===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0174
       Vulnerabilities in OpenSSL affect numerous Symantec products
                              17 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Advanced Secure Gateway
                   Symantec Android Mobile Agent
                   Symantec Director
                   Symantec Malware Analysis
                   Symantec ProxySG
                   Symantec Reporter
                   Symantec Security Analytics
                   Symantec Unified Agent
                   Symantec SSL Visibility
Publisher:         Symantec
Operating System:  Network Appliance
                   Android
                   Windows
                   VMware ESX Server
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3738 CVE-2017-3737 

Reference:         ASB-2018.0013
                   ESB-2017.3217
                   ESB-2017.3209
                   ESB-2017.3169
                   ESB-2017.3144.2

Original Bulletin: 
   https://www.symantec.com/security-center/network-protection-security-advisories/SA159

--------------------------BEGIN INCLUDED TEXT--------------------

SA159: OpenSSL Vulnerabilities 7-Dec-2017

Security Advisory ID:

SA159

Published Date:

Jan 16, 2018

Advisory Status:

Interim

Advisory Severity:

Medium

CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE Number:

CVE-2017-3737 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2017-3738 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Symantec Network Protection products using affected versions of OpenSSL are 
susceptible to two security vulnerabilities. A remote attacker can obtain 
Diffie-Hellman private key information and sensitive information accidentally
transmitted in plaintext over an SSL/TLS connection.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway

ASG 6.7 is vulnerable to all CVEs. ASG 6.6 is not vulnerable.

Android Mobile Agent

Android Mobile Agent 1.3 is vulnerable to all CVEs.

Director

Director 6.1 is vulnerable to CVE-2017-3737.

Malware Analysis

MA 4.2 is vulnerable to CVE-2017-3737.

ProxySG

ProxySG 6.7 starting with 6.7.2.1 is vulnerable to all CVEs. ProxySG 6.5 and 
6.6 are not vulnerable.

Reporter

Reporter 9.5 starting with 9.5.2.1 is vulnerable to all CVEs. Reporter 10.1 
and 10.2 are not vulnerable.

Security Analytics

Security Analytics 7.2 and 7.3 are vulnerable to CVE-2017-3737.

Unified Agent

UA 4.6 starting with 4.6.1 is vulnerable to CVE-2017-3737. All UA 4.6 releases
are vulnerable to CVE-2017-3738. UA 4.7, 4.8, and 4.9 are vulnerable to all 
CVEs.

The following products have a vulnerable version of OpenSSL, but are not 
vulnerable to known vectors of attack:

SSL Visibility

SSLV 3.8.4FC, 3.10, 3.11, 3.12, 4.0, 4.1, and 4.2 have a vulnerable version of
OpenSSL.

The following products are not vulnerable:

AuthConnector

BCAAA

Symantec HSM Agent for the Luna SP

CacheFlow

Client Connector

Cloud Data Protection for Salesforce

Cloud Data Protection for Salesforce Analytics

Cloud Data Protection for ServiceNow

Cloud Data Protection for Oracle CRM On Demand

Cloud Data Protection for Oracle Field Service Cloud

Cloud Data Protection for Oracle Sales Cloud

Cloud Data Protection Integration Server

Cloud Data Protection Communication Server

Content Analysis

General Auth Connector Login Application

IntelligenceCenter

IntelligenceCenter Data Collector

K9

Mail Threat Defense

Management Center

Norman Shark Industrial Control System Protection

PacketShaper

PacketShaper S-Series

PolicyCenter

PolicyCenter S-Series

ProxyAV

ProxyAV ConLog and ConLogXP

ProxyClient

X-Series XOS

Advisory Details:

This security advisory addresses two security vulnerabilities announced in 
OpenSSL Security Advisory [7-Dec-2017]. Symantec Network Protection products 
that include a vulnerable version of OpenSSL and make use of the affected 
functionality are vulnerable.

CVE-2017-3737 is an incorrect error handling flaw that allows a remote 
attacker to obtain sensitive information accidentally transmitted in plaintext
over an SSL/TLS connection.

CVE-2017-3738 is an overflow flaw in the AVX2 Montgomery multiplication 
procedure that allows a remote attacker to obtain Diffie-Hellman private key 
information.

Symantec Network Protection products that use a native installation of OpenSSL
but do not install or maintain that implementation are not vulnerable to any 
of these CVEs. However, the underlying platform or application that installs 
and maintains OpenSSL may be vulnerable. Symantec urges our customers to 
update the versions of OpenSSL that are natively installed for Client 
Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not enable or use all 
functionality within OpenSSL. The products listed below do not utilize the 
functionality described in the CVEs below and are thus not known to be 
vulnerable to them. However, fixes for these CVEs will be included in the 
patches that are provided.

Director: CVE-2017-3738

Malware Analysis: CVE-2017-3738

Security Analytics 7.2 and 7.3: CVE-2017-3738

SSLV: all CVEs

Patches:

Advanced Secure Gateway

ASG 6.7 - a fix is not available at this time.

Android Mobile Agent

Android Mobile Agent 1.3 - a fix is not available at this time.

Director

Director 6.1 - a fix is not available at this time.

Malware Analysis

MA 4.2 - a fix is not available at this time.

ProxySG

ProxySG 6.7 - a fix is not available at this time.

Reporter

Reporter 9.5 - a fix is not available at this time.

Security Analytics

Security Analytics 7.3 - a fix is not available at this time.

Security Analytics 7.2 - a fix is not available at this time.

SSL Visibility

SSLV 4.2 - a fix is not available at this time.

SSLV 4.1 - a fix will not be provided. Please upgrade to a later release with
the vulnerability fixes.

SSLV 4.0 - a fix will not be provided. Please upgrade to a later release with
the vulnerability fixes.

SSLV 3.12 - a fix is available in 3.12.2.1.

SSLV 3.11 - a fix will not be provided. Please upgrade to a later release with
the vulnerability fixes.

SSLV 3.10 - a fix will not be provided. Please upgrade to a later release with
the vulnerability fixes.

SSLV 3.8.4FC - a fix will not be provided. Please upgrade to a later release 
with the vulnerability fixes.

Unified Agent

UA 4.9 - a fix is not available at this time.

UA 4.8 - a fix will not be provided. Please upgrade to a later release with 
the vulnerability fixes.

UA 4.7 - a fix will not be provided. Please upgrade to a later release with 
the vulnerability fixes.

UA 4.6 - a fix will not be provided. Please upgrade to a later release with 
the vulnerability fixes.

References:

OpenSSL Security Advisory [7 Dec 2017] - 
https://www.openssl.org/news/secadv/20171207.txt

CERT Vulnerability Note VU#144389 - https://www.kb.cert.org/vuls/id/144389

CVE-2017-3737 - https://nvd.nist.gov/vuln/detail/CVE-2017-3737

CVE-2017-3738 - https://nvd.nist.gov/vuln/detail/CVE-2017-3738

Advisory History:

2018-01-16 initial public release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================