SafeSquid for Linux SWG safesquid-2020.0213.1725.3-swg-standard released
Posted: Sat Feb 15, 2020 12:27 pm
- Integration with multiple Active Directory Services
SafeSquid supports integration with multiple Active Directories.
Users can specify all the domains and their respective Active Directories in the UI for LDAP configuration.
SafeSquid automatically generates the keytabs required to accomplish the integration, enabling Kerberos/SSO authentication for all the users across the domains.
Users that have multiple Active Directory services but use the same instance of SafeSquid discovered that the keytab was produced only for the first Directory Service listed in the configuration.
The flaw was rooted in a shell script that SafeSquid invokes to produce the keytabs.
This script is executed only to produce the keytabs.
The bug is now fixed, and users can seamlessly integrate with multiple Active Directory services.
The fix also makes the domain name assigned to the host during the initial setup non-critical.
However, users need to ensure the domain controllers are time-synced, since Kerberos authentication depends on clock agreement.
In a future release the mechanism should be able to raise better alerts and diagnostic information for such discrepancies.
- SSL Trusted Root Certificate Chain Optimization
The mechanism of generating SSL certificates for HTTPS inspection was updated with the release of SafeSquid SWG-2019.1115.1826.3.
Ensuring fidelity of SSL certificates in a load-balanced cluster was an important feature of this release.
The mechanism uses an intermediate CA and serves the entire certificate chain to clients, ensuring protocol adherence.
It was discovered that SafeSquid could inadvertently load the entire chain multiple times, which could overwhelm the clients.
As a result, users could be presented with protocol violation alerts by their web browsers and be required to refresh web pages.
SafeSquid now re-orders the chain, eliminating such violations.
- config.xml upload vulnerability
SafeSquid UI facilitates upload of configuration.
Users are expected to upload a valid XML file structured as per config.xml.
Uploading unacceptably structured files resulted in invocation of SafeSquid's ASSERT method, leading to process termination.
The mechanism has now been altered to validate usability of the uploaded configuration file before it is applied.
Non-XML files will now be detected and seamlessly ignored.
- xx--password URL Command vulnerability
Users discovered that the URL command xx--password could be abused to cause abnormal termination of the SafeSquid process.
A logical flaw was discovered to be the root cause of the vulnerability and has been fixed.
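The config.xml upload item above describes the general fix: an upload that is not usable configuration must be rejected by a validation step rather than tripping an assertion that kills the proxy. The following Python is an added illustration of that pattern, not SafeSquid's own code; the root element name `config` and the sample uploads are constructed assumptions, since the real config.xml schema is not on this page.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed root element of a valid config.xml (hypothetical; not from the page).
EXPECTED_ROOT = "config"


@dataclass
class UploadResult:
    accepted: bool
    reason: str


def apply_upload_assert_style(data: bytes) -> ET.Element:
    """The failure mode being fixed, shown in Python terms: an assertion on
    parse success aborts the caller (in a C daemon, the whole process) when
    the upload is not XML at all. Do not use this form in a server."""
    parsed = None
    try:
        parsed = ET.fromstring(data)
    except ET.ParseError:
        pass
    assert parsed is not None, "config upload failed to parse"  # terminates
    return parsed


def validate_upload(data: bytes) -> UploadResult:
    """Hardened form: malformed or non-XML input is reported and ignored,
    and the running configuration is left untouched."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Non-XML (or truncated XML) upload: detect it and keep serving.
        return UploadResult(False, f"not well-formed XML: {exc}")
    if root.tag != EXPECTED_ROOT:
        # Well-formed XML, but not a config.xml document; still reject it.
        return UploadResult(False, f"unexpected root element <{root.tag}>")
    return UploadResult(True, "ok")


# Constructed sample uploads (not real SafeSquid configuration).
GOOD = b"<config><section name='ldap'/></config>"
GARBAGE = b"\x89PNG\r\n\x1a\n this is not an xml file"
WRONG_ROOT = b"<something/>"

if __name__ == "__main__":
    for sample in (GOOD, GARBAGE, WRONG_ROOT):
        print(validate_upload(sample))
```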