===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0109
              SA139: November 2016 NTP Security Vulnerabilities
                               13 January 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bluecoat Products
Publisher:         Bluecoat
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9312 CVE-2016-9311 CVE-2016-9310 CVE-2016-7434
                   CVE-2016-7433 CVE-2016-7431 CVE-2016-7429 CVE-2016-7428
                   CVE-2016-7427 CVE-2016-7426
Reference:         ESB-2017.0030 ESB-2016.3091 ESB-2016.3026 ESB-2016.2803

Original Bulletin:
   https://bto.bluecoat.com/security-advisory/sa139

--------------------------BEGIN INCLUDED TEXT--------------------

SA139: November 2016 NTP Security Vulnerabilities

Security Advisories ID: SA139
Published Date: January 12, 2017
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: TBD
CVE Number: CVE-2016-7426 CVE-2016-7427 CVE-2016-7428 CVE-2016-7429 CVE-2016-7431 CVE-2016-7433 CVE-2016-7434 CVE-2016-9310 CVE-2016-9311 CVE-2016-9312

Blue Coat products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities. A remote attacker can modify the target's system time, prevent the target from synchronizing its time, cause denial of service through NTP daemon crashes, perform DDoS attack amplification, and evade security monitoring in the NTP daemon.

CVSS v2 base scores will be provided when the National Vulnerability Database (NVD) scoring is complete.

Affected Products:

The following products are vulnerable:

Content Analysis System
CAS 1.3 is vulnerable to CVE-2016-7429 and CVE-2016-7433.

Director
Director 6.1 is vulnerable to all CVEs except CVE-2016-7429.
Management Center
MC 1.8 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-7429 and CVE-2016-7433.

Security Analytics
Security Analytics 6.6, 7.1, and 7.2 are vulnerable to CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, and CVE-2016-9311. Security Analytics 6.6 with the ntp-4.2.8p8 RPM patch, 7.1 with the ntp-4.2.8p8 RPM, and 7.2.2 are also vulnerable to CVE-2016-7427, CVE-2016-7428, CVE-2016-7431, and CVE-2016-7434.

SSL Visibility
SSLV 3.9, 3.10, and 3.11 are vulnerable to CVE-2016-7431 and CVE-2016-7433.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, and CVE-2016-9311.

The following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 has a vulnerable version of the ntp.org NTP reference implementation.

The following products are not vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent

The following products are under investigation:

Reporter

Blue Coat no longer provides vulnerability
information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details:

This Security Advisory addresses multiple vulnerabilities in the ntp.org NTP reference implementation announced in November 2016. Blue Coat products that include a vulnerable version of the NTP reference implementation and make use of the affected functionality are vulnerable.

CVE-2016-7426 is a flaw in rate limiting that allows a remote attacker to send NTP packets with spoofed source IP addresses and cause the target to reject legitimate packets from configured NTP servers. The attacker can thus prevent the target from synchronizing its system time.

CVE-2016-7427 is a flaw in NTP broadcast packet replay prevention that allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time.

CVE-2016-7428 is a flaw in NTP broadcast packet poll interval enforcement that allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time.

CVE-2016-7429 is a flaw in the NTP daemon when it listens on multiple network interfaces and the operating system does not validate the source address of received packets. A remote attacker can send an NTP packet with a spoofed source IP address on an unexpected network interface to corrupt the NTP daemon's internal state and prevent it from synchronizing the system time.

CVE-2016-7431 is a flaw in NTP packet origin timestamp validation that allows a remote attacker to send crafted NTP packets and either modify the target's system time or prevent it from synchronizing its time.
CVE-2016-7433 is a flaw in initial time synchronization that allows a remote attacker to send a spoofed NTP response and modify the target's system time.

CVE-2016-7434 is a flaw in mrulist query handling that allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service.

CVE-2016-9310 is a missing authorization flaw that allows a remote attacker to send query requests and obtain sensitive information, perform DDoS attack amplification, and evade security monitoring in the target's NTP daemon.

CVE-2016-9311 is a flaw in remote query handling that allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service.

CVE-2016-9312 is a flaw in oversized packet handling on Windows platforms that allows a remote attacker to send crafted NTP packets to the NTP daemon and cause it to crash, resulting in denial of service.

Blue Coat products do not enable or use all functionality within the ntp.org NTP reference implementation. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

ASG: all CVEs
CAS: CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311
Director: CVE-2016-7429
MTD: CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311
MC: CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, and CVE-2016-9311
Security Analytics: CVE-2016-9312
SSLV: all CVEs except CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312

Workarounds:

These vulnerabilities can be exploited only through the management network port for CAS, Director, MTD, MC, Security Analytics, SSLV, and XOS. Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.
By default, Director does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon. Customers who leave these NTP features disabled prevent attacks against Director using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.

By default, Security Analytics does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon. The Security Analytics NTP daemon also does not listen by default on multiple network interfaces. Customers who leave these NTP features disabled prevent attacks against Security Analytics using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.

By default, XOS does not enable unrestricted rate limiting and remote querying in the NTP daemon. Customers who leave this behavior unchanged prevent attacks against XOS using CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311.

Patches:

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Content Analysis System
CAS 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.8 - a fix is not available at this time.

Security Analytics
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.
Security Analytics 6.6 - a fix is not available at this time.

SSL Visibility
SSLV 3.11 - a fix is not available at this time.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

References:

NTP.org Security Notice - http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_...
Vulnerability Note VU#633847 - http://www.kb.cert.org/vuls/id/633847
CVE-2016-7426 - https://access.redhat.com/security/cve/cve-2016-7426
CVE-2016-7427 - https://access.redhat.com/security/cve/cve-2016-7427
CVE-2016-7428 - https://access.redhat.com/security/cve/cve-2016-7428
CVE-2016-7429 - https://access.redhat.com/security/cve/cve-2016-7429
CVE-2016-7431 - https://access.redhat.com/security/cve/cve-2016-7431
CVE-2016-7433 - https://access.redhat.com/security/cve/cve-2016-7433
CVE-2016-7434 - https://access.redhat.com/security/cve/cve-2016-7434
CVE-2016-9310 - https://access.redhat.com/security/cve/cve-2016-9310
CVE-2016-9311 - https://access.redhat.com/security/cve/cve-2016-9311
CVE-2016-9312 - https://access.redhat.com/security/cve/cve-2016-9312

Advisory History:

2017-01-12 initial public release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
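The Workarounds section of the included advisory rests on three ntpd features staying disabled: unrestricted rate limiting, NTP broadcast mode, and remote querying. As an added illustration for a generic host running the ntp.org reference implementation (not part of the Blue Coat advisory or the AusCERT bulletin, and not an appliance setting), the ntp.conf below shows each weak directive commented out beside the hardened form; the server names and the eth0 interface are placeholders assumed for this example.

```conf
# Added example ntp.conf for the ntp.org reference implementation (ntpd).
# Keeps the three features named in the advisory's Workarounds section
# disabled. Server names and the interface name are placeholders.

# WEAK (left commented out): "limited"/"kod" in the default restriction
# rate-limits every source, including this host's own configured servers,
# which is the condition CVE-2016-7426 needs to make ntpd drop legitimate
# server packets after a spoofed flood.
# restrict default kod limited nomodify notrap nopeer noquery

# Hardened default: time service only, no control queries, no runtime
# modification, no peering, and no "limited", so nothing is rate-limited.
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery

# Configured sources: exchange time only; still no queries or modification.
restrict source nomodify notrap noquery

# Local control with ntpq is allowed from loopback only.
restrict 127.0.0.1
restrict -6 ::1

# Remote querying: "noquery" above already refuses mode 6/7 control traffic,
# the path used by the mrulist crash (CVE-2016-7434) and the query flaws
# (CVE-2016-9310, CVE-2016-9311). "disable monitor" additionally stops ntpd
# from keeping the MRU client list those queries would read.
disable monitor

# Broadcast mode stays off: no broadcastclient/multicastclient directive, so
# the broadcast replay and poll-interval flaws (CVE-2016-7427, CVE-2016-7428)
# have no listener on this host.
# broadcastclient            # WEAK: do not enable on an unpatched host

# Unicast servers only (placeholder names).
server ntp1.example.internal iburst
server ntp2.example.internal iburst

# CVE-2016-7429 concerns ntpd listening on multiple interfaces; binding to
# the single interface that reaches the time servers (assumed eth0) removes
# the "unexpected interface" the advisory describes.
interface ignore wildcard
interface listen eth0
```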