yes
Instructions:
1. Download the appropriate patch version from the McAfee support portal.
2. Back up the current configuration.
3. Apply the patch following the McAfee SWG update procedures.
4. Restart the SWG services/appliance.
🔧 Temporary Workarounds
Remove sensitive customizations from block pages
Review and remove any sensitive information from customized block page templates.
Path: SWG admin interface > Policy > Block Pages > Edit customizations
Ensure default security policies are active
Verify that URL categorization and GTI (Global Threat Intelligence) are enabled in all policies.
Path: SWG admin interface > Policy > Verify URL Categorization and GTI settings
🧯 If You Can't Patch
- Review and sanitize all block page customizations to remove sensitive information
- Ensure strict URL filtering policies are in place to block access to uncategorized and high-risk websites
🔍 How to Verify
Check if Vulnerable:
Check the SWG version in the admin interface: System > About. If the version is 12.x below 12.2.10 or 11.x below 11.2.24, the system is vulnerable.
Check Version:
ssh admin@swg-host 'show version', or check via the SWG web admin interface.
Verify Fix Applied:
Verify that the version shows 12.2.10 or higher for the 12.x branch, or 11.2.24 or higher for the 11.x branch.
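The version checks above, as an added helper script (not from the advisory or the vendor): it pulls the first dotted version out of whatever text the CLI or admin UI returns and compares it against the fixed versions listed on this page. The sample inputs are constructed, and the assumption is that the appliance reports a three-part version like 12.2.9.

```python
# Added example for CVE-2024-6398: classify a reported SWG version as affected or not.
# Fixed versions from the advisory: 12.2.10 for the 12.x branch, 11.2.24 for the 11.x branch.
import re

# Branch -> first fixed version in that branch.
FIXED_VERSIONS = {12: (12, 2, 10), 11: (11, 2, 24)}


def parse_version(text: str) -> tuple:
    """Extract the first dotted x.y.z version from CLI or UI output (assumed format)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text: str) -> bool:
    """True when the version is on the 11.x or 12.x branch and below that branch's fix."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        # Branches other than 11.x and 12.x are not listed as affected in the advisory.
        return False
    # Tuple comparison orders (major, minor, patch) numerically, so 12.2.9 < 12.2.10.
    return v < fixed


def assess(version_text: str) -> str:
    """Human-readable verdict with the upgrade target when the version is affected."""
    v = parse_version(version_text)
    shown = ".".join(map(str, v))
    if is_vulnerable(version_text):
        target = ".".join(map(str, FIXED_VERSIONS[v[0]]))
        return f"{shown}: VULNERABLE, upgrade to {target}"
    return f"{shown}: not affected"


if __name__ == "__main__":
    # Constructed sample outputs of 'show version'; not real appliance output.
    for sample in ["Secure Web Gateway 12.2.9", "version 12.2.10",
                   "SWG 11.2.23 build 123", "11.2.24", "10.5.1"]:
        print(assess(sample))
```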
📡 Detection & Monitoring
Log Indicators:
- Unusual block page rendering patterns
- Multiple block events to same third-party domains
Network Indicators:
- Unexpected data transmission to third-party websites from block page contexts
SIEM Query:
source="swg" AND (event_type="block_page" AND dest_domain NOT IN allowed_domains)