-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
SA126: OpenSSH Vulnerabilities January/April 2016
15 June 2016
AusCERT Security Bulletin Summary
Product: Blue Coat products
Operating System: Network Appliance
Impact/Access: Root Compromise -- Existing Account
Provide Misleading Information -- Remote with User Interaction
CVE Names: CVE-2016-1908 CVE-2015-8325
Member content until: Friday, July 15 2016
Muiltiple Blue Coat products are affected by a vulnerability in
"The following products are vulnerable:
Director 6.1 is vulnerable to CVE-2015-8325.
Malware Analysis Appliance
MAA 4.2 is vulnerable to CVE-2015-8325.
Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8325 and
Norman Shark Network Protection
NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8325 and
Norman Shark SCADA Protection
NSP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8325 and
Security Analytics 6.6, 7.0, and 7.1 are vulnerable to CVE-2015-8325
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2015-8325 and
The following products contain a vulnerable version of OpenSSH, but
are not vulnerable to known vectors of attack:
Advanced Secure Gateway
ASG 6.6 has a vulnerable version of OpenSSH.
Content Analysis System
CAS 1.2 and 1.3 have a vulnerable version of OpenSSH.
Mail Threat Defense
MTD 1.1 has a vulnerable version of OpenSSH.
MC 1.5 has a vulnerable version of OpenSSH.
PS 9.2 has a vulnerable version of OpenSSH.
PS S-Series 11.2, 11.3, 11.4, and 11.5 have a vulnerable version of
PC S-Series 1.1 has a vulnerable version of OpenSSH.
Reporter 10.1 has a vulnerable version of OpenSSH. Reporter 9.4 and
9.5 are not vulnerable.
SSLV 3.8.4FC and 3.9 have a vulnerable version of OpenSSH." 
The vendor has provided the following information:
"This Security Advisory addresses two OpenSSH vulnerabilities
announced in January and April 2016. Blue Coat products that include
a vulnerable version of OpenSSH and use the affected functionality
CVE-2015-8325 is a flaw in the SSH server implementation that allows
a local, non-root user with shell access to execute arbitrary code
with root privileges. The vulnerability is only exploitable when the
SSH server accepts user-provided environment variables and uses the
'login' tool to authenticate users.
CVE-2016-1908 is a flaw in the SSH client implementation that allows
a remote attacker acting as a malicious SSH server to establish a
trusted X11 connection with the SSH client when the client has
requested only an untrusted connection. The trusted X11 connection
allows the attacker to take screenshots and inject mouse movements
and keypresses on the SSH client host."
The vendor recommends upgrading to a product version not affected by
the vulnerability. 
The following workarounds can be used where patches are unavailable:
"By default, Director, MAA, ICSP, NNP, and NSP do not use the
'login' tool for user authentication and do not use PAM to read
user-provided environment variables. Customers who leave this
default behavior unchanged prevent attacks against these products
By default Security Analytics does not use the 'login' tool for user
authentication and does not act as an SSH client. Customers who
leave this default behavior unchanged prevent attacks against
Security Analytics using CVE-2015-8325 and CVE-2016-1908." 
 SA126: OpenSSH Vulnerabilities January/April 2016
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----