===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0072
    Multiple vulnerabilities have been identified in Blue Coat products
                                8 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Blue Coat products
Operating System:     Network Appliance
                      Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-3191 CVE-2016-1283 CVE-2015-8395
                      CVE-2015-8394 CVE-2015-8393 CVE-2015-8392
                      CVE-2015-8391 CVE-2015-8390 CVE-2015-8389
                      CVE-2015-8388 CVE-2015-8387 CVE-2015-8386
                      CVE-2015-8385 CVE-2015-8384 CVE-2015-8383
                      CVE-2015-8382 CVE-2015-8381 CVE-2015-8380
Member content until: Sunday, August  7 2016
Reference:            ASB-2016.0024
                      ESB-2016.1333
                      ESB-2016.1168
                      ESB-2016.0366
                      ESB-2016.0300
                      ESB-2016.0255

OVERVIEW

        Multiple vulnerabilities have been identified in several Blue Coat 
        products:
        
        "Advanced Secure Gateway
        
        ASG 6.6 is vulnerable to all CVEs. The vulnerabilities are only 
        exploitable when a malicious authenticated administrator with write
        access adds crafted regular expressions to policy.
        
        CacheFlow
        
        CacheFlow 3.4 is vulnerable to CVE-2015-8382, CVE-2015-8386, 
        CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394.
        
        Director
        
        Director 6.1 is vulnerable to CVE-2015-8382 and CVE-2015-8386. The 
        vulnerabilities are only exploitable when a malicious authenticated
        administrator passes crafted regular expressions as arguments to CLI
        commands.
        
        Norman Shark Network Protection
        
        NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8382, 
        CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, 
        CVE-2015-8393, and CVE-2015-8394.
        
        ProxySG
        
        ProxySG 6.5 is vulnerable to CVE-2015-8382, CVE-2015-8385, 
        CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, 
        CVE-2015-8394, and CVE-2016-3191. ProxySG 6.6 is vulnerable to all 
        CVEs. The vulnerabilities are only exploitable when a malicious 
        authenticated administrator with write access adds crafted regular 
        expressions to policy.
        
        Security Analytics
        
        Security Analytics is vulnerable to CVE-2015-8382, CVE-2015-8386, 
        CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394.
        
        X-Series XOS
        
        XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2015-8382, 
        CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191.
        
        The following products contain vulnerable versions of the PCRE or 
        GLib2 libraries, but are not vulnerable to known vectors of attack:
        
        Content Analysis System
        
        CAS 1.3 has vulnerable versions of PCRE and GLib2.
        
        Mail Threat Defense
        
        MTD 1.1 has vulnerable versions of PCRE and GLib2.
        
        Management Center
        
        MC 1.5 has vulnerable versions of PCRE and GLib2.
        
        Norman Shark Industrial Control System Protection
        
        ICSP 5.3 prior to 5.3.6 has a vulnerable version of PCRE.
        
        Norman Shark SCADA Protection
        
        NSP 5.3 prior to 5.3.6 has a vulnerable version of PCRE.
        
        PacketShaper
        
        PS 9.2 has a vulnerable version of PCRE.
        
        PacketShaper S-Series
        
        PS S-Series 11.2, 11.3, 11.4, 11.5, and 11.6 have vulnerable 
        versions of PCRE and GLib2.
        
        PolicyCenter
        
        PC 9.2 has a vulnerable version of PCRE.
        
        PolicyCenter S-Series
        
        PC S-Series 1.1 has vulnerable versions of PCRE and GLib2.
        
        Reporter
        
        Reporter 10.1 has vulnerable versions of PCRE and GLib2.
        
        SSL Visibility
        
        SSLV 3.8.4FC and 3.9 have a vulnerable version of PCRE." [1]


IMPACT

        The vendor has provided the following information:
        
        "CVE-2015-8380 is a flaw in regular expression execution that allows
        a remote attacker to cause a heap-based buffer overflow via a 
        crafted regular expression, resulting in denial of service or 
        unspecified other impact.
        
        CVE-2015-8381 is a flaw in group reference handling that allows a 
        remote attacker to cause a heap-based buffer overflow via a crafted
        regular expression, resulting in denial of service or unspecified 
        other impact.
        
        CVE-2015-8382 is a flaw in regular expression execution that allows
        a remote attacker to obtain sensitive information from the target's
        memory or cause denial of service through application crashes.
        
        CVE-2015-8383 is a flaw in repeated conditional group handling that
        allows a remote attacker to cause a buffer overflow via a crafted 
        regular expression, resulting in denial of service or unspecified 
        other impact.
        
        CVE-2015-8384 is a flaw in recursive back reference handling that 
        allows a remote attacker to cause a buffer overflow via a crafted 
        regular expression, resulting in denial of service or unspecified 
        other impact.
        
        CVE-2015-8385 is a flaw in forward reference handling that allows a
        remote attacker to cause a buffer overflow via a crafted regular 
        expression, resulting in denial of service or unspecified other 
        impact.
        
        CVE-2015-8386 is a flaw in lookbehind assertion and mutually 
        recursive subpattern handling that allows a remote attacker to cause
        a buffer overflow via a crafted regular expression, resulting in 
        denial of service or unspecified other impact.
        
        CVE-2015-8387 is a flaw in subroutine call handling that allows a 
        remote attacker to cause an integer overflow via a crafted regular 
        expression, resulting in denial of service or unspecified other 
        impact.
        
        CVE-2015-8388 is a flaw in unmatched closing parenthesis handling
        that allows a remote attacker to cause a buffer overflow via a 
        crafted regular expression, resulting in denial of service or 
        unspecified other impact.
        
        CVE-2015-8389 is a flaw in pattern handling that allows a remote 
        attacker to cause infinite recursion via a crafted regular 
        expression, resulting in denial of service or unspecified other 
        impact.
        
        CVE-2015-8390 is a flaw in character class handling that allows a 
        remote attacker to cause uninitialized memory reads via a crafted 
        regular expression, resulting in denial of service or unspecified 
        other impact.
        
        CVE-2015-8391 is a flaw in nesting handling that allows a remote 
        attacker to cause excessive CPU consumption via a crafted regular 
        expression, resulting in denial of service or unspecified other 
        impact.
        
        CVE-2015-8392 is a flaw in substring handling that allows a remote 
        attacker to cause a buffer overflow and unintended recursion via a 
        crafted regular expression, resulting in denial of service or 
        unspecified other impact.
        
        CVE-2015-8393 is a flaw in the pcregrep utility that allows a remote
        attacker to obtain sensitive information via a crafted binary file.
        
        CVE-2015-8394 is a flaw in condition handling that allows a remote 
        attacker to cause an integer overflow via a crafted regular 
        expression, resulting in denial of service or unspecified other 
        impact.
        
        CVE-2015-8395 is a flaw in reference handling that allows a remote 
        attacker to cause denial of service or unspecified other impact via
        a crafted regular expression.
        
        CVE-2016-1283 is a flaw in named subgroup handling that allows a 
        remote attacker to cause heap-based buffer overflow via a crafted 
        regular expression, resulting in denial of service or unspecified 
        other impact.
        
        CVE-2016-3191 is a flaw in substring and nested parenthesis handling
        that allows a remote attacker to cause stack-based buffer overflow 
        via a crafted regular expression, resulting in arbitrary code 
        execution or denial of service." [1]


MITIGATION

        Users should apply patches where available. For products without 
        patches, the vendor has recommended the following workarounds:
        
        "These CVEs can be exploited in ASG and ProxySG 6.6 only by 
        authenticated administrator users with write access. Restricting the
        administrator users that have write access reduces the threat of 
        exploiting the vulnerabilities.
        
        These CVEs can be exploited in ASG, Director, and ProxySG only 
        through their management interfaces. Allowing only machines, IP 
        addresses and subnets from a trusted network to access the 
        management interface reduces the threat of exploiting the 
        vulnerabilities." [1]


REFERENCES

        [1] SA128: Multiple PCRE Vulnerabilities
            https://bto.bluecoat.com/security-advisory/sa128

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================