-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0085
    Multiple vulnerabilities have been identified in Blue Coat products
                             2 September 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Blue Coat products
Operating System:     Network Appliance
                      Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Denial of Service               -- Remote/Unauthenticated      
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-4483 CVE-2016-4449 CVE-2016-4448
                      CVE-2016-4447 CVE-2016-3705 CVE-2016-3627
                      CVE-2016-1840 CVE-2016-1839 CVE-2016-1838
                      CVE-2016-1837 CVE-2016-1836 CVE-2016-1835
                      CVE-2016-1834 CVE-2016-1833 CVE-2016-1762
Member content until: Sunday, October  2 2016
Reference:            ESB-2016.1588
                      ESB-2016.1550
                      ESB-2016.1452
                      ESB-2016.1398

OVERVIEW

        Multiple Blue Coat products bundle vulnerable versions of the libxml2 
        XML parsing library. The vendor's advisory states:
        
        "The following products are vulnerable:
        
        Advanced Secure Gateway
        
        ASG 6.6 is vulnerable to all CVEs.
        
        AuthConnector
        
        AuthConnector 2.5 is vulnerable to all CVEs.
        
        Director
        
        Director 6.1 is vulnerable to all CVEs.
        
        Malware Analysis Appliance
        
        MAA 4.2 is vulnerable to CVE-2016-4448 and CVE-2016-4449.
        
        Norman Shark Industrial Control System Protection
        
        ICSP 5.3 is vulnerable to all CVEs.
        
        Norman Shark Network Protection
        
        NNP 5.3 is vulnerable to all CVEs.
        
        Norman Shark SCADA Protection
        
        NSP 5.3 is vulnerable to all CVEs.
        
        ProxySG
        
        ProxySG 6.5 and 6.6 are vulnerable to all CVEs.
        
        Security Analytics
        
        Security Analytics 6.6, 7.0, and 7.1 are vulnerable to all CVEs.
        
        SSL Visibility
        
        SSLV 3.8.4FC is vulnerable to CVE-2016-4448 and CVE-2016-4449. SSLV
        3.9 prior to 3.9.4.1 is vulnerable to CVE-2016-4449. SSLV 3.9 is 
        also vulnerable to CVE-2016-4448.
        
        X-Series XOS
        
        XOS 9.7, 10.0, and 11.0 are vulnerable to all CVEs.
        
        The following products contain vulnerable versions of the libxml2 
        library, but are not vulnerable to known vectors of attack:
        
        Content Analysis System
        
        CAS 1.3 has a vulnerable version of libxml2.
        
        Mail Threat Defense
        
        MTD 1.1 has a vulnerable version of libxml2.
        
        Management Center
        
        MC 1.5 has a vulnerable version of libxml2.
        
        PacketShaper S-Series
        
        PS S-Series 11.2, 11.3, 11.4, 11.5, and 11.6 have a vulnerable 
        version of libxml2.
        
        PolicyCenter S-Series
        
        PC S-Series 1.1 has a vulnerable version of libxml2.
        
        Reporter
        
        Reporter 10.1 has a vulnerable version of libxml2. Reporter 9.4 and
        9.5 are not vulnerable." [1]


IMPACT

        The vendor has provided the following information:
        
        "CVE-2016-1762 is a flaw in the XML parser that allows a remote 
        attacker to cause a heap-based buffer overread via crafted XML data,
        resulting in arbitrary code execution or denial of service through 
        memory corruption.
        
        CVE-2016-1833 is a flaw in the XML parser that allows a remote 
        attacker to cause a heap-based buffer overread via crafted XML data,
        resulting in arbitrary code execution or denial of service through 
        memory corruption.
        
        CVE-2016-1834 is a flaw in string handling that allows a remote 
        attacker to cause a heap-based buffer overflow via crafted XML data,
        resulting in arbitrary code execution or denial of service through 
        memory corruption.
        
        CVE-2016-1835 is a flaw in the XML parser that allows a remote 
        attacker to cause a use-after-free via crafted XML data, resulting 
        in arbitrary code execution or denial of service through memory 
        corruption.
        
        CVE-2016-1836 is a flaw in the XML parser that allows a remote 
        attacker to cause a use-after-free via crafted XML data, resulting 
        in arbitrary code execution or denial of service through memory 
        corruption.
        
        CVE-2016-1837 is a flaw in the HTML parser that allows a remote 
        attacker to cause a use-after-free via crafted HTML data, resulting
        in arbitrary code execution or denial of service through memory 
        corruption.
        
        CVE-2016-1838 is a flaw in the XML parser that allows a remote 
        attacker to cause a heap-based buffer overread via crafted XML data,
        resulting in arbitrary code execution or denial of service through 
        memory corruption.
        
        CVE-2016-1839 is a flaw in the XML/HTML parser that allows a remote
        attacker to cause a heap-based buffer overread via crafted XML/HTML
        data, resulting in arbitrary code execution or denial of service 
        through memory corruption.
        
        CVE-2016-1840 is a flaw that allows a remote attacker to cause a 
        heap-based buffer overread via crafted XML data, resulting in 
        arbitrary code execution or denial of service through memory 
        corruption.
        
        CVE-2016-3627 is a flaw in the XML parser that allows a remote 
        attacker to cause infinite recursion or stack depletion via crafted
        XML data, resulting in application crashes and denial of service.
        
        CVE-2016-3705 is a flaw in the XML parser that allows a remote 
        attacker to cause stack depletion via crafted XML data, resulting in
        application crashes and denial of service.
        
        CVE-2016-4447 is a flaw in the XML parser that allows a remote 
        attacker to cause a heap-based buffer underread via crafted XML 
        data, resulting in application crashes and denial of service.
        
        CVE-2016-4448 is a flaw in format string handling that allows an 
        attacker to have unspecified impact via unspecified attack vectors.
        
        CVE-2016-4449 is a flaw in the XML parser that allows a remote 
        attacker to read arbitrary files or cause denial of service through
        resource consumption.
        
        CVE-2016-4483 is a flaw in the XML parser in recovery mode that 
        allows a remote attacker to cause a buffer overread via crafted XML
        data, resulting in arbitrary code execution or denial of service 
        through memory corruption." [1]


MITIGATION

        The vendor recommends installing patches for products where 
        available. For products without patches, the vendor has provided the 
        following workaround information:
                
        "Blue Coat's ProxySG appliance running SGOS 6.6.4 or a later release
        can be used to protect against attacks using all CVEs, except 
        CVE-2016-1834, CVE-2016-1840, CVE-2016-3627, and CVE-2016-4448. 
        Customers using ProxySG as a reverse proxy can protect network hosts
        by blocking the malformed XML payload used in these attacks. The 
        following CPL syntax introduced in SGOS 6.6.4 can be used:
                
        <proxy> 
        http.request.detection.xml.invalid(block)" [1]
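        The workaround above is a compensating control: the reverse proxy 
        refuses malformed XML before it reaches a backend that would parse 
        it with an unpatched libxml2. The following is an added example, not 
        Blue Coat's code and not the CPL detection logic, of the same kind of 
        gate written in Python with the standard library's expat parser (so 
        the inspection itself does not depend on libxml2). Its three rules, 
        the depth limit of 256, the names XmlGate and screen_all, and the 
        sample bodies are all assumptions constructed for illustration; the 
        advisory does not document what ProxySG classifies as "invalid".

```python
# Added example (not Blue Coat code): a pre-parse gate for XML request
# bodies in the spirit of the SGOS 6.6.4 workaround
#   <proxy>
#   http.request.detection.xml.invalid(block)
# The advisory does not say what ProxySG treats as "invalid", so the three
# rules below are this example's own assumptions. The gate uses Python's
# bundled expat parser, not libxml2, so the inspection is not itself exposed
# to the libxml2 flaws it shields the backend from.
import xml.parsers.expat


class XmlRejected(Exception):
    """Raised from a handler to stop parsing as soon as a rule fires."""


class XmlGate:
    """Accept a body only if it is well-formed, DTD-free and shallow."""

    def __init__(self, max_depth=256):
        self.max_depth = max_depth   # assumed limit; tune per application
        self._depth = 0
        self.reason = None

    def _reject(self, why):
        self.reason = why
        raise XmlRejected(why)

    # A DOCTYPE is where external entities (CVE-2016-4449 style file reads)
    # and recursive entity expansion (CVE-2016-3705 style stack and resource
    # exhaustion) are declared, so refuse the whole body at that point,
    # before the internal subset is even parsed.
    def _on_doctype(self, name, sysid, pubid, has_internal_subset):
        self._reject("DOCTYPE declaration not allowed (entity attacks)")

    def _on_start(self, name, attrs):
        self._depth += 1
        if self._depth > self.max_depth:
            self._reject("element nesting deeper than %d" % self.max_depth)

    def _on_end(self, name):
        self._depth -= 1

    def check(self, body):
        """Return (accepted, reason). body is bytes as read from the wire."""
        self._depth, self.reason = 0, None
        parser = xml.parsers.expat.ParserCreate()
        parser.StartDoctypeDeclHandler = self._on_doctype
        parser.StartElementHandler = self._on_start
        parser.EndElementHandler = self._on_end
        try:
            parser.Parse(body, True)        # True: this is the final chunk
        except XmlRejected:
            return False, self.reason
        except xml.parsers.expat.ExpatError as e:
            return False, "not well-formed: %s" % e
        if self.reason is not None:         # defensive; the handler already raised
            return False, self.reason
        return True, None


# Constructed sample bodies, one per rule; these are not captured traffic.
SAMPLES = {
    "clean":  b'<order><item sku="A1" qty="2"/></order>',
    "broken": b'<order><item></order>',
    "xxe":    (b'<!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/passwd">]>'
               b'<x>&f;</x>'),
    "laughs": (b'<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
               b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
               b'<x>&b;&b;&b;</x>'),
    "deep":   b"<a>" * 300 + b"</a>" * 300,
}


def screen_all(samples=SAMPLES, max_depth=256):
    """Run every sample through the gate; returns {name: (accepted, reason)}."""
    gate = XmlGate(max_depth)
    return {name: gate.check(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in screen_all().items():
        print("%-7s %s %s" % (name, "PASS" if ok else "BLOCK", why or ""))
```

        Like the CPL workaround, a gate of this kind reduces the exposure 
        of an unpatched backend to crafted payloads but does not remove the 
        vulnerable library, and it says nothing about flaws reachable 
        through other input paths, so it is not a substitute for the vendor 
        patch.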


REFERENCES

        [1] SA129: Multiple libxml2 Vulnerabilities
            https://bto.bluecoat.com/security-advisory/sa129

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================