-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin ASB-2016.0066
           SA126: OpenSSH Vulnerabilities January/April 2016
                               15 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Blue Coat products
Operating System:     Network Appliance
Impact/Access:        Root Compromise                -- Existing Account
                      Provide Misleading Information -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-1908 CVE-2015-8325
Member content until: Friday, July 15 2016
Reference:            ESB-2016.1149
                      ESB-2016.0970
                      ESB-2016.0737

OVERVIEW

        Multiple Blue Coat products are affected by two vulnerabilities in
        OpenSSH:

        "The following products are vulnerable:

        Director
          Director 6.1 is vulnerable to CVE-2015-8325.

        Malware Analysis Appliance
          MAA 4.2 is vulnerable to CVE-2015-8325.

        Norman Shark Industrial Control System Protection
          ICSP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8325 and
          CVE-2016-1908.

        Norman Shark Network Protection
          NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8325 and
          CVE-2016-1908.

        Norman Shark SCADA Protection
          NSP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8325 and
          CVE-2016-1908.

        Security Analytics
          Security Analytics 6.6, 7.0, and 7.1 are vulnerable to
          CVE-2015-8325 and CVE-2016-1908.

        X-Series XOS
          XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2015-8325 and
          CVE-2016-1908.

        The following products contain a vulnerable version of OpenSSH, but
        are not vulnerable to known vectors of attack:

        Advanced Secure Gateway
          ASG 6.6 has a vulnerable version of OpenSSH.

        Content Analysis System
          CAS 1.2 and 1.3 have a vulnerable version of OpenSSH.

        Mail Threat Defense
          MTD 1.1 has a vulnerable version of OpenSSH.

        Management Center
          MC 1.5 has a vulnerable version of OpenSSH.

        PacketShaper
          PS 9.2 has a vulnerable version of OpenSSH.

        PacketShaper S-Series
          PS S-Series 11.2, 11.3, 11.4, and 11.5 have a vulnerable version
          of OpenSSH.

        PolicyCenter S-Series
          PC S-Series 1.1 has a vulnerable version of OpenSSH.

        Reporter
          Reporter 10.1 has a vulnerable version of OpenSSH.
          Reporter 9.4 and 9.5 are not vulnerable.

        SSL Visibility
          SSLV 3.8.4FC and 3.9 have a vulnerable version of OpenSSH." [1]

IMPACT

        The vendor has provided the following information:

        "This Security Advisory addresses two OpenSSH vulnerabilities
        announced in January and April 2016. Blue Coat products that
        include a vulnerable version of OpenSSH and use the affected
        functionality are vulnerable.

        CVE-2015-8325 is a flaw in the SSH server implementation that
        allows a local, non-root user with shell access to execute
        arbitrary code with root privileges. The vulnerability is only
        exploitable when the SSH server accepts user-provided environment
        variables and uses the 'login' tool to authenticate users.

        CVE-2016-1908 is a flaw in the SSH client implementation that
        allows a remote attacker acting as a malicious SSH server to
        establish a trusted X11 connection with the SSH client when the
        client has requested only an untrusted connection. The trusted X11
        connection allows the attacker to take screenshots and inject
        mouse movements and keypresses on the SSH client host." [1]

MITIGATION

        The vendor recommends upgrading to a product version not affected
        by the vulnerability. [1]

        The following workarounds can be used where patches are
        unavailable:

        "By default, Director, MAA, ICSP, NNP, and NSP do not use the
        'login' tool for user authentication and do not use PAM to read
        user-provided environment variables. Customers who leave this
        default behavior unchanged prevent attacks against these products
        using CVE-2015-8325.

        By default, Security Analytics does not use the 'login' tool for
        user authentication and does not act as an SSH client. Customers
        who leave this default behavior unchanged prevent attacks against
        Security Analytics using CVE-2015-8325 and CVE-2016-1908." [1]

REFERENCES

        [1] SA126: OpenSSH Vulnerabilities January/April 2016
            https://bto.bluecoat.com/security-advisory/sa126

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV2D2gox+lLeg9Ub1AQjrdQ/9G138gWUl3Mu5aNtdvVFim7Rlr4JfFp1u
YnriNnMJ9X0s+w7dcn1jM5kYtJnf7KUgakQ6WrKvZJAA6w8nOSFZGfpfG009+G55
qtBrhTOr+WnjPwf9UkRLwf7ea/g2msWDX6c7t44x3p/PsRNMBApJg7Vw+8YAkI1L
KptcjZwdmc6JM8/hwgcOS+lojrWNQ/KguFrjplqfpY0opMLS50p+hQqE3Wg3eY8X
ehMMFJUxibKxJYSQQ2DNacvvso01j5rtdveXAOx581iKcpwk0MOxQNuEqgkFB6NN
BbJRUF4bhNW5ob9gEOfTvCFlbGH1p3OA+HPssF0r4IKSZ+puSQXjwlnVCAg6/8MP
xbmpRfLiKrgYEy2mdKTwNpZLaAGVU1eAHQZI0ghEJfCL5ZQPijNqZERYkB8xG7JA
sTd+VfYtemJlTk8rxiDvY/yhtW9it+Xltk0YC6sd/t6KVjHOjgHKmn513mOoizZY
DbNx6txtY7eg7C/jxwIBNRnqcUd0LZSOQmS3SSupCBNh4K4Kn/cV2VhPMSpN3Kpy
BVA6byVolZRdCjuKBl1j0wHjdpAB+z8U1mbPNx6BwDhj9Q4tPN7F0DknxJpzCaEp
D5GffxRwRFHLqDIaFM5FWTpsovtuRXiIs47xNKpGWt91Ys5LGpIXnjwSBD3Jgyru
mlfekcpLAbs=
=QYEW
-----END PGP SIGNATURE-----
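The two workarounds in the bulletin's MITIGATION section both reduce to configuration state: whether sshd hands authentication to the 'login' tool while accepting a user-supplied environment (the CVE-2015-8325 precondition), and whether the host acts as an SSH client with X11 forwarding enabled (the CVE-2016-1908 exposure). The script below is an added example and is not part of the AusCERT bulletin or of Blue Coat's advisory. It audits an sshd_config and an ssh_config on a host you administer, and it assumes the stock OpenSSH keywords UseLogin, PermitUserEnvironment and UsePAM (sshd_config, all defaulting to no upstream) and ForwardX11 (ssh_config, default no), plus OpenSSH's documented rule that the first occurrence of a keyword wins. Host blocks in ssh_config are not evaluated separately. The sample configuration files are constructed for the example; Blue Coat appliances do not expose these files, so this is for general-purpose hosts running the same OpenSSH versions.

```shell
#!/bin/sh
# Added example; not code from the AusCERT bulletin or from Blue Coat.
# Audits OpenSSH configuration for the conditions behind the bulletin's two
# workarounds. Assumes stock OpenSSH keyword names (see lead-in).

# effective_value FILE KEYWORD DEFAULT
# OpenSSH uses the FIRST uncommented occurrence of a keyword (keywords are
# case-insensitive, "Key value" or "Key=value") and ignores later ones.
# Lines after a Match block only apply conditionally, so parsing stops there.
# Prints DEFAULT when the keyword is absent.
effective_value() {
    val=$(sed -e 's/#.*//' "$1" | awk -v k="$2" '
        { gsub(/=/, " ") }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# sshd_login_env_verdict FILE
# "vulnerable": sshd authenticates via login(1) AND explicitly permits
#               user-supplied environment variables (the advisory's precondition).
# "review-pam": login(1) with UsePAM yes; PAM itself may read a user's
#               environment file (Linux-PAM pam_env with user_readenv), so the
#               PAM stack has to be checked by hand.
# "safe":       UseLogin is off (the default), or no user environment path.
sshd_login_env_verdict() {
    uselogin=$(effective_value "$1" UseLogin no)
    userenv=$(effective_value "$1" PermitUserEnvironment no)
    usepam=$(effective_value "$1" UsePAM no)
    if [ "$uselogin" != yes ]; then
        echo safe
    elif [ "$userenv" = yes ]; then
        echo vulnerable
    elif [ "$usepam" = yes ]; then
        echo review-pam
    else
        echo safe
    fi
}

# ssh_x11_verdict FILE
# "exposed": X11 forwarding is on. On an unpatched client the server can
#            upgrade an untrusted forward to a trusted one, so ForwardX11Trusted
#            no does not protect by itself; only patching or ForwardX11 no does.
# "disabled": no X11 channel is requested.
ssh_x11_verdict() {
    if [ "$(effective_value "$1" ForwardX11 no)" = yes ]; then
        echo exposed
    else
        echo disabled
    fi
}

# harden_sshd_config FILE
# Rewrites existing UseLogin / PermitUserEnvironment lines to "no" in place.
# Only lines already present are touched: adding "UseLogin no" to a config for
# an OpenSSH release that no longer knows the keyword would stop sshd starting.
harden_sshd_config() {
    tmpf=$(mktemp)
    awk '
        { key = $1; sub(/=.*/, "", key) }
        tolower(key) == "uselogin"              { print "UseLogin no"; next }
        tolower(key) == "permituserenvironment" { print "PermitUserEnvironment no"; next }
        { print }' "$1" >"$tmpf" && mv "$tmpf" "$1"
}

# Constructed sample configurations (not taken from any real appliance or host).
workdir=$(mktemp -d)
cat >"$workdir/sshd_config.vuln" <<'EOF'
# legacy host that delegates authentication to login(1)
Port 22
UseLogin yes
PermitUserEnvironment yes
UsePAM yes
Match User backup
    PermitUserEnvironment no
EOF
cat >"$workdir/sshd_config.pam" <<'EOF'
UseLogin=yes
UsePAM yes
EOF
cat >"$workdir/sshd_config.default" <<'EOF'
Port 22
UsePAM yes
# UseLogin yes   (left at its default of no)
EOF
cat >"$workdir/ssh_config.x11" <<'EOF'
Host *
    ForwardX11 yes
    ForwardX11Trusted no
EOF

for f in "$workdir"/sshd_config.*; do
    printf '%s: %s\n' "$f" "$(sshd_login_env_verdict "$f")"
done
printf '%s: %s\n' "$workdir/ssh_config.x11" "$(ssh_x11_verdict "$workdir/ssh_config.x11")"
```

Point the functions at /etc/ssh/sshd_config and /etc/ssh/ssh_config (or a user's ~/.ssh/config) to audit a real host; a "review-pam" verdict means the sshd side looks like Blue Coat's default but the PAM configuration, not sshd_config, decides whether user environment files are read. Hardening rewrites only lines that are already in the file because the first-occurrence rule would otherwise tempt one to prepend settings, which fails on releases that have dropped UseLogin.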