Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Secure Web Gateway 12.2.13 Release Notes

New Features in the 12.2.x Release    

Below is a consolidated list of new features available across the different 12.2.x releases. For issues resolved as part of this release please see the Resolved Issue section

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

Rebranding to Account for Transition    

Names of products, components, and other items have been rebranded to account for the transition from McAfee to Secure Web Gateway.

Rebranded SNMP SMI and MIB file with updated Org OID for Skyhigh Security    

As part of the rebranding, a new Object Identifier (OID) has been introduced for Org Skyhigh Security. We are updating the SNMP OID from .1.3.6.1.4.1.1230* to .1.3.6.1.4.1.59732*. You'll need to update your management software accordingly if they are referring to these OID. For more details, see Configure event monitoring with SNMP.

Trellix VX Integration to SWG   

The SWG 12.2.0 supports integration with Trellix Virtual Execution (VX). For more details, see Trellix Virtual Execution Integration to SWG.

Detection of OneNote files  

New Mediatype detection has been added for OneNote files to detect .one and .onepkg files. 

InsecureNetlogon   

Insecure NETLOGON channel is blocked by default. To explicitly allow Insecure NETLOGON, a new checkbox is provided in Windows Join Domain Dialogue. For more details, see InsecureNetlogon 

TCP Health Check   

Prior to this features, SWG would send live traffic to Next Hop Proxies to determine its health which resulted in delayed response in case Next Hop Proxy is not healthy. With this feature, SWG will have knowledge of the health of the Next Hop Proxies beforehand. For more details, see TCP Health Check for Next Hop Proxy.

Server Chunk Encoding   

A new check box option is provided in proxy control event settings, which allows to enforce chunk encoding transfer on server requests from SWG. For more details, see Server Side Chunk Encoding

Connect Response Based on HTTP-Protocol  

Connection Established response message always shows HTTP1.0 even if the HTTP Protocol header of the request was HTTP1.1. Now you can configure this under Proxy Control Event, where we can select to send back the Connection Established Response text based on the HTTP Protocol version received.   For more details, see Configure Connection Established Response based on HTTP Protocol Version.

Support to pipelined application/HTTP  

A new media type has been added to media type filtering for detection and Openers for pipelined Application/HTTP. 

New Properties for Multiline Base64  

To support the multiline Base-64, new properties are added in SWG

Support for kdbx-kdb-Filetype  

A new media type has been added to media type filtering to detect files of the kdbx and kdb types.

Client certificate authentication for HTML UI  

Client certificate authentication is now added for the HTML UI, For more details, see Client Certificate Authentication for HTML UI.

Configurable size limit of single XML attributesEdit section 

The configurable size limit of single XML attributes has been increased to reduce errors on startup when having large inline lists.

What's new in update 12.2.13    

Enhancements introduced in this release are as follows:

Kernel Upgrade

SWG Kernel has been updated from 4.19.256 to 4.19.319.

Support for Detection of New Media Types

SWG now supports the detection of both the UDF (Universal Disk Format) file (application/x-iso-udf-image)  and the DICOM  (application/dicom) media type.

Known Issues and Workaround 

For a list of issues that are currently known, see SWG 12.x.x Known Issues and Workaround.

Resolved Issues in the 12.2.13 Release     

NOTE:

  • Secure Web Gateway 12.2.13 is provided as a main release.    
  • If you have configured SWG in Transparent Router mode, ensure that your configuration follows the mandatory steps outlined in Skyhigh document before upgrading to SWG version 12.2.9 or later.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The list of resolved issues is mentioned below.

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-6079 Text extraction in PDF Opener has been improved
WP-6206 Outbound override previously worked consistently only with VIPs; it now works with all types of IP addresses
WP-6327 If the Proxy Control Filter is set to forbid HTTP/2 (H2) but an H2 connection is already established, the proxy should send an HTTP/1.1_REQUIRED reset to the client rather than ignoring the request.
WP-6386 A core crash was observed when SNHP was configured with the Proxy Style Request option disabled; this issue has now been resolved.
WP-6391 When you drag and drop a message from Outlook to your desktop, it was previously scanned and showed a BodyisCorrupted error. Now, the file is no longer showing as corrupted, and the scan indicates that no malware was found.

Vulnerabilities Fixed

 This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.
The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

Reference CVE  Description
WP-6374 CVE-2023-35001 Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace
CVE-2023-35788 An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.
CVE-2023-4206 A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old example in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecafl3c8.
CVE-2023-4207 A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. 
CVE-2023-4208  A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81. 
CVE-2023-45871 An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.
CVE-2023-4622 A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.
CVE-2023-4921 A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.
WP-6394 CVE-2024-3248 Less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, which is set by default in many common cases.
WP-6396 CVE-2024-7264 Libcurl's ASN1 parser code has the 'GTime2str()' function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might use -1 for the length of the *time fraction*, leading to a 'strlen()' getting performed on a pointer to a heap buffer area that is not (purposely) null-terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](http://curl.se/libcurl/c/CURLINFO.html) is used.

For resolved issues on the previous releases and other information, see Secure Web Gateway 12.2.x Release Notes 

  • Was this article helpful?