The vulnerability for the HTTPS proxy has been assigned Cisco bug ID
CSCdx05705, which modifies the default settings to ensure the administrator
must specify permitted traffic.
The ability to handle proxied requests was added in version 2.2.0 of
the Cache Engine software. More details are provided in the Release Notes at
In addition to caching pages from remote web servers, the cache
software also has the ability to cache data for other proxy servers using a
variety of supported protocols such as FTP and HTTPS. This function is enabled
by default. Since proxied HTTPS services may be available on a variety of
ports, the device can be instructed by a client to open a TCP connection to any
reachable IP address and port.
The following warning is displayed during configuration and the boot
process when the Cache Engine running version 2.x is configured as an HTTPS
proxy server without transparent redirection:
It is recommended to set restrictions that allow or deny HTTPS traffic to
Destination Ports. Default settings may not provide the desired security level.
This warning is not displayed when the device operates in transparent
mode, and is not shown in any case when running software versions 3.x and 4.x.
This issue has been resolved by changing the default behavior when
HTTPS proxy is enabled so that connections are limited based on the destination
port numbers and connections to ports less than 1024 (excluding 443 and 563)
The vulnerability for the HTTP proxy has been assigned Cisco bug ID
CSCeb19815, which introduces the new "http destination-port <deny|allow>
<all|port ranges>" command and modifies the default settings to ensure
the administrator must specify permitted traffic.
The HTTP proxy vulnerability has been resolved by changing the default
behavior so that the HTTP connections are limited based on the destination port
numbers and connections to reserved ports (1-79 and 88-1024) are denied.
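As an added example (not Cisco's code and not the Cache Engine CLI itself), the following Python models the corrected default destination-port policies for both the HTTPS and the HTTP proxy described above, so an administrator can check which proxied destinations remain reachable; the range-spec syntax, the deny/allow semantics and the `exceptions` carve-out are assumptions modelled on the "http destination-port" command.

```python
"""Models the corrected default destination-port policies from the advisory.
Added example, not Cisco Cache Engine code; range-spec syntax and the
deny/allow semantics are assumptions mirroring "http destination-port"."""
from typing import List, Tuple


def parse_port_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse "1-79 88-1024 443" (or "all") into inclusive (lo, hi) ranges."""
    if spec.strip() == "all":
        return [(1, 65535)]
    ranges = []
    for token in spec.split():
        lo, _, hi = token.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)  # a bare port is a one-port range
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {token}")
        ranges.append((lo_i, hi_i))
    return ranges


def in_ranges(port: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


class DestinationPortPolicy:
    """'deny': listed ports blocked, others allowed; 'allow': listed ports
    allowed, others blocked (assumed). 'exceptions' are always allowed."""

    def __init__(self, action: str, spec: str, exceptions: str = ""):
        if action not in ("deny", "allow"):
            raise ValueError(action)
        self.action = action
        self.ranges = parse_port_ranges(spec)
        self.exceptions = parse_port_ranges(exceptions) if exceptions else []

    def allows(self, port: int) -> bool:
        if in_ranges(port, self.exceptions):
            return True
        listed = in_ranges(port, self.ranges)
        return not listed if self.action == "deny" else listed


# Pre-fix behaviour: the device opened a TCP connection to any port.
OLD_DEFAULT = DestinationPortPolicy("allow", "all")
# Corrected defaults as described in the advisory.
HTTP_DEFAULT = DestinationPortPolicy("deny", "1-79 88-1024")
HTTPS_DEFAULT = DestinationPortPolicy("deny", "1-1023", exceptions="443 563")


def audit(policy: DestinationPortPolicy, ports: List[int]) -> List[int]:
    """Return the destination ports the policy would still let the cache reach."""
    return [p for p in ports if policy.allows(p)]
```

Running `audit` over a constructed list of destinations such as `[22, 25, 80, 443, 563, 1024, 8080]` shows the old default reaching all of them, while the corrected HTTP default leaves only 80 and 8080 and the HTTPS default leaves 443, 563, 1024 and 8080.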