===========================================================================
              AUSCERT Security Bulletin ASB-2015.0007.3
     Multiple vulnerabilities identified in Blue Coat products using OpenSSL
                              23 January 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Blue Coat Director
                   Blue Coat Management Center
                   Blue Coat Malware Analysis Appliance
                   Blue Coat Malware Analyzer G2
                   Blue Coat Norman Shark Industrial Control System Protection
                   Blue Coat Norman Shark Network Protection
                   Blue Coat Norman Shark SCADA Protection
                   Blue Coat ProxyAV
                   Blue Coat ProxySG
                   Blue Coat Security Analytics Platform
                   Blue Coat SSL Visibility
                   Blue Coat X-Series XOS
                   Blue Coat Content Analysis System
Operating System:  Network Appliance
                   VMware ESX Server
                   Windows
                   Linux variants
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Modify Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
                   Reduced Security       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-5139 CVE-2014-3568 CVE-2014-3567 CVE-2014-3513
                   CVE-2014-3512 CVE-2014-3511 CVE-2014-3510 CVE-2014-3509
                   CVE-2014-3508 CVE-2014-3507 CVE-2014-3506 CVE-2014-3505
                   CVE-2014-2506
Member content until: Wednesday, February 18 2015

Revision History:  January 23 2015: Corrected product tag
                   January 23 2015: Added product Blue Coat Content Analysis System
                   January 19 2015: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Blue Coat products
        using OpenSSL versions 0.9.8, 1.0.0 and 1.0.1.
        Blue Coat advises "A remote attacker may exploit these vulnerabilities
        to downgrade to TLS v1.0, leak information, write arbitrary data to
        memory, cause a buffer overflow, or cause a denial-of-service" [1] and
        "A remote attacker may exploit these vulnerabilities to allow remote
        attackers to cause a denial of service due to memory consumption, or
        to downgrade to an SSL v3 handshake". [2]

IMPACT

        Blue Coat provides the following details regarding the vulnerabilities:

        "CVE-2014-3505 is a flaw in the DTLS implementation that allows an
        attacker to force memory to be freed twice, resulting in a crash.

        CVE-2014-3506 is a flaw in the DTLS implementation that allows an
        attacker to use large amounts of memory, resulting in slowdowns and/or
        a crash.

        CVE-2014-3507 is a flaw in the DTLS implementation that allows an
        attacker to leak memory, resulting in slowdowns and/or a crash.

        CVE-2014-3508 allows an attacker to obtain information from the stack
        if pretty printing output is echoed to the attacker.

        CVE-2014-3509 allows a malicious server to crash or overwrite memory
        by sending Elliptic Curve Supported Point Formats Extension data.

        CVE-2014-3510 is a flaw in the DTLS client implementation that allows
        an attacking server to send data that will result in a crash due to a
        null pointer.

        CVE-2014-3511 is a flaw in the SSL/TLS server implementation that
        allows an attacking client to force a downgrade to the TLS 1.0
        protocol even if higher protocol versions are supported by the client
        and server.

        CVE-2014-3512 is a flaw in the SRP implementation that allows a
        malicious client or server to send invalid parameters that will
        result in a buffer overflow.

        CVE-2014-5139 allows a malicious server to crash a client by
        specifying an SRP ciphersuite, even if the ciphersuite was not
        negotiated with the client". [1]

        "CVE-2014-3513 is a flaw in the DTLS SRTP implementation that allows
        an attacker to cause a denial-of-service due to memory consumption.
        CVE-2014-3567 is a flaw in the implementation of session tickets that
        allows an attacker to cause a denial-of-service due to memory
        consumption.

        CVE-2014-3568 allows an attacker to force clients and servers to
        downgrade to SSL v3, even if the version of OpenSSL was built such
        that SSL v3 should not be allowed." [2]

MITIGATION

        Blue Coat has provided the following fixes which address
        CVE-2014-3505, CVE-2014-2506, CVE-2014-3507, CVE-2014-3508,
        CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512 and
        CVE-2014-5139:

        Product                      Affected version   Fix
        ---------------------------  -----------------  ---------
        Malware Analysis Appliance   MAA 4.1.x          4.1.4
        ProxySG                      SGOS 6.2.x         6.2.16.1
                                     SGOS 6.5.x         6.5.2.10
        Security Analytics Platform  SA 7.1.x           7.1.5
        SSL Visibility               SSLV 3.7           3.7.4
        Content Analysis System      CAS 1.1            1.1.5.5     [1]

        Blue Coat has also provided fixes which address CVE-2014-3513,
        CVE-2014-3567 and CVE-2014-3568:

        Product                      Affected version   Fix
        ---------------------------  -----------------  ---------
        Malware Analysis Appliance   MAA 4.x            4.2.1
        Management Center            MC 1.x             1.2
        Content Analysis System      CAS 1.1            1.2.3.1     [2]

REFERENCES

        [1] OpenSSL Security Advisory 06-Aug-2014
            https://bto.bluecoat.com/security-advisory/sa85

        [2] OpenSSL Security Advisory 15-Oct-2014
            https://bto.bluecoat.com/security-advisory/sa87

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.
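Applying the two fix tables in the MITIGATION section to an appliance inventory is a branch-aware version comparison, and the two tables interact: a release that carries the August fix can still lack the October one. The following Python is an added example, not part of the AusCERT bulletin or any Blue Coat tooling; the fix rows are transcribed from the tables above and the inventory hostnames and running versions are constructed.

```python
# Branch-aware version check against the two Blue Coat fix tables above.
# FIX_TABLE rows are transcribed from the bulletin; INVENTORY is constructed.
# Row layout: (product, affected branch, fixed version, bulletin reference)
FIX_TABLE = [
    ("Malware Analysis Appliance", "4.1.x", "4.1.4", "[1]"),
    ("ProxySG", "6.2.x", "6.2.16.1", "[1]"),
    ("ProxySG", "6.5.x", "6.5.2.10", "[1]"),
    ("Security Analytics Platform", "7.1.x", "7.1.5", "[1]"),
    ("SSL Visibility", "3.7", "3.7.4", "[1]"),
    ("Content Analysis System", "1.1", "1.1.5.5", "[1]"),
    ("Malware Analysis Appliance", "4.x", "4.2.1", "[2]"),
    ("Management Center", "1.x", "1.2", "[2]"),
    ("Content Analysis System", "1.1", "1.2.3.1", "[2]"),
]

def parse_version(text):
    # '6.5.2.10' -> (6, 5, 2, 10); tuples compare numerically, strings do not.
    return tuple(int(part) for part in text.split("."))

def branch_prefix(affected):
    # '6.2.x' -> (6, 2); '3.7' -> (3, 7); a trailing 'x' is a wildcard.
    return tuple(int(part) for part in affected.split(".") if part != "x")

def check(product, version):
    """Return (branch_listed, outstanding): outstanding holds the
    (reference, fix_version) pairs this release still lacks. branch_listed
    False means the tables do not mention this branch, which is not "safe"."""
    deployed = parse_version(version)
    branch_listed, outstanding = False, []
    for prod, affected, fix, ref in FIX_TABLE:
        prefix = branch_prefix(affected)
        if prod != product or deployed[:len(prefix)] != prefix:
            continue
        branch_listed = True
        if deployed < parse_version(fix):
            outstanding.append((ref, fix))
    return branch_listed, outstanding

# Constructed inventory: (hostname, product, running version)
INVENTORY = [
    ("proxy-01", "ProxySG", "6.5.2.3"),
    ("cas-01", "Content Analysis System", "1.1.5.5"),  # fixed per [1], not [2]
    ("maa-01", "Malware Analysis Appliance", "4.1.4"),  # same pattern
    ("proxy-02", "ProxySG", "6.4.1"),                   # branch not in tables
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        listed, needed = check(product, version)
        print(host, product, version, "not listed" if not listed else needed or "up to date")
```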
===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================