===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0174
       Vulnerabilities in OpenSSL affect numerous Symantec products
                              17 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Advanced Secure Gateway
                   Symantec Android Mobile Agent
                   Symantec Director
                   Symantec Malware Analysis
                   Symantec ProxySG
                   Symantec Reporter
                   Symantec Security Analytics
                   Symantec Unified Agent
                   Symantec SSL Visibility
Publisher:         Symantec
Operating System:  Network Appliance
                   Android
                   Windows
                   VMware ESX Server
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3738 CVE-2017-3737

Reference:         ASB-2018.0013
                   ESB-2017.3217
                   ESB-2017.3209
                   ESB-2017.3169
                   ESB-2017.3144.2

Original Bulletin:
   https://www.symantec.com/security-center/network-protection-security-advisories/SA159

- --------------------------BEGIN INCLUDED TEXT--------------------

SA159: OpenSSL Vulnerabilities 7-Dec-2017

Security Advisory ID:  SA159
Published Date:        Jan 16, 2018
Advisory Status:       Interim
Advisory Severity:     Medium
CVSS v2 base score:    4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE Number:
  CVE-2017-3737 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
  CVE-2017-3738 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Symantec Network Protection products using affected versions of OpenSSL are
susceptible to two security vulnerabilities. A remote attacker can obtain
Diffie-Hellman private key information and sensitive information accidentally
transmitted in plaintext over an SSL/TLS connection.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway
  ASG 6.7 is vulnerable to all CVEs.
  ASG 6.6 is not vulnerable.

Android Mobile Agent
  Android Mobile Agent 1.3 is vulnerable to all CVEs.

Director
  Director 6.1 is vulnerable to CVE-2017-3737.

Malware Analysis
  MA 4.2 is vulnerable to CVE-2017-3737.

ProxySG
  ProxySG 6.7 starting with 6.7.2.1 is vulnerable to all CVEs.
  ProxySG 6.5 and 6.6 are not vulnerable.

Reporter
  Reporter 9.5 starting with 9.5.2.1 is vulnerable to all CVEs.
  Reporter 10.1 and 10.2 are not vulnerable.

Security Analytics
  Security Analytics 7.2 and 7.3 are vulnerable to CVE-2017-3737.

Unified Agent
  UA 4.6 starting with 4.6.1 is vulnerable to CVE-2017-3737.
  All UA 4.6 releases are vulnerable to CVE-2017-3738.
  UA 4.7, 4.8, and 4.9 are vulnerable to all CVEs.

The following products have a vulnerable version of OpenSSL, but are not
vulnerable to known vectors of attack:

SSL Visibility
  SSLV 3.8.4FC, 3.10, 3.11, 3.12, 4.0, 4.1, and 4.2 have a vulnerable version
  of OpenSSL.

The following products are not vulnerable:
  AuthConnector
  BCAAA
  Symantec HSM Agent for the Luna SP
  CacheFlow
  Client Connector
  Cloud Data Protection for Salesforce
  Cloud Data Protection for Salesforce Analytics
  Cloud Data Protection for ServiceNow
  Cloud Data Protection for Oracle CRM On Demand
  Cloud Data Protection for Oracle Field Service Cloud
  Cloud Data Protection for Oracle Sales Cloud
  Cloud Data Protection Integration Server
  Cloud Data Protection Communication Server
  Content Analysis
  General Auth Connector Login Application
  IntelligenceCenter
  IntelligenceCenter Data Collector
  K9
  Mail Threat Defense
  Management Center
  Norman Shark Industrial Control System Protection
  PacketShaper
  PacketShaper S-Series
  PolicyCenter
  PolicyCenter S-Series
  ProxyAV
  ProxyAV ConLog and ConLogXP
  ProxyClient
  X-Series XOS

Advisory Details:

This security advisory addresses two security vulnerabilities announced in
OpenSSL Security Advisory [7-Dec-2017]. Symantec Network Protection products
that include a vulnerable version of OpenSSL and make use of the affected
functionality are vulnerable.
CVE-2017-3737 is an incorrect error handling flaw that allows a remote attacker
to obtain sensitive information accidentally transmitted in plaintext over an
SSL/TLS connection.

CVE-2017-3738 is an overflow flaw in the AVX2 Montgomery multiplication
procedure that allows a remote attacker to obtain Diffie-Hellman private key
information.

Symantec Network Protection products that use a native installation of OpenSSL
but do not install or maintain that implementation are not vulnerable to any of
these CVEs. However, the underlying platform or application that installs and
maintains OpenSSL may be vulnerable. Symantec urges our customers to update the
versions of OpenSSL that are natively installed for Client Connector for OS X,
Proxy Client for OS X, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not enable or use all
functionality within OpenSSL. The products listed below do not utilize the
functionality described in the CVEs below and are thus not known to be
vulnerable to them. However, fixes for these CVEs will be included in the
patches that are provided.

  Director: CVE-2017-3738
  Malware Analysis: CVE-2017-3738
  Security Analytics 7.2 and 7.3: CVE-2017-3738
  SSLV: all CVEs

Patches:

Advanced Secure Gateway
  ASG 6.7 - a fix is not available at this time.

Android Mobile Agent
  Android Mobile Agent 1.3 - a fix is not available at this time.

Director
  Director 6.1 - a fix is not available at this time.

Malware Analysis
  MA 4.2 - a fix is not available at this time.

ProxySG
  ProxySG 6.7 - a fix is not available at this time.

Reporter
  Reporter 9.5 - a fix is not available at this time.

Security Analytics
  Security Analytics 7.3 - a fix is not available at this time.
  Security Analytics 7.2 - a fix is not available at this time.

SSL Visibility
  SSLV 4.2 - a fix is not available at this time.
  SSLV 4.1 - a fix will not be provided. Please upgrade to a later release
    with the vulnerability fixes.
  SSLV 4.0 - a fix will not be provided. Please upgrade to a later release
    with the vulnerability fixes.
  SSLV 3.12 - a fix is available in 3.12.2.1.
  SSLV 3.11 - a fix will not be provided. Please upgrade to a later release
    with the vulnerability fixes.
  SSLV 3.10 - a fix will not be provided. Please upgrade to a later release
    with the vulnerability fixes.
  SSLV 3.8.4FC - a fix will not be provided. Please upgrade to a later
    release with the vulnerability fixes.

Unified Agent
  UA 4.9 - a fix is not available at this time.
  UA 4.8 - a fix will not be provided. Please upgrade to a later release with
    the vulnerability fixes.
  UA 4.7 - a fix will not be provided. Please upgrade to a later release with
    the vulnerability fixes.
  UA 4.6 - a fix will not be provided. Please upgrade to a later release with
    the vulnerability fixes.

References:

  OpenSSL Security Advisory [7 Dec 2017]
    https://www.openssl.org/news/secadv/20171207.txt
  CERT Vulnerability Note VU#144389
    https://www.kb.cert.org/vuls/id/144389
  CVE-2017-3737
    https://nvd.nist.gov/vuln/detail/CVE-2017-3737
  CVE-2017-3738
    https://nvd.nist.gov/vuln/detail/CVE-2017-3738

Advisory History:

  2018-01-16 initial public release

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================