===========================================================================
                    AUSCERT Security Bulletin ASB-2016.0085
      Multiple vulnerabilities have been identified in Blue Coat products
                              2 September 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Blue Coat products
Operating System:     Network Appliance
                      Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-4483 CVE-2016-4449 CVE-2016-4448 CVE-2016-4447
                      CVE-2016-3705 CVE-2016-3627 CVE-2016-1840 CVE-2016-1839
                      CVE-2016-1838 CVE-2016-1837 CVE-2016-1836 CVE-2016-1835
                      CVE-2016-1834 CVE-2016-1833 CVE-2016-1762
Member content until: Sunday, October 2 2016
Reference:            ESB-2016.1588
                      ESB-2016.1550
                      ESB-2016.1452
                      ESB-2016.1398

OVERVIEW

        Multiple Blue Coat products are affected by libxml2 vulnerabilities:

        "The following products are vulnerable:

        Advanced Secure Gateway
          ASG 6.6 is vulnerable to all CVEs.

        AuthConnector
          AuthConnector 2.5 is vulnerable to all CVEs.

        Director
          Director 6.1 is vulnerable to all CVEs.

        Malware Analysis Appliance
          MAA 4.2 is vulnerable to CVE-2016-4448 and CVE-2016-4449.

        Norman Shark Industrial Control System Protection
          ICSP 5.3 is vulnerable to all CVEs.

        Norman Shark Network Protection
          NNP 5.3 is vulnerable to all CVEs.

        Norman Shark SCADA Protection
          NSP 5.3 is vulnerable to all CVEs.

        ProxySG
          ProxySG 6.5 and 6.6 are vulnerable to all CVEs.

        Security Analytics
          Security Analytics 6.6, 7.0, and 7.1 are vulnerable to all CVEs.

        SSL Visibility
          SSLV 3.8.4FC is vulnerable to CVE-2016-4448 and CVE-2016-4449.
          SSLV 3.9 prior to 3.9.4.1 is vulnerable to CVE-2016-4449.
          SSLV 3.9 is also vulnerable to CVE-2016-4448.

        X-Series XOS
          XOS 9.7, 10.0, and 11.0 are vulnerable to all CVEs.

        The following products contain vulnerable versions of the libxml2
        library, but are not vulnerable to known vectors of attack:

        Content Analysis System
          CAS 1.3 has a vulnerable version of libxml2.

        Mail Threat Defense
          MTD 1.1 has a vulnerable version of libxml2.

        Management Center
          MC 1.5 has a vulnerable version of libxml2.

        PacketShaper S-Series
          PS S-Series 11.2, 11.3, 11.4, 11.5, and 11.6 have a vulnerable
          version of libxml2.

        PolicyCenter S-Series
          PC S-Series 1.1 has a vulnerable version of libxml2.

        Reporter
          Reporter 10.1 has a vulnerable version of libxml2.
          Reporter 9.4 and 9.5 are not vulnerable." [1]

IMPACT

        The vendor has provided the following information:

        "CVE-2016-1762 is a flaw in the XML parser that allows a remote
        attacker to cause a heap-based buffer overread via crafted XML data,
        resulting in arbitrary code execution or denial of service through
        memory corruption.

        CVE-2016-1833 is a flaw in the XML parser that allows a remote
        attacker to cause a heap-based buffer overread via crafted XML data,
        resulting in arbitrary code execution or denial of service through
        memory corruption.

        CVE-2016-1834 is a flaw in string handling that allows a remote
        attacker to cause a heap-based buffer overflow via crafted XML data,
        resulting in arbitrary code execution or denial of service through
        memory corruption.

        CVE-2016-1835 is a flaw in the XML parser that allows a remote
        attacker to cause a use-after-free via crafted XML data, resulting in
        arbitrary code execution or denial of service through memory
        corruption.

        CVE-2016-1836 is a flaw in the XML parser that allows a remote
        attacker to cause a use-after-free via crafted XML data, resulting in
        arbitrary code execution or denial of service through memory
        corruption.

        CVE-2016-1837 is a flaw in the HTML parser that allows a remote
        attacker to cause a use-after-free via crafted HTML data, resulting
        in arbitrary code execution or denial of service through memory
        corruption.

        CVE-2016-1838 is a flaw in the XML parser that allows a remote
        attacker to cause a heap-based buffer overread via crafted XML data,
        resulting in arbitrary code execution or denial of service through
        memory corruption.

        CVE-2016-1839 is a flaw in the XML/HTML parser that allows a remote
        attacker to cause a heap-based buffer overread via crafted XML/HTML
        data, resulting in arbitrary code execution or denial of service
        through memory corruption.

        CVE-2016-1840 is a flaw that allows a remote attacker to cause a
        heap-based buffer overread via crafted XML data, resulting in
        arbitrary code execution or denial of service through memory
        corruption.

        CVE-2016-3627 is a flaw in the XML parser that allows a remote
        attacker to cause infinite recursion or stack depletion via crafted
        XML data, resulting in application crashes and denial of service.

        CVE-2016-3705 is a flaw in the XML parser that allows a remote
        attacker to cause stack depletion via crafted XML data, resulting in
        application crashes and denial of service.

        CVE-2016-4447 is a flaw in the XML parser that allows a remote
        attacker to cause a heap-based buffer underread via crafted XML data,
        resulting in application crashes and denial of service.

        CVE-2016-4448 is a flaw in format string handling that allows an
        attacker to have unspecified impact via unspecified attack vectors.

        CVE-2016-4449 is a flaw in the XML parser that allows a remote
        attacker to read arbitrary files or cause denial of service through
        resource consumption.

        CVE-2016-4483 is a flaw in the XML parser in recovery mode that
        allows a remote attacker to cause a buffer overread via crafted XML
        data, resulting in arbitrary code execution or denial of service
        through memory corruption."
        [1]

MITIGATION

        The vendor recommends installing patches for products where
        available. For products without patches, the vendor has provided the
        following workaround information:

        "Blue Coat's ProxySG appliance running SGOS 6.6.4 or a later release
        can be used to protect against attacks using all CVEs, except
        CVE-2016-1834, CVE-2016-1840, CVE-2016-3627, and CVE-2016-4448.
        Customers using ProxySG as a reverse proxy can protect network hosts
        by blocking the malformed XML payload used in these attacks. The
        following CPL syntax introduced in SGOS 6.6.4 can be used:

        <proxy>
        http.request.detection.xml.invalid(block)" [1]

REFERENCES

        [1] SA129: Multiple libxml2 Vulnerabilities
            https://bto.bluecoat.com/security-advisory/sa129

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
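The workaround above relies on a reverse proxy rejecting malformed XML before it reaches a libxml2-backed product. As an added illustration (not part of the bulletin, and not Blue Coat's CPL), the following Python gate applies the same idea in front of any XML-consuming service: it blocks bodies that are not well-formed, that nest deeper than a chosen limit (the stack-depletion class of CVE-2016-3627 and CVE-2016-3705), or that carry a DOCTYPE or entity declaration (the file-read and resource-consumption class of CVE-2016-4449). It uses Python's bundled expat parser purely as a syntax checker; the depth limit, function names and sample bodies are constructed for this example.

```python
"""Pre-parse gate for XML request bodies (added example, not vendor code)."""
from xml.parsers import expat


class _Reject(Exception):
    """Raised from a callback to stop parsing with a block reason."""


def check_xml_payload(data: bytes, max_depth: int = 32) -> tuple:
    """Return ('allow', '') or ('block', reason) for a raw XML body.

    The body is never handed to an application parser; expat is used only
    to detect the payload classes the bulletin describes.
    """
    parser = expat.ParserCreate()
    depth = [0]  # mutable cell so the closures can update it

    def start_element(name, attrs):
        depth[0] += 1
        if depth[0] > max_depth:  # deep nesting -> stack depletion risk
            raise _Reject(f"nesting depth exceeds {max_depth}")

    def end_element(name):
        depth[0] -= 1

    def doctype(name, sysid, pubid, has_internal_subset):
        raise _Reject("DOCTYPE declaration present")  # DTD/entity vector

    def entity(name, is_param, value, base, sysid, pubid, notation):
        raise _Reject(f"entity declaration {name!r}")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = doctype
    parser.EntityDeclHandler = entity
    try:
        parser.Parse(data, True)  # True = final chunk, so truncation is an error
    except _Reject as why:
        return ("block", str(why))
    except expat.ExpatError as err:  # not well-formed: mirrors xml.invalid(block)
        return ("block", f"malformed XML: {err}")
    return ("allow", "")


# Constructed sample bodies for the four cases (not taken from the bulletin).
BENIGN = b"<order><item sku='a1'/></order>"
DEEP = b"<a>" * 40 + b"</a>" * 40                      # 40 levels > default 32
WITH_DTD = b"<!DOCTYPE d [<!ENTITY x 'expanded'>]><d>&x;</d>"
TRUNCATED = b"<order><item sku='a1'>"                   # never closed
```

Raising the depth limit per deployment (e.g. `check_xml_payload(body, max_depth=64)`) lets legitimately deep documents through while still rejecting the other three classes.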