SSL Visibility Appliance may generate illegal RST packets


SSL Visibility Appliance provided by Blue Coat Systems, Inc. is used as a transparent proxy for encrypted traffic management.
It is reported that the appliance generates RST packets with incorrect sequence numbers when it receives HTTPS requests from certain web browsers. When the web server behind the appliance fails to treat these incorrect RST packets, it keeps the encrypted session indefinitely.
This behavior may be used to cause a denial-of-service (DoS) condition on the server side.
According to the developer, this issue does not affect the appliance.

NTT-ME CORPORATION Cyber Security Center reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Blue Coat Systems, Inc.
  • SSL Visibility Appliance 3.8.4FC, 3.9, 3.10, and 3.11 prior to

SSL Visibility Appliance 4.0 is not affected.

A denial-of-service (DoS) attack to a server may be conducted by an unauthenticated remote attacker.

[Update the Appliance]
Update to the latest version according to the information provided by the developer.
Vendor Information

Blue Coat Systems, Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2016-10259

  1. JVN : JVN#91438377
  2. National Vulnerability Database (NVD) : CVE-2016-10259
Revision History

  • [2017/05/24]
      Web page was published
      Vendor Information : Link was modified