===========================================================================
AUSCERT Security Bulletin

ASB-2016.0072
Multiple vulnerabilities have been identified in Blue Coat products
8 July 2016

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Blue Coat products
Operating System:     Network Appliance
                      Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-3191 CVE-2016-1283 CVE-2015-8395
                      CVE-2015-8394 CVE-2015-8393 CVE-2015-8392
                      CVE-2015-8391 CVE-2015-8390 CVE-2015-8389
                      CVE-2015-8388 CVE-2015-8387 CVE-2015-8386
                      CVE-2015-8385 CVE-2015-8384 CVE-2015-8383
                      CVE-2015-8382 CVE-2015-8381 CVE-2015-8380
Member content until: Sunday, August 7 2016
Reference:            ASB-2016.0024
                      ESB-2016.1333
                      ESB-2016.1168
                      ESB-2016.0366
                      ESB-2016.0300
                      ESB-2016.0255

OVERVIEW

Multiple vulnerabilities have been identified in several Blue Coat products:

"Advanced Secure Gateway
ASG 6.6 is vulnerable to all CVEs. The vulnerabilities are only exploitable when a malicious authenticated administrator with write access adds crafted regular expressions to policy.

CacheFlow
CacheFlow 3.4 is vulnerable to CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394.

Director
Director 6.1 is vulnerable to CVE-2015-8382 and CVE-2015-8386. The vulnerabilities are only exploitable when a malicious authenticated administrator passes crafted regular expressions as arguments to CLI commands.

Norman Shark Network Protection
NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394.

ProxySG
ProxySG 6.5 is vulnerable to CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, and CVE-2016-3191.
ProxySG 6.6 is vulnerable to all CVEs. The vulnerabilities are only exploitable when a malicious authenticated administrator with write access adds crafted regular expressions to policy.

Security Analytics
Security Analytics is vulnerable to CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191.

The following products contain vulnerable versions of the PCRE or GLib2 libraries, but are not vulnerable to known vectors of attack:

Content Analysis System
CAS 1.3 has vulnerable versions of PCRE and GLib2.

Mail Threat Defense
MTD 1.1 has vulnerable versions of PCRE and GLib2.

Management Center
MC 1.5 has vulnerable versions of PCRE and GLib2.

Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.6 has a vulnerable version of PCRE.

Norman Shark SCADA Protection
NSP 5.3 prior to 5.3.6 has a vulnerable version of PCRE.

PacketShaper
PS 9.2 has a vulnerable version of PCRE.

PacketShaper S-Series
PS S-Series 11.2, 11.3, 11.4, 11.5, and 11.6 have vulnerable versions of PCRE and GLib2.

PolicyCenter
PC 9.2 has a vulnerable version of PCRE.

PolicyCenter S-Series
PC S-Series 1.1 has vulnerable versions of PCRE and GLib2.

Reporter
Reporter 10.1 has vulnerable versions of PCRE and GLib2.

SSL Visibility
SSLV 3.8.4FC and 3.9 have a vulnerable version of PCRE." [1]

IMPACT

The vendor has provided the following information:

"CVE-2015-8380 is a flaw in regular expression execution that allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8381 is a flaw in group reference handling that allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8382 is a flaw in regular expression execution that allows a remote attacker to obtain sensitive information from the target's memory or cause denial of service through application crashes.

CVE-2015-8383 is a flaw in repeated conditional group handling that allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8384 is a flaw in recursive back reference handling that allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8385 is a flaw in forward reference handling that allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8386 is a flaw in lookbehind assertion and mutually recursive subpattern handling that allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8387 is a flaw in subroutine call handling that allows a remote attacker to cause an integer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8388 is a flaw in unmatched closing parenthesis handling that allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8389 is a flaw in pattern handling that allows a remote attacker to cause infinite recursion via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8390 is a flaw in character class handling that allows a remote attacker to cause uninitialized memory reads via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8391 is a flaw in nesting handling that allows a remote attacker to cause excessive CPU consumption via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8392 is a flaw in substring handling that allows a remote attacker to cause a buffer overflow and unintended recursion via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8393 is a flaw in the pcregrep utility that allows a remote attacker to obtain sensitive information via a crafted binary file.

CVE-2015-8394 is a flaw in condition handling that allows a remote attacker to cause an integer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8395 is a flaw in reference handling that allows a remote attacker to cause denial of service or unspecified other impact via a crafted regular expression.

CVE-2016-1283 is a flaw in named subgroup handling that allows a remote attacker to cause heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2016-3191 is a flaw in substring and nested parenthesis handling that allows a remote attacker to cause stack-based buffer overflow via a crafted regular expression, resulting in arbitrary code execution or denial of service." [1]

MITIGATION

Users should apply patches where available. For products without patches, the vendor has recommended the following workarounds:

"These CVEs can be exploited in ASG and ProxySG 6.6 only by authenticated administrator users with write access. Restricting the administrator users that have write access reduces the threat of exploiting the vulnerabilities.

These CVEs can be exploited in ASG, Director, and ProxySG only through their management interfaces. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities."
[1]

REFERENCES

[1] SA128: Multiple PCRE Vulnerabilities
    https://bto.bluecoat.com/security-advisory/sa128

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================