===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0973
              SA147: March 2017 NTP Security Vulnerabilities
                               18 April 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Bluecoat products
Publisher:         Bluecoat
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6464 CVE-2017-6463 CVE-2017-6462
                   CVE-2017-6460 CVE-2017-6459 CVE-2017-6458
                   CVE-2017-6455 CVE-2017-6452 CVE-2017-6451
                   CVE-2016-9042 CVE-2016-6459 

Reference:         ESB-2017.0947

Original Bulletin: 
   https://bto.bluecoat.com/security-advisory/sa147

--------------------------BEGIN INCLUDED TEXT--------------------

SA147: March 2017 NTP Security Vulnerabilities

Security Advisories ID: SA147

Published Date: April 13, 2017

Advisory Status: Interim

Advisory Severity: Medium

CVSS v2 base score: TBD

CVE Number: 
CVE-2016-9042 - TBD
CVE-2017-6451 - 4.6 (MEDIUM) (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-6452 - 4.6 (MEDIUM) (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-6455 - 4.4 (MEDIUM) (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE-2017-6458 - 6.5 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE-2017-6459 - 2.1 (LOW) (AV:L/AC:L/Au:N/C:N/I:N/A:P)
CVE-2017-6460 - 6.5 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE-2017-6462 - 4.6 (MEDIUM) (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-6463 - 4.0 (MEDIUM) (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVE-2017-6464 - 4.0 (MEDIUM) (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Blue Coat products using affected versions of the NTP reference implementation
from ntp.org are susceptible to multiple vulnerabilities. A remote attacker
can exploit these vulnerabilities to cause denial of service through
application crashes. A local attacker can exploit these vulnerabilities to
execute arbitrary code.

CVSS v2 base scores will be provided when the National Vulnerability Database
(NVD) scoring is complete. The advisory severity may be adjusted once the CVSS
v2 base scores become available.
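
Added example (not part of the Blue Coat advisory or the AusCERT bulletin): the CVSS v2 base equations applied to the vectors listed above, reproducing each stated score and picking out the CVEs whose vector is network-reachable (AV:N), which are the ones the management-port restriction under Workarounds addresses. Function and variable names are illustrative.

```python
# CVSS v2 base equations and metric weights are from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
# CVE -> (vector, score) exactly as listed in the advisory; CVE-2016-9042 is
# omitted because its score is still "TBD" there.
ADVISORY = {
    "CVE-2017-6451": ("AV:L/AC:L/Au:N/C:P/I:P/A:P", 4.6),
    "CVE-2017-6452": ("AV:L/AC:L/Au:N/C:P/I:P/A:P", 4.6),
    "CVE-2017-6455": ("AV:L/AC:M/Au:N/C:P/I:P/A:P", 4.4),
    "CVE-2017-6458": ("AV:N/AC:L/Au:S/C:P/I:P/A:P", 6.5),
    "CVE-2017-6459": ("AV:L/AC:L/Au:N/C:N/I:N/A:P", 2.1),
    "CVE-2017-6460": ("AV:N/AC:L/Au:S/C:P/I:P/A:P", 6.5),
    "CVE-2017-6462": ("AV:L/AC:L/Au:N/C:P/I:P/A:P", 4.6),
    "CVE-2017-6463": ("AV:N/AC:L/Au:S/C:N/I:N/A:P", 4.0),
    "CVE-2017-6464": ("AV:N/AC:L/Au:S/C:N/I:N/A:P", 4.0),
}

def parse_vector(vector):
    """Split 'AV:L/AC:L/...' into a dict; reject missing or unknown metrics."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if set(metrics) != set(WEIGHTS) or any(
            v not in WEIGHTS[k] for k, v in metrics.items()):
        raise ValueError(f"not a complete CVSS v2 base vector: {vector!r}")
    return metrics

def base_score(vector):
    """CVSS v2 base score, rounded to one decimal place."""
    w = {k: WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    if impact == 0:  # f(Impact) = 0 when there is no impact
        return 0.0
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)

def severity(score):
    """NVD qualitative rating for a CVSS v2 base score."""
    return "LOW" if score < 4.0 else "MEDIUM" if score < 7.0 else "HIGH"

def network_reachable():
    """CVEs from the advisory whose vector has Access Vector = Network."""
    return sorted(c for c, (v, _) in ADVISORY.items()
                  if parse_vector(v)["AV"] == "N")

if __name__ == "__main__":
    for cve, (vec, stated) in sorted(ADVISORY.items()):
        print(cve, vec, stated, base_score(vec), severity(base_score(vec)))
```
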

Affected Products: 

The following products are vulnerable:

Content Analysis System
CAS 1.3 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and
CVE-2017-6464.

Director
Director 6.1 is vulnerable to all CVEs except CVE-2017-6452 and CVE-2016-6459.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and
CVE-2017-6464.

Management Center
MC 1.9 is vulnerable to CVE-2016-9042, CVE-2017-6460, CVE-2017-6463, and
CVE-2017-6464.

SSL Visibility
SSLV 3.8.4FC, 3.9, 3.10, 3.11, and 4.0 are vulnerable to CVE-2017-6460,
CVE-2017-6463, and CVE-2017-6464. SSLV 4.0 is also vulnerable to
CVE-2016-9042.

The following products contain a vulnerable version of the ntp.org NTP
reference implementation, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 has a vulnerable version of the ntp.org NTP reference implementation.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Unified Agent
ProxySG

The following products are under investigation:
Reporter
Security Analytics
X-Series XOS

Advisory Details: 

This Security Advisory addresses multiple vulnerabilities in the ntp.org NTP
reference implementation announced in March 2017. Blue Coat products that
include a vulnerable version of the NTP reference implementation and make use
of the affected functionality are vulnerable.

   CVE-2016-9042 is a flaw in ntpd origin timestamp validation. A remote
    attacker who can spoof packets from a configured time server can cause ntpd
    to discard responses from that server. A remote attacker who can spoof
    packets from all configured time servers can prevent ntpd from adjusting
    the system time, resulting in denial of service.
   CVE-2017-6451 is an out-of-bounds write flaw in the legacy MX4200 refclock
    that allows a local attacker to execute arbitrary code via unspecified
    vectors.
   CVE-2017-6452 is an out-of-bounds write flaw in the NTP library Windows
    installer that allows a local attacker to pass in a crafted application
    path and have unspecified impact.
   CVE-2017-6455 is a flaw in ntpd under Windows NT that allows a local
    attacker to specify a malicious DLL in the PPSAPI_DLLS environment variable
    and execute arbitrary code within ntpd.
   CVE-2017-6458 is a flaw in ntpd that allows a remote attacker to send query
    requests and have unspecified impact. Successful exploitation requires the
    query responses to include custom variables with long names, which have
    been pre-configured in the ntpd configuration file.
   CVE-2017-6459 is a flaw in the NTP library Windows installer that allows
    local attackers to have unspecified impact via vectors related to an
    argument with multiple NULL bytes.
   CVE-2017-6460 is a flaw in ntpq that allows a malicious remote NTP server
    to send a crafted list response and cause a stack-based buffer overflow.
    The malicious server can execute arbitrary code on the host running ntpq or
    cause ntpq to crash.
   CVE-2017-6462 is a flaw in the legacy Datum Programmable Time Server (DPTS)
    refclock driver that allows local attackers to cause a buffer overflow in
    ntpd via a crafted /dev/datum device file, and have unspecified impact.
   CVE-2017-6463 is a flaw in ntpd that allows a remote authenticated attacker
    to send a crafted unpeer configuration request and cause ntpd to crash,
    resulting in denial of service.
   CVE-2017-6464 is a flaw in ntpd that allows a remote authenticated attacker
    to send a crafted mode configuration request and cause ntpd to crash,
    resulting in denial of service.

Blue Coat products do not enable or use all functionality within the ntp.org
NTP reference implementation. The products listed below do not utilize the
functionality described in the CVEs below and are thus not known to be
vulnerable to them. However, fixes for these CVEs will be included in the
patches that are provided.

   ASG: all CVEs except CVE-2017-6451, CVE-2017-6452, and CVE-2017-6459
   CAS: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
   MTD: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
   MC: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462
   SSLV: CVE-2017-6455, CVE-2017-6458, and CVE-2017-6462

Workarounds: 

For Director, MTD, MC, and SSLV, these vulnerabilities can be exploited only
through the management network port. Allowing only machines, IP addresses, and
subnets from a trusted network to access the management network port reduces
the threat of exploiting the vulnerabilities.

By default, Director does not use the PPSAPI_DLLS environment variable, custom
variables with long names, or the DPTS refclock. Customers who leave these
NTP features disabled prevent attacks against Director using CVE-2017-6455,
CVE-2017-6458, and CVE-2017-6462.

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Content Analysis System
CAS 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.9 - a fix is not available at this time.

SSL Visibility
SSLV 4.0 - a fix is not available at this time.
SSLV 3.11 - a fix is not available at this time.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix will not be provided. Please upgrade to a later version with
the vulnerability fixes.
SSLV 3.8.4FC - a fix will not be provided. Please upgrade to a later version
with the vulnerability fixes.

References: 

NTP Security Notice - http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu
CVE-2016-9042 - https://access.redhat.com/security/cve/CVE-2016-9042
CVE-2017-6451 - https://nvd.nist.gov/vuln/detail/CVE-2017-6451
CVE-2017-6452 - https://nvd.nist.gov/vuln/detail/CVE-2017-6452
CVE-2017-6455 - https://nvd.nist.gov/vuln/detail/CVE-2017-6455
CVE-2017-6458 - https://nvd.nist.gov/vuln/detail/CVE-2017-6458
CVE-2017-6459 - https://nvd.nist.gov/vuln/detail/CVE-2017-6459
CVE-2017-6460 - https://nvd.nist.gov/vuln/detail/CVE-2017-6460
CVE-2017-6462 - https://nvd.nist.gov/vuln/detail/CVE-2017-6462
CVE-2017-6463 - https://nvd.nist.gov/vuln/detail/CVE-2017-6463
CVE-2017-6464 - https://nvd.nist.gov/vuln/detail/CVE-2017-6464

Advisory History: 

2017-04-13 initial public release

Copyright © 2017, Blue Coat Systems, Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================