===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0066
             SA126: OpenSSH Vulnerabilities January/April 2016
                               15 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Blue Coat products
Operating System:     Network Appliance
Impact/Access:        Root Compromise                -- Existing Account            
                      Provide Misleading Information -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-1908 CVE-2015-8325 
Member content until: Friday, July 15 2016
Reference:            ESB-2016.1149
                      ESB-2016.0970
                      ESB-2016.0737

OVERVIEW

        Multiple Blue Coat products are affected by a vulnerability in 
        OpenSSH:
        
        "The following products are vulnerable:
        
        Director
        Director 6.1 is vulnerable to CVE-2015-8325.
        
        Malware Analysis Appliance
        MAA 4.2 is vulnerable to CVE-2015-8325.
        
        Norman Shark Industrial Control System Protection
        ICSP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8325 and 
        CVE-2016-1908.
        
        Norman Shark Network Protection
        NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8325 and 
        CVE-2016-1908.
        
        Norman Shark SCADA Protection
        NSP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8325 and 
        CVE-2016-1908.
        
        Security Analytics
        Security Analytics 6.6, 7.0, and 7.1 are vulnerable to CVE-2015-8325
        and CVE-2016-1908.
        
        X-Series XOS
        XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2015-8325 and 
        CVE-2016-1908.
        
        The following products contain a vulnerable version of OpenSSH, but
        are not vulnerable to known vectors of attack:
        
        Advanced Secure Gateway
        ASG 6.6 has a vulnerable version of OpenSSH.
        
        Content Analysis System
        CAS 1.2 and 1.3 have a vulnerable version of OpenSSH.
        
        Mail Threat Defense
        MTD 1.1 has a vulnerable version of OpenSSH.
        
        Management Center
        MC 1.5 has a vulnerable version of OpenSSH.
        
        PacketShaper
        PS 9.2 has a vulnerable version of OpenSSH.
        
        PacketShaper S-Series
        PS S-Series 11.2, 11.3, 11.4, and 11.5 have a vulnerable version of
        OpenSSH.
        
        PolicyCenter S-Series
        PC S-Series 1.1 has a vulnerable version of OpenSSH.
        
        Reporter
        Reporter 10.1 has a vulnerable version of OpenSSH. Reporter 9.4 and
        9.5 are not vulnerable.
        
        SSL Visibility
        SSLV 3.8.4FC and 3.9 have a vulnerable version of OpenSSH." [1]


IMPACT

        The vendor has provided the following information:
        
        "This Security Advisory addresses two OpenSSH vulnerabilities 
        announced in January and April 2016. Blue Coat products that include
        a vulnerable version of OpenSSH and use the affected functionality 
        are vulnerable.
        
        CVE-2015-8325 is a flaw in the SSH server implementation that allows
        a local, non-root user with shell access to execute arbitrary code 
        with root privileges. The vulnerability is only exploitable when the
        SSH server accepts user-provided environment variables and uses the
        'login' tool to authenticate users.
        
        CVE-2016-1908 is a flaw in the SSH client implementation that allows
        a remote attacker acting as a malicious SSH server to establish a 
        trusted X11 connection with the SSH client when the client has 
        requested only an untrusted connection. The trusted X11 connection 
        allows the attacker to take screenshots and inject mouse movements 
        and keypresses on the SSH client host." [1]


MITIGATION

        The vendor recommends upgrading to a product version not affected by
        the vulnerability. [1]
        
        The following workarounds can be used where patches are unavailable:
        
        "By default, Director, MAA, ICSP, NNP, and NSP do not use the 
        'login' tool for user authentication and do not use PAM to read 
        user-provided environment variables. Customers who leave this 
        default behavior unchanged prevent attacks against these products 
        using CVE-2015-8325.
        
        By default Security Analytics does not use the 'login' tool for user
        authentication and does not act as an SSH client. Customers who 
        leave this default behavior unchanged prevent attacks against 
        Security Analytics using CVE-2015-8325 and CVE-2016-1908." [1]
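
        Added example, not part of this bulletin or the vendor advisory: a
        configuration check for the two CVE-2015-8325 preconditions described
        above on a generic OpenSSH host. It assumes the 'login' tool
        corresponds to the sshd_config option UseLogin and that PAM reads
        user-provided environment variables when UsePAM is enabled and a
        pam_env line sets user_readenv=1; function names and sample
        configurations are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from any Blue Coat product).
RISKY_SSHD = "UsePAM yes\nUseLogin yes\nUseLogin no\n"
RISKY_PAM = "session required pam_env.so user_readenv=1\n"
DEFAULT_SSHD = "UsePAM yes\n#UseLogin yes\n"
DEFAULT_PAM = "session required pam_env.so\n# session required pam_env.so user_readenv=1\n"

def sshd_global_options(text):
    """Parse sshd_config text up to the first Match block.
    Keywords are case-insensitive and the first value seen wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return opts

def pam_reads_user_env(pam_text):
    """True if an uncommented pam_env line carries user_readenv=1."""
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if any(t.endswith("pam_env.so") for t in tokens) and "user_readenv=1" in tokens:
            return True
    return False

def cve_2015_8325_preconditions(sshd_text, pam_text):
    """Report the two conditions the advisory names for CVE-2015-8325."""
    opts = sshd_global_options(sshd_text)
    uses_login = opts.get("uselogin", "no") == "yes"   # upstream default: no
    pam_env = opts.get("usepam", "no") == "yes" and pam_reads_user_env(pam_text)
    return {"uses_login": uses_login, "pam_user_env": pam_env,
            "exposed": uses_login and pam_env}

if __name__ == "__main__":
    print(cve_2015_8325_preconditions(RISKY_SSHD, RISKY_PAM))
    print(cve_2015_8325_preconditions(DEFAULT_SSHD, DEFAULT_PAM))
```

        Only an explicit user_readenv=1 is reported; a host is flagged as
        exposed only when both conditions hold.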


REFERENCES

        [1] SA126: OpenSSH Vulnerabilities January/April 2016
            https://bto.bluecoat.com/security-advisory/sa126

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================