CVE-2016-9091
published 2017-04-05


Priority: P354 (high)
CVSS 3.0: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available (see Detection & IOCs below)
EPSS: 10.13% (95.1st percentile)
Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges.

Affected

4 ranges

Vendor                 Product                              Version range   Fixed in
bluecoat               advanced_secure_gateway              <= 6.6.5.2      (advisory text: 6.6.5.4)
bluecoat               content_analysis_system_software     <= 1.3.7.3      (advisory text: 1.3.7.4)
symantec_corporation   blue_coat_asg                        (unspecified)
symantec_corporation   blue_coat_cas                        (unspecified)

Detection & IOCs (extracted from sources)

port: 8082
url: /avenger/rest/report-email/send
url: /avenger/rest/version
url: /cas/v1/tickets
url: /avenger/j_spring_cas_security_check
Suricata rule (ET Open; note the http.method/http.uri/http.request_body sticky-buffer syntax is Suricata, not Snort 2):
alert http any any -> $HOME_NET 8082 (msg:"ET EXPLOIT BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/report-email/send"; nocase; http.request_body; content:"/dev-report-overview.html"; nocase; content:"|3B|"; distance:0; pcre:"/\/dev-report-overview\.html[^\"]*?\x3b/i"; reference:cve,2016-9091; reference:url,www.exploit-db.com/exploits/41785/; reference:url,bto.bluecoat.com/security-advisory/sa138; classtype:web-application-attack; sid:2024234; rev:4; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2017_04_21, cve CVE_2016_9091, deployment Internal, performance_impact Moderate, confidence High, signature_severity Major, updated_at 2024_03_07, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Detect POST requests to /report-email/send on port 8082 whose body contains '/dev-report-overview.html' followed by a semicolon (0x3B) before the value is closed; that is the injection point for CVE-2016-9091.
  • Monitor for sudo execution of mv_troubleshooting.sh or flush_dns.sh by the 'tomcat' user, which indicates the local privilege escalation stage of the exploit.
  • Alert on unauthenticated GET requests to /avenger/rest/version, which the exploit's check() function uses to fingerprint vulnerable Blue Coat CAS versions before launching the attack.
  • The exploit authenticates via the CAS ticket-granting service at /cas/v1/tickets and then redeems the ticket at /avenger/j_spring_cas_security_check; a POST to the first followed by a GET to the second from the same source IP is a strong pre-exploitation signal.
  • The exploit requires the session to be running as user 'tomcat'; treat process spawning (e.g. a shell or Meterpreter) from the tomcat UID on Blue Coat appliances as a post-exploitation indicator.
  • The Metasploit module's check() function hard-codes the vulnerable version as '1.3.7.1', read from /etc/clp-release; the actual vulnerable range is CAS 1.3 prior to 1.3.7.4 and ASG 6.6 prior to 6.6.5.4, so the module may report other vulnerable versions as safe.
  • The OS command injection requires an authenticated session with 'administrator' group privileges; users in the 'Readonly' group cannot exploit this vulnerability.
  • The privilege escalation module requires a pre-existing tomcat-level shell session and sudo access for the tomcat user to mv_troubleshooting.sh; it is a post-exploitation module, not a standalone RCE.
  • The exploit module notes inconsistent timing behaviour that may cause failures: 'Exploit failed: Rex::TimeoutError Operation timed out.'
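The detection points above (the request-body pattern from the ET rule, the ticket-then-redeem login sequence, the version probe, and the sudo escalation on the appliance) can be checked together over sensor records and syslog. The script below is an added example written for this page, not code from the source advisory, the ET rule set or the Metasploit module. The request records and syslog lines are constructed sample data; the JSON-style request body, the record field names and the sudo command path are assumptions, since the page shows only the '/dev-report-overview.html' + ';' pattern and the script names.

```python
import re
from collections import defaultdict

# Patterns taken from the ET rule and the IOC list above.
INJECTION_URI = re.compile(r"/report-email/send", re.I)
# Same expression as the rule's pcre: the attachment path, then ';' before the value is closed by '"'.
INJECTION_BODY = re.compile(r"/dev-report-overview\.html[^\"]*?\x3b", re.I)
CAS_TICKET_URI = re.compile(r"^/cas/v1/tickets", re.I)
CAS_REDEEM_URI = re.compile(r"^/avenger/j_spring_cas_security_check", re.I)
VERSION_URI = re.compile(r"^/avenger/rest/version$", re.I)
# Standard sudo syslog line: "sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=<path>".
SUDO_ESCALATION = re.compile(r"sudo:\s+tomcat\s*:.*COMMAND=\S*/(?:mv_troubleshooting|flush_dns)\.sh")

# Constructed sample sensor records (field names are an assumption). ts is seconds.
SAMPLE_REQUESTS = [
    {"ts": 1, "src": "10.0.0.5", "dport": 8082, "method": "GET", "uri": "/avenger/rest/version", "body": ""},
    {"ts": 2, "src": "10.0.0.5", "dport": 8082, "method": "POST", "uri": "/cas/v1/tickets", "body": "username=admin&password=REDACTED"},
    {"ts": 3, "src": "10.0.0.5", "dport": 8082, "method": "GET", "uri": "/avenger/j_spring_cas_security_check?ticket=ST-1-example", "body": ""},
    # Injection attempt: body shape is assumed, the '.html;' pattern is the one the rule matches.
    {"ts": 4, "src": "10.0.0.5", "dport": 8082, "method": "POST", "uri": "/avenger/rest/report-email/send",
     "body": '{"attachment":"/dev-report-overview.html;id>/tmp/pwn","to":"ops@example.test"}'},
    # Benign report send from another admin: same endpoint, no ';' inside the quoted value.
    {"ts": 5, "src": "10.0.0.9", "dport": 8082, "method": "POST", "uri": "/avenger/rest/report-email/send",
     "body": '{"attachment":"/dev-report-overview.html","to":"ops@example.test"}'},
    # Ticket redeem with no preceding ticket request from this source: not a full login sequence.
    {"ts": 6, "src": "10.0.0.9", "dport": 8082, "method": "GET", "uri": "/avenger/j_spring_cas_security_check?ticket=ST-2-example", "body": ""},
    # Login sequence spread over 90 s: only flagged if the correlation window allows it.
    {"ts": 10, "src": "10.0.0.7", "dport": 8082, "method": "POST", "uri": "/cas/v1/tickets", "body": "username=admin&password=REDACTED"},
    {"ts": 100, "src": "10.0.0.7", "dport": 8082, "method": "GET", "uri": "/avenger/j_spring_cas_security_check?ticket=ST-3-example", "body": ""},
]

# Constructed syslog lines; the script's directory is a placeholder, not a path from the page.
SAMPLE_SYSLOG = [
    "Apr 21 10:02:11 cas sudo:   tomcat : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/example/mv_troubleshooting.sh",
    "Apr 21 10:02:12 cas sudo:    admin : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/ls",
]


def is_injection_attempt(req):
    """Mirror of the ET rule: POST to /report-email/send on 8082 with '.html' then ';' in the body."""
    return (req["method"].upper() == "POST" and req["dport"] == 8082
            and INJECTION_URI.search(req["uri"]) is not None
            and INJECTION_BODY.search(req["body"]) is not None)


def cas_login_sources(requests, window=60):
    """Sources that POST /cas/v1/tickets and then GET j_spring_cas_security_check within `window` seconds."""
    last_ticket, hits = {}, set()
    for r in sorted(requests, key=lambda r: r["ts"]):
        if r["method"].upper() == "POST" and CAS_TICKET_URI.search(r["uri"]):
            last_ticket[r["src"]] = r["ts"]
        elif r["method"].upper() == "GET" and CAS_REDEEM_URI.search(r["uri"]):
            t = last_ticket.get(r["src"])
            if t is not None and 0 <= r["ts"] - t <= window:
                hits.add(r["src"])
    return hits


def version_probe_sources(requests):
    """Sources fingerprinting the appliance via GET /avenger/rest/version (query string ignored)."""
    return {r["src"] for r in requests
            if r["method"].upper() == "GET" and VERSION_URI.search(r["uri"].split("?", 1)[0])}


def sudo_escalations(syslog_lines):
    """Host-side stage: tomcat running the sudo-permitted troubleshooting scripts."""
    return [line for line in syslog_lines if SUDO_ESCALATION.search(line)]


def triage(requests, syslog_lines):
    """Per-source stage tags in attack order (probe, login, injection) plus escalation lines."""
    verdicts = defaultdict(list)
    for s in version_probe_sources(requests):
        verdicts[s].append("version_probe")
    for s in cas_login_sources(requests):
        verdicts[s].append("cas_login_sequence")
    for r in requests:
        if is_injection_attempt(r):
            tags = verdicts[r["src"]]
            if "command_injection" not in tags:
                tags.append("command_injection")
    return dict(verdicts), sudo_escalations(syslog_lines)


if __name__ == "__main__":
    verdicts, escalations = triage(SAMPLE_REQUESTS, SAMPLE_SYSLOG)
    for src, tags in verdicts.items():
        print(src, "->", ", ".join(tags))
    for line in escalations:
        print("sudo escalation:", line)
```

Only the source that runs the whole chain (probe, login, injection) is tagged; the benign report send on the same endpoint and the orphan ticket redeem are not. The login-sequence correlation window is deliberately a parameter: the page notes the exploit's timing is inconsistent, so a site may need to widen it at the cost of more noise from legitimate admins who log in and then wait.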

CVSS provenance

NVD, CVSS v3.0: 7.2 HIGH, CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 (the source page labels this CRITICAL; CVSS v2 severity bands top out at HIGH), AV:N/AC:L/Au:S/C:C/I:C/A:C