===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0109
             SA139: November 2016 NTP Security Vulnerabilities
                              13 January 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bluecoat Products
Publisher:         Bluecoat
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9312 CVE-2016-9311 CVE-2016-9310
                   CVE-2016-7434 CVE-2016-7433 CVE-2016-7431
                   CVE-2016-7429 CVE-2016-7428 CVE-2016-7427
                   CVE-2016-7426  

Reference:         ESB-2017.0030
                   ESB-2016.3091
                   ESB-2016.3026
                   ESB-2016.2803

Original Bulletin: 
   https://bto.bluecoat.com/security-advisory/sa139

--------------------------BEGIN INCLUDED TEXT--------------------

SA139: November 2016 NTP Security Vulnerabilities

Security Advisories ID:
SA139

Published Date:
January 12, 2017

Advisory Status:
Interim

Advisory Severity:
High

CVSS v2 base score: TBD

CVE Number:

CVE-2016-7426
CVE-2016-7427
CVE-2016-7428
CVE-2016-7429
CVE-2016-7431
CVE-2016-7433
CVE-2016-7434
CVE-2016-9310
CVE-2016-9311
CVE-2016-9312

Blue Coat products using affected versions of the NTP reference
implementation from ntp.org are susceptible to multiple vulnerabilities.
A remote attacker can modify the target's system time, prevent the target
from synchronizing its time, cause denial of service through NTP daemon
crashes, perform DDoS attack amplification, and evade security monitoring
in the NTP daemon.

CVSS v2 base scores will be provided when the National Vulnerability Database
(NVD) scoring is complete.

Affected Products:

The following products are vulnerable:

Content Analysis System
CAS 1.3 is vulnerable to CVE-2016-7429 and CVE-2016-7433.

Director
Director 6.1 is vulnerable to all CVEs except CVE-2016-7429.

Management Center
MC 1.8 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-7429 and CVE-2016-7433.

Security Analytics
Security Analytics 6.6, 7.1, and 7.2 are vulnerable to CVE-2016-7426,
CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, and CVE-2016-9311.  Security
Analytics 6.6 with the ntp-4.2.8p8 RPM patch, 7.1 with the ntp-4.2.8p8 RPM,
and 7.2.2 are also vulnerable to CVE-2016-7427, CVE-2016-7428, CVE-2016-7431,
and CVE-2016-7434.

SSL Visibility
SSLV 3.9, 3.10, and 3.11 are vulnerable to CVE-2016-7431 and CVE-2016-7433.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-7426, CVE-2016-7429,
CVE-2016-7433, CVE-2016-9310, and CVE-2016-9311.

The following products contain a vulnerable version of the ntp.org NTP
reference implementation, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 has a vulnerable version of the ntp.org NTP reference implementation.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent

The following products are under investigation:

Reporter

Blue Coat no longer provides vulnerability information for the following
products:

DLP
Please contact Digital Guardian technical support regarding vulnerability
information for DLP.

Advisory Details:

This Security Advisory addresses multiple vulnerabilities in the ntp.org NTP
reference implementation announced in November 2016.  Blue Coat products
that include a vulnerable version of the NTP reference implementation and
make use of the affected functionality are vulnerable.

    CVE-2016-7426 is a flaw in rate limiting that allows a remote attacker to
    send NTP packets with spoofed source IP addresses and cause the target
    to reject legitimate packets from configured NTP servers.  The attacker
    can thus prevent the target from synchronizing its system time.

    CVE-2016-7427 is a flaw in NTP broadcast packet replay prevention that
    allows a remote attacker with access to the NTP broadcast domain to send
    crafted broadcast packets and cause the target to reject legitimate
    packets from NTP broadcast servers.  The attacker can thus prevent
    the target from synchronizing its system time.

    CVE-2016-7428 is a flaw in NTP broadcast packet poll interval enforcement
    that allows a remote attacker with access to the NTP broadcast domain
    to send crafted broadcast packets and cause the target to reject
    legitimate packets from NTP broadcast servers.  The attacker can thus
    prevent the target from synchronizing its system time.

    CVE-2016-7429 is a flaw in the NTP daemon when it listens on multiple
    network interfaces and the operating system does not validate the
    source address of received packets.  A remote attacker can send an
    NTP packet with a spoofed source IP address on an unexpected network
    interface to corrupt the NTP daemon's internal state and prevent it
    from synchronizing the system time.

    CVE-2016-7431 is a flaw in NTP packet origin timestamp validation that
    allows a remote attacker to send crafted NTP packets and either
    modify the target's system time or prevent it from synchronizing
    its time.

    CVE-2016-7433 is a flaw in initial time synchronization that allows a
    remote attacker to send a spoofed NTP response and modify the target's
    system time.

    CVE-2016-7434 is a flaw in mrulist query handling that allows a remote
    attacker to send crafted query requests to the NTP daemon and cause
    it to crash, resulting in denial of service.

    CVE-2016-9310 is a missing authorization flaw that allows a remote
    attacker to send query requests and obtain sensitive information,
    perform DDoS attack amplification, and evade security monitoring in
    the target's NTP daemon.

    CVE-2016-9311 is a flaw in remote query handling that allows a remote
    attacker to send crafted query requests to the NTP daemon and cause
    it to crash, resulting in denial of service.

    CVE-2016-9312 is a flaw in oversized packet handling on Windows
    platforms that allows a remote attacker to send crafted NTP packets
    to the NTP daemon and cause it to crash, resulting in denial of service.

Blue Coat products do not enable or use all functionality within the
ntp.org NTP reference implementation.  The products listed below do not
utilize the functionality described in the CVEs below and are thus not
known to be vulnerable to them.  However, fixes for these CVEs will be
included in the patches that are provided.

    ASG: all CVEs
    CAS: CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311
    Director: CVE-2016-7429
    MTD: CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311
    MC: CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, and CVE-2016-9311
    Security Analytics: CVE-2016-9312
    SSLV: all CVEs except CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312

Workarounds:

These vulnerabilities can be exploited only through the management network
port for CAS, Director, MTD, MC, Security Analytics, SSLV, and XOS.
Restricting access to the management network port to machines, IP addresses
and subnets on a trusted network reduces the threat of exploitation of
the vulnerabilities.

By default, Director does not enable unrestricted rate limiting, NTP
broadcast mode, and remote querying in the NTP daemon.  Customers who
leave these NTP features disabled prevent attacks against Director using
CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310,
and CVE-2016-9311.

By default, Security Analytics does not enable unrestricted rate limiting,
NTP broadcast mode, and remote querying in the NTP daemon.  The Security
Analytics NTP daemon also does not listen by default on multiple network
interfaces.  Customers who leave these NTP features disabled prevent attacks
against Security Analytics using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428,
CVE-2016-7429, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.

By default, XOS does not enable unrestricted rate limiting and remote
querying in the NTP daemon.  Customers who leave this behavior unchanged
prevent attacks against XOS using CVE-2016-7426, CVE-2016-9310, and
CVE-2016-9311.
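The CVE descriptions and the workarounds above both turn on four ntpd features: remote querying, rate limiting, broadcast mode, and listening on multiple interfaces. The check below is an added illustration, not part of the Blue Coat advisory or any product's own configuration: it audits a host's ntp.conf (ntp.org reference implementation syntax) for those four features and names the CVEs the advisory associates with each. Both sample configurations are constructed; only standard ntp.conf directives are used.

```python
# Added example, not from the Blue Coat advisory: flag ntp.conf settings that
# enable the features the advisory's workarounds tie to these CVEs.
# Both configurations below are constructed samples.

WEAK_CONF = """\
# constructed sample: every feature the workarounds mention is enabled
server 0.pool.ntp.org iburst
restrict default limited kod nomodify notrap
broadcastclient
interface listen eth0
interface listen eth1
"""

HARDENED_CONF = """\
# constructed sample: remote queries, rate limiting and broadcast mode off,
# ntpd bound to a single interface
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
interface ignore wildcard
interface listen eth0
"""


def audit_ntp_conf(text):
    """Return (finding, related CVEs) pairs for an ntp.conf in the ntp.org
    reference implementation's syntax. Comments are stripped; the -4/-6
    address-family flags on 'restrict' lines are ignored for matching."""
    rules = []
    for raw in text.splitlines():
        toks = [t for t in raw.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if toks:
            rules.append(toks)
    findings = []
    default_restrict = [r for r in rules if r[:2] == ["restrict", "default"]]
    # Mode 6/7 queries (ntpq/ntpdc) stay reachable unless every default
    # restriction carries 'noquery'.
    if not default_restrict or any("noquery" not in r for r in default_restrict):
        findings.append(("remote querying allowed: no 'restrict default ... noquery'",
                         "CVE-2016-7434 CVE-2016-9310 CVE-2016-9311"))
    # 'limited' on the default restriction turns on rate limiting for all peers.
    if any("limited" in r for r in default_restrict):
        findings.append(("rate limiting enabled: 'limited' on the default restriction",
                         "CVE-2016-7426"))
    # Broadcast/multicast client mode accepts time from servers on the segment.
    if any(r[0] in ("broadcastclient", "multicastclient") for r in rules):
        findings.append(("NTP broadcast client mode enabled", "CVE-2016-7427 CVE-2016-7428"))
    # With no 'interface' rules ntpd binds every interface; more than one explicit
    # 'interface listen' does the same. (Crude check: rule precedence is not modelled.)
    listens = [r for r in rules if r[:2] == ["interface", "listen"]]
    if not any(r[0] == "interface" for r in rules) or len(listens) > 1:
        findings.append(("ntpd listens on multiple network interfaces", "CVE-2016-7429"))
    return findings
```

A clean result only means the exposed feature set matches the advisory's safe defaults; an unpatched ntpd remains vulnerable to CVE-2016-7431 and CVE-2016-7433 regardless of configuration.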

Patches:

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Content Analysis System
CAS 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.8 - a fix is not available at this time.

Security Analytics
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.
Security Analytics 6.6 - a fix is not available at this time.

SSL Visibility
SSLV 3.11 - a fix is not available at this time.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

References:

NTP.org Security Notice -
http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_...
Vulnerability Note VU#633847 - http://www.kb.cert.org/vuls/id/633847
CVE-2016-7426 - https://access.redhat.com/security/cve/cve-2016-7426
CVE-2016-7427 - https://access.redhat.com/security/cve/cve-2016-7427
CVE-2016-7428 - https://access.redhat.com/security/cve/cve-2016-7428
CVE-2016-7429 - https://access.redhat.com/security/cve/cve-2016-7429
CVE-2016-7431 - https://access.redhat.com/security/cve/cve-2016-7431
CVE-2016-7433 - https://access.redhat.com/security/cve/cve-2016-7433
CVE-2016-7434 - https://access.redhat.com/security/cve/cve-2016-7434
CVE-2016-9310 - https://access.redhat.com/security/cve/cve-2016-9310
CVE-2016-9311 - https://access.redhat.com/security/cve/cve-2016-9311
CVE-2016-9312 - https://access.redhat.com/security/cve/cve-2016-9312

Advisory History:

2017-01-12 initial public release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================