===========================================================================
AUSCERT Security Bulletin

ASB-2016.0054.2
Multiple Blue Coat products are affected by vulnerabilities in OpenSSL
10 April 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Blue Coat products
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2176 CVE-2016-2109 CVE-2016-2108
                   CVE-2016-2107 CVE-2016-2106 CVE-2016-2105
                   CVE-2013-0169
Reference:         ASB-2013.0113
                   ASB-2013.0069
                   ESB-2013.0183
                   ESB-2013.0177
                   ESB-2013.0161

Revision History:  April 10 2018: Update from vendor: A fix for Reporter 9.5 is available in 9.5.4.1
                   May 10 2016: Initial Release

OVERVIEW

Multiple Blue Coat products are affected by vulnerabilities in OpenSSL:

"Advanced Secure Gateway
ASG 6.6 prior to 6.6.5.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), CVE-2016-2108, and CVE-2016-2109. ASG 6.7 is not vulnerable.

Android Mobile Agent
Android Mobile Agent 1.3 prior to 1.3.8 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.

BCAAA
BCAAA 6.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, and CVE-2016-2176 when a Novell SSO realm is used.

CacheFlow
CacheFlow 3.4 prior to 3.4.2.7 is vulnerable to CVE-2016-2108 and CVE-2016-2109.

Client Connector
Client Connector 1.6 for Windows is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.

Content Analysis System
CAS 1.2 and 1.3 prior to 1.3.7.1 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), CVE-2016-2108, and CVE-2016-2109. CAS 2.1 and later releases are not vulnerable.

Director
Director 6.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109, and CVE-2016-2176.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), CVE-2016-2108, and CVE-2016-2109.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.11 is vulnerable to CVE-2016-2105, CVE-2016-2107 (all supported hardware platforms) and CVE-2016-2108.

Management Center
MC 1.5 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. MC 1.6 and later releases are not vulnerable.

Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform. See the Advisory Details section for more details.

Norman Shark Network Protection
NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform. See the Advisory Details section for more details.

Norman Shark SCADA Protection
NSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform. See the Advisory Details section for more details.

PacketShaper
PS 9.2 prior to 9.2.13p2 is vulnerable to CVE-2016-2106 and CVE-2016-2109. PS 9.2 prior to 9.2.13p1 is also vulnerable to CVE-2016-2108.

PacketShaper S-Series
PS S-Series 11.2, 11.3, 11.4, and 11.5 prior to 11.5.3.2 are vulnerable to CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), and CVE-2016-2108. PS S-Series 11.6, 11.7, 1.8 and 1.9 are not vulnerable.

PolicyCenter
PC 9.2 prior to 9.2.13p2 is vulnerable to CVE-2016-2106 and CVE-2016-2109. PC 9.2 prior to 9.2.13p1 is also vulnerable to CVE-2016-2108.

PolicyCenter S-Series
PC S-Series 1.1 prior to 1.1.2.2 is vulnerable to CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), and CVE-2016-2108.

ProxyAV
ProxyAV 3.5 prior to 3.5.4.2 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109, and CVE-2016-2176.

ProxyClient
ProxyClient 3.4 for Windows is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.

ProxySG
ProxySG 6.5 prior to 6.5.9.8 and 6.6 prior to 6.6.4.1 are vulnerable to CVE-2016-2108 and CVE-2016-2109. They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform. See the Advisory Details section for more details. ProxySG 6.7 is not vulnerable.

Reporter
Reporter 9.4, 9.5 prior to 9.5.4.1, and 10.1 prior to 10.1.4.2 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. Reporter 9.5 and 10.1 are also vulnerable to CVE-2016-2107.

Security Analytics
Security Analytics 6.6, 7.0, and 7.1 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. Security Analytics 6.6 and 7.1 are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform. See the Advisory Details section for more details. Security Analytics 7.2 and 7.3 are not vulnerable.

SSL Visibility
SSLV 3.8, 3.8.4FC prior to 3.8.4FC-55, and 3.9 prior to 3.9.3.6 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform. See the Advisory Details section for more details. SSLV 3.10 and later versions are not vulnerable.

Unified Agent
UA 4.1 and 4.6 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-2109. UA 4.1 is also vulnerable to CVE-2016-2108. UA 4.7 is not vulnerable.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform. See the Advisory Details section for more details." [1]

IMPACT

The vendor has provided the following information about the vulnerability:

"CVE-2016-2105 is a flaw in the Base64 encoding module that allows a remote attacker to supply large input data and trigger a heap overflow, resulting in denial of service and possible arbitrary code execution.

CVE-2016-2106 is a flaw in the generic symmetric encryption/decryption module that allows a remote attacker to supply large input data and trigger a heap overflow, resulting in denial of service and possible arbitrary code execution.

CVE-2016-2107 is a flaw introduced as part of the fix for CVE-2013-0169 (Lucky13). A remote man-in-the-middle (MITM) attacker can exploit this vulnerability to perform a padding oracle attack and decrypt intercepted TLS traffic when the TLS sessions use AES CBC cipher suites and the server supports AESNI. The CVSS v2 score for CVE-2016-2107 listed in this Security Advisory is published by the National Vulnerability Database (NVD). The effective CVSS v2 score may be higher for Blue Coat products if the decrypted plaintext contains cookie or password information.

CVE-2016-2108 is a flaw in the ASN.1 encoder that allows a remote attacker to send a crafted X.509 certificate and trigger a buffer underflow on the target if it parses and re-encodes the certificate. The attack is also possible if the crafted X.509 certificate is signed using RSA and the target verifies the RSA signature. Exploiting this vulnerability can result in denial of service through memory corruption and possible arbitrary code execution.

CVE-2016-2109 is a flaw in the ASN.1 decoder that allows a remote attacker to send crafted ASN.1 data and trigger excessive memory allocation on the target. This can result in denial of service through memory depletion.

CVE-2016-2176 is an overread flaw in X.509 certificate ASN.1 string parsing on EBCDIC systems. A remote attacker can exploit this vulnerability using crafted X.509 certificates to obtain arbitrary data from the target's memory stack." [1]

MITIGATION

The vendor recommends upgrading to versions unaffected by the vulnerability. [1]

REFERENCES

[1] SA123: OpenSSL Vulnerabilities 3-May-2016
    https://bto.bluecoat.com/security-advisory/sa123

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
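A defender-side triage sketch for the affected-version rules in the OVERVIEW, as an added example that is not part of the AusCERT bulletin or the vendor advisory: it transcribes four product entries (ASG, ProxySG, CacheFlow, Director) and applies the AES-NI condition the bulletin attaches to CVE-2016-2107 for ProxySG. The hostnames and installed versions in `INVENTORY` are constructed, and the table and function names are hypothetical.

```python
BASE = {"CVE-2016-2108", "CVE-2016-2109"}
HEAP = {"CVE-2016-2105", "CVE-2016-2106"}
PADDING = {"CVE-2016-2107"}

# product -> release train -> (first fixed version, or None if the bulletin lists
# none; CVEs on any hardware; CVEs only on AES-NI-capable hardware).
# A "fixed" value equal to the train itself marks a train listed as not vulnerable.
RULES = {
    "ASG": {"6.6": ("6.6.5.1", BASE | HEAP | PADDING, set()),
            "6.7": ("6.7", set(), set())},
    "ProxySG": {"6.5": ("6.5.9.8", BASE, PADDING),
                "6.6": ("6.6.4.1", BASE, PADDING),
                "6.7": ("6.7", set(), set())},
    "CacheFlow": {"3.4": ("3.4.2.7", BASE, set())},
    "Director": {"6.1": (None, BASE | HEAP | {"CVE-2016-2176"}, set())},
}

def parse(version):
    """Numeric dotted version -> tuple of ints, so 6.5.10.1 sorts after 6.5.9.8."""
    return tuple(int(part) for part in version.split("."))

def applicable_cves(product, version, aesni=False):
    """Sorted CVEs listed for this build; [] if fixed; None if the product or
    release train is not in RULES (unknown is not the same as not vulnerable)."""
    train = ".".join(version.split(".")[:2])
    rule = RULES.get(product, {}).get(train)
    if rule is None:
        return None
    fixed, always, aesni_only = rule
    if fixed is not None and parse(version) >= parse(fixed):
        return []
    return sorted(always | (aesni_only if aesni else set()))

# Constructed inventory: (host, product, version, AES-NI-capable hardware)
INVENTORY = [
    ("proxy-1", "ProxySG", "6.5.9.2", True),
    ("proxy-2", "ProxySG", "6.5.9.2", False),
    ("proxy-3", "ProxySG", "6.5.10.1", True),
    ("asg-1", "ASG", "6.6.4.3", False),
    ("dir-1", "Director", "6.1.9.1", False),
    ("ps-1", "PacketShaper", "9.2.12", False),
]

def triage(inventory):
    return {host: applicable_cves(p, v, hw) for host, p, v, hw in inventory}

if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(host, "not covered by RULES" if cves is None else cves or "fixed")
```

Versions with suffixes such as 9.2.13p2 or 3.8.4FC-55 need their own comparison rules, which is why those products are left out of `RULES` and come back as not covered.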