===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0973
               SA147: March 2017 NTP Security Vulnerabilities
                               18 April 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bluecoat products
Publisher:         Bluecoat
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6464 CVE-2017-6463 CVE-2017-6462
                   CVE-2017-6460 CVE-2017-6459 CVE-2017-6458
                   CVE-2017-6455 CVE-2017-6452 CVE-2017-6451
                   CVE-2016-9042 CVE-2016-6459

Reference:         ESB-2017.0947

Original Bulletin:
   https://bto.bluecoat.com/security-advisory/sa147

--------------------------BEGIN INCLUDED TEXT--------------------

SA147: March 2017 NTP Security Vulnerabilities

Security Advisories ID: SA147
Published Date:         April 13, 2017
Advisory Status:        Interim
Advisory Severity:      Medium
CVSS v2 base score:     TBD

CVE Number:

CVE-2016-9042 - TBD
CVE-2017-6451 - 4.6 (MEDIUM) (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-6452 - 4.6 (MEDIUM) (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-6455 - 4.4 (MEDIUM) (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE-2017-6458 - 6.5 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE-2017-6459 - 2.1 (LOW) (AV:L/AC:L/Au:N/C:N/I:N/A:P)
CVE-2017-6460 - 6.5 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE-2017-6462 - 4.6 (MEDIUM) (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-6463 - 4.0 (MEDIUM) (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVE-2017-6464 - 4.0 (MEDIUM) (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Blue Coat products using affected versions of the NTP reference
implementation from ntp.org are susceptible to multiple vulnerabilities. A
remote attacker can exploit these vulnerabilities to cause denial of service
through application crashes. A local attacker can exploit these
vulnerabilities to execute arbitrary code.

CVSS v2 base scores will be provided when the National Vulnerability Database
(NVD) scoring is complete. The advisory severity may be adjusted once the
CVSS v2 base scores become available.

Affected Products:

The following products are vulnerable:

Content Analysis System
CAS 1.3 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and
CVE-2017-6464.

Director
Director 6.1 is vulnerable to all CVEs except CVE-2017-6452 and
CVE-2016-6459.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and
CVE-2017-6464.

Management Center
MC 1.9 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and
CVE-2017-6464.

SSL Visibility
SSLV 3.8.4FC, 3.9, 3.10, 3.11, and 4.0 are vulnerable to CVE-2017-6460,
CVE-2017-6463, and CVE-2017-6464. SSLV 4.0 is also vulnerable to
CVE-2016-9042.

The following products contain a vulnerable version of the ntp.org NTP
reference implementation, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 has a vulnerable version of the ntp.org NTP reference implementation.

The following products are not vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Unified Agent
ProxySG

The following products are under investigation:

Reporter
Security Analytics
X-Series XOS

Advisory Details:

This Security Advisory addresses multiple vulnerabilities in the ntp.org NTP
reference implementation announced in March 2017. Blue Coat products that
include a vulnerable version of the NTP reference implementation and make use
of the affected functionality are vulnerable.

CVE-2016-9042 is a flaw in ntpd origin timestamp validation. A remote
attacker who can spoof packets from a configured time server can cause ntpd
to discard responses from that server. A remote attacker who can spoof
packets from all configured time servers can prevent ntpd from adjusting the
system time, resulting in denial of service.

CVE-2017-6451 is an out-of-bounds write flaw in the legacy MX4200 refclock
that allows a local attacker to execute arbitrary code via unspecified
vectors.

CVE-2017-6452 is an out-of-bounds write flaw in the NTP library Windows
installer that allows a local attacker to pass in a crafted application path
and have unspecified impact.

CVE-2017-6455 is a flaw in ntpd under Windows NT that allows a local attacker
to specify a malicious DLL in the PPSAPI_DLLS environment variable and
execute arbitrary code within ntpd.

CVE-2017-6458 is a flaw in ntpd that allows a remote attacker to send query
requests and have unspecified impact. Successful exploitation requires the
query responses to include custom variables with long names, which have been
pre-configured in the ntpd configuration file.

CVE-2017-6459 is a flaw in the NTP library Windows installer that allows
local attackers to have unspecified impact via vectors related to an argument
with multiple NULL bytes.

CVE-2017-6460 is a flaw in ntpq that allows a malicious remote NTP server to
send a crafted list response and cause a stack-based buffer overflow. The
malicious server can execute arbitrary code on the host running ntpq or cause
ntpq to crash.

CVE-2017-6462 is a flaw in the legacy Datum Programmable Time Server (DPTS)
refclock driver that allows local attackers to cause a buffer overflow in
ntpd via a crafted /dev/datum device file, and have unspecified impact.

CVE-2017-6463 is a flaw in ntpd that allows a remote authenticated attacker
to send a crafted unpeer configuration request and cause ntpd to crash,
resulting in denial of service.

CVE-2017-6464 is a flaw in ntpd that allows a remote authenticated attacker
to send a crafted mode configuration request and cause ntpd to crash,
resulting in denial of service.

Blue Coat products do not enable or use all functionality within the ntp.org
NTP reference implementation. The products listed below do not utilize the
functionality described in the CVEs below and are thus not known to be
vulnerable to them. However, fixes for these CVEs will be included in the
patches that are provided.

ASG: all CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459
CAS: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
MTD: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
MC: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
SSLV: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462

Workarounds:

These vulnerabilities can be exploited only through the management network
port for Director, MTD, MC, and SSLV. Allowing only machines, IP addresses
and subnets from a trusted network to access the management network port
reduces the threat of exploiting the vulnerabilities.

By default, Director does not use the PPSAPI_DLLS environment variable,
custom variables with long names, or the DPTS refclock. Customers who leave
these NTP features disabled prevent attacks against Director using
CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462.

Patches:

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Content Analysis System
CAS 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.9 - a fix is not available at this time.

SSL Visibility
SSLV 4.0 - a fix is not available at this time.
SSLV 3.11 - a fix is not available at this time.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix will not be provided. Please upgrade to a later version with
the vulnerability fixes.
SSLV 3.8.4FC - a fix will not be provided. Please upgrade to a later version
with the vulnerability fixes.

References:

NTP Security Notice - http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu
CVE-2016-9042 - https://access.redhat.com/security/cve/CVE-2016-9042
CVE-2017-6451 - https://nvd.nist.gov/vuln/detail/CVE-2017-6451
CVE-2017-6452 - https://nvd.nist.gov/vuln/detail/CVE-2017-6452
CVE-2017-6455 - https://nvd.nist.gov/vuln/detail/CVE-2017-6455
CVE-2017-6458 - https://nvd.nist.gov/vuln/detail/CVE-2017-6458
CVE-2017-6459 - https://nvd.nist.gov/vuln/detail/CVE-2017-6459
CVE-2017-6460 - https://nvd.nist.gov/vuln/detail/CVE-2017-6460
CVE-2017-6462 - https://nvd.nist.gov/vuln/detail/CVE-2017-6462
CVE-2017-6463 - https://nvd.nist.gov/vuln/detail/CVE-2017-6463
CVE-2017-6464 - https://nvd.nist.gov/vuln/detail/CVE-2017-6464

Advisory History:

2017-04-13 initial public release

Copyright 2017, Blue Coat Systems, Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================