===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2016.2946.2
SA136: OpenSSH Vulnerabilities
10 April 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           OpenSSH
Publisher:         Blue Coat
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Console/Physical
                   Reduced Security  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-8858 CVE-2016-6515 CVE-2016-6210

Reference:         ESB-2016.2583
                   ESB-2016.2453
                   ESB-2016.1804

Revision History:  April 10 2018: Update from vendor: A fix for CVE-2016-6210 and CVE-2016-6515 in SSLV 3.9 is available in 3.9.6.1
                   December 14 2016: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

SA136 : OpenSSH Vulnerabilities

Security Advisory ID: SA136
Published Date: Dec 13, 2016
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVE Number:
CVE-2016-6210 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2016-6515 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2016-8858 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Blue Coat products using affected versions of OpenSSH are susceptible to several vulnerabilities. A remote attacker, with access to the management interface, can exploit these vulnerabilities to enumerate existing user accounts and cause denial of service through excessive CPU consumption and memory exhaustion.

Affected Products:

The following products are vulnerable:

ASG
ASG 6.6 prior to 6.6.5.4 is vulnerable to CVE-2016-8858. ASG 6.7 is not vulnerable.

CacheFlow
CacheFlow 3.4 prior to 3.4.2.8 is vulnerable to CVE-2016-8858.

Director
Director 6.1 prior to 6.1.23.1 is vulnerable to CVE-2016-6515. Director 6.1.22.1 only is also vulnerable to CVE-2016-6210 and CVE-2016-8858.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.10 is vulnerable to CVE-2016-6210 and CVE-2016-6515. MAA 4.2 is also vulnerable to CVE-2016-8858.

Norman Shark Industrial Control System Protection
ICSP 5.3 is vulnerable to all CVEs.

Norman Shark Network Protection
NNP 5.3 is vulnerable to all CVEs.

Norman Shark SCADA Protection
NSP 5.3 is vulnerable to all CVEs.

PacketShaper
PS 9.2 is vulnerable to CVE-2016-8858. The denial of service attack only affects other SSH management connections.

ProxySG
ProxySG 6.5 prior to 6.5.10.1 and 6.6 prior to 6.6.5.4 are vulnerable to CVE-2016-8858. ProxySG 6.7 is not vulnerable.

SSL Visibility
SSLV 3.8.4FC, 3.9, 3.10 prior to 3.10.3.1, and 3.11 prior to 3.11.2.1 are vulnerable to CVE-2016-8858. SSLV 3.8.4FC and 3.9 prior to 3.9.6.1 are vulnerable to CVE-2016-6210 and CVE-2016-6515. SSLV 3.12 is not vulnerable. SSLV 4.0 and later versions are not vulnerable.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-6210 and CVE-2016-6515. Only the APM software in XOS 11.0 is vulnerable.

The following products are not vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
Security Analytics
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details:

This Security Advisory addresses several OpenSSH vulnerabilities announced in July, August, and October 2016. Blue Coat products that include a vulnerable version of OpenSSH and make use of the affected functionality are vulnerable.

o CVE-2016-6210 exploits a timing difference between password authentication of existing and non-existing user accounts. A remote attacker can make authentication attempts with large passwords to enumerate the existing user accounts on the target system.
o CVE-2016-6515 is an insufficient input validation flaw in password authentication. A remote attacker can send a long password string and cause excessive CPU consumption, resulting in denial of service.
o CVE-2016-8858 is a flaw in message handling. A remote attacker can repeatedly send the KEXINIT SSH message to cause memory exhaustion, resulting in denial of service.

Blue Coat products do not enable or use all functionality within OpenSSH.
The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

o PacketShaper: CVE-2016-6210 and CVE-2016-6515

Workarounds:

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

Patches:

ASG
ASG 6.7 - a fix is available in 6.7.2.1.
ASG 6.6 - a fix is available in 6.6.5.4.

CacheFlow
CacheFlow 3.4 - a fix is available in 3.4.2.8.

Director
Director 6.1 - a fix is available in 6.1.23.1.

Malware Analysis Appliance
MAA 4.2 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in 4.2.10. A fix for CVE-2016-8858 is not available at this time.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is not available at this time.

Norman Shark Network Protection
NNP 5.3 - a fix is not available at this time.

Norman Shark SCADA Protection
NSP 5.3 - a fix is not available at this time.

PacketShaper
PS 9.2 - a fix is not available at this time.

ProxySG
ProxySG 6.7 - a fix is available in 6.7.1.1.
ProxySG 6.6 - a fix is available in 6.6.5.4.
ProxySG 6.5 - a fix is available in 6.5.10.1.

SSL Visibility
SSLV 3.12 - a fix is available in 3.12.1.1.
SSLV 3.11 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in 3.11.1.1. SSLV 3.11.2.1 remediates CVE-2016-8858 by restricting the concurrent unauthenticated incoming SSH connections.
SSLV 3.10 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in 3.10.1.1. A fix for CVE-2016-8858 is available in 3.10.3.1.
SSLV 3.9 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in 3.9.6.1. A fix for CVE-2016-8858 will not be provided. Please upgrade to a later version with the vulnerability fixes.
SSLV 3.8.4FC - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

References:

CVE-2016-6210 - https://web.nvd.nist.gov/view/vuln/detail-vulnId=CVE-2016-6210
CVE-2016-6515 - https://web.nvd.nist.gov/view/vuln/detail-vulnId=CVE-2016-6515
CVE-2016-8858 - https://web.nvd.nist.gov/view/vuln/detail-vulnId=CVE-2016-8858

Advisory History:

2018-04-06 A fix for CVE-2016-6210 and CVE-2016-6515 in SSLV 3.9 is available in 3.9.6.1
2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-08-15 A fix for CVE-2016-8858 in SSLV 3.10 is available in 3.10.3.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-29 A fix for CacheFlow 3.4 is available in 3.4.2.8.
2017-04-26 Added CVSS v2 score for CVE-2016-6210 and base score for Security Advisory.
2017-03-29 It was previously reported that ASG 6.6 is not vulnerable to CVE-2016-8858. Further investigation has shown that ASG 6.6 is vulnerable to CVE-2016-8858. A fix is available in 6.6.5.4.
2017-03-29 A fix for ProxySG 6.6 is available in 6.6.5.4.
2017-03-08 A fix for ProxySG 6.5 is available in 6.5.10.1.
2017-03-08 ProxySG 6.7 is not vulnerable because a fix is available in 6.7.1.1. SSLV 4.0 is not vulnerable.
2016-01-25 SSLV 3.11.2.1 remediates CVE-2016-8858 by restricting the number of concurrent unauthenticated incoming SSH connections.
2016-12-13 initial public release
2016-01-20 It was previously reported that ASG, CAS, MTD, MC, PacketShaper S-Series, PolicyCenter S-Series, Reporter 10.1, Security Analytics, and XOS are vulnerable to CVE-2016-8858. Further investigation has shown that these products are not vulnerable.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
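
As an added example (not part of the Blue Coat or AusCERT text), the "Affected Products" statements above can be encoded as rules and run over an appliance inventory to see which CVEs still apply to each release. The rule layout, function names and sample inventory are assumptions made here; only branches with a numeric "prior to" threshold or an explicit missing fix are encoded, so ICSP, NNP, NSP, PacketShaper, SSLV 3.8.4FC and XOS are left out.

```python
# Added example: triage an appliance inventory against SA136's "Affected Products" text.
# Rule = (product, branch, CVE, first fixed release, or None when no fix is listed).
RULES = [
    ("ASG", "6.6", "CVE-2016-8858", "6.6.5.4"),
    ("CacheFlow", "3.4", "CVE-2016-8858", "3.4.2.8"),
    ("Director", "6.1", "CVE-2016-6515", "6.1.23.1"),
    ("MAA", "4.2", "CVE-2016-6210", "4.2.10"),
    ("MAA", "4.2", "CVE-2016-6515", "4.2.10"),
    ("MAA", "4.2", "CVE-2016-8858", None),
    ("ProxySG", "6.5", "CVE-2016-8858", "6.5.10.1"),
    ("ProxySG", "6.6", "CVE-2016-8858", "6.6.5.4"),
    ("SSLV", "3.9", "CVE-2016-6210", "3.9.6.1"),
    ("SSLV", "3.9", "CVE-2016-6515", "3.9.6.1"),
    ("SSLV", "3.9", "CVE-2016-8858", None),
    ("SSLV", "3.10", "CVE-2016-8858", "3.10.3.1"),
    ("SSLV", "3.11", "CVE-2016-8858", "3.11.2.1"),
]
# "Director 6.1.22.1 only is also vulnerable to CVE-2016-6210 and CVE-2016-8858."
EXACT = {("Director", "6.1.22.1"): ["CVE-2016-6210", "CVE-2016-8858"]}

def vtuple(version):
    """Turn '6.6.5.4' into (6, 6, 5, 4) so that 3.10 sorts after 3.9."""
    return tuple(int(part) for part in version.split("."))

def in_branch(version, branch):
    v, b = vtuple(version), vtuple(branch)
    return v[:len(b)] == b

def affected_cves(product, version):
    hits = set(EXACT.get((product, version), []))
    for prod, branch, cve, fixed in RULES:
        if prod == product and in_branch(version, branch):
            if fixed is None or vtuple(version) < vtuple(fixed):
                hits.add(cve)
    return sorted(hits)

# Constructed inventory, not taken from the advisory.
INVENTORY = [("ProxySG", "6.5.9.2"), ("SSLV", "3.10.2.1"), ("Director", "6.1.22.1"),
             ("MAA", "4.2.10"), ("ASG", "6.6.5.4")]

def triage(inventory):
    return {f"{p} {v}": affected_cves(p, v) for p, v in inventory}

if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(host, "->", ", ".join(cves) or "no CVE from SA136 applies")
```

An empty result means only that none of the encoded rules matched; check it against the vendor's current advisory, since the fix list changed across the revisions in the Advisory History.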