-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1606.2
  OpenSSL vulnerabilities patched in Symantec Network Protection products
                              30 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Network Protection products
Publisher:         Symantec
Operating System:  Network Appliance
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0739 CVE-2018-0733

Reference:         ESB-2018.0896

Original Bulletin:
   https://www.symantec.com/security-center/network-protection-security-advisories/SA166

Revision History:  January 30 2020: Vendor issued further update to original advisory
                   May     28 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

SA166: OpenSSL Vulnerabilities 27-Mar-2018

SYMSA1443

Last Updated January 16, 2020
Initial Publication Date May 22, 2018

  o Status: Open
  o Severity: Medium
  o CVSS Base Score: CVSS v2: 4.3

Summary

Affected Products

The following products are vulnerable:

+----------------------------------------------------------------------+
|                    Advanced Secure Gateway (ASG)                     |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |6.7                |Not available at this time          |
|CVE-2018-0739+-------------------+------------------------------------+
|             |6.6                |Upgrade to later release with fixes.|
+-------------+-------------------+------------------------------------+

+-----------------------------------------------------+
|                      CacheFlow                      |
+-------------+-------------------+-------------------+
|     CVE     |Affected Version(s)|Remediation        |
+-------------+-------------------+-------------------+
|CVE-2018-0739|3.4                |Upgrade to 3.4.2.9.|
+-------------+-------------------+-------------------+

+----------------------------------------------------------------------+
|                        Content Analysis (CA)                         |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |2.3                |Not available at this time          |
|CVE-2018-0739+-------------------+------------------------------------+
|             |2.1, 2.2           |Upgrade to later version with fixes.|
+-------------+-------------------+------------------------------------+

+------------------------------------------------------------+
|                          Director                          |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|6.1                |Not available at this time|
+-------------+-------------------+--------------------------+

+-----------------------------------------------------------------------------+
|                           IntelligenceCenter (IC)                           |
+-------------+-----------------+---------------------------------------------+
|     CVE     |Affected Version |Remediation                                  |
|             |(s)              |                                             |
+-------------+-----------------+---------------------------------------------+
|CVE-2018-0739|3.3              |Upgrade to a version of NetDialog NetX with  |
|             |                 |fixes.                                       |
+-------------+-----------------+---------------------------------------------+

+-----------------------------------------------------------------------------+
|                      IntelligenceCenter Data Collector                      |
+-------------+-----------------+---------------------------------------------+
|     CVE     |Affected Version |Remediation                                  |
|             |(s)              |                                             |
+-------------+-----------------+---------------------------------------------+
|CVE-2018-0739|3.3              |Upgrade to a version of NetDialog NetX with  |
|             |                 |fixes.                                       |
+-------------+-----------------+---------------------------------------------+

+------------------------------------------------------------+
|                 Mail Threat Defense (MTD)                  |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|1.1                |Not available at this time|
+-------------+-------------------+--------------------------+

+----------------------------------------------------+
|               Malware Analysis (MA)                |
+-------------+-------------------+------------------+
|     CVE     |Affected Version(s)|Remediation       |
+-------------+-------------------+------------------+
|CVE-2018-0739|4.2                |Upgrade to 4.2.12.|
+-------------+-------------------+------------------+

+----------------------------------------------------------------------+
|                        Management Center (MC)                        |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |2.2 and later      |Not available at this time          |
|CVE-2018-0739+-------------------+------------------------------------+
|             |1.11 - 2.1         |Upgrade to later version with fixes.|
+-------------+-------------------+------------------------------------+

+-----------------------------------------------------------------------------+
|                              PacketShaper (PS)                              |
+-------------+----------------+----------------------------------------------+
|     CVE     |Affected Version|Remediation                                   |
|             |(s)             |                                              |
+-------------+----------------+----------------------------------------------+
|CVE-2018-0739|9.2             |Upgrade to a version of PacketShaper S-Series |
|             |                |with fixes.                                   |
+-------------+----------------+----------------------------------------------+

+-----------------------------------------------------------------------------+
|                              PolicyCenter (PC)                              |
+-------------+----------------+----------------------------------------------+
|     CVE     |Affected Version|Remediation                                   |
|             |(s)             |                                              |
+-------------+----------------+----------------------------------------------+
|CVE-2018-0739|9.2             |Upgrade to a version of PolicyCenter S-Series |
|             |                |with fixes.                                   |
+-------------+----------------+----------------------------------------------+

+------------------------------------------------------------------------+
|                                ProxyAV                                 |
+-------------+-------------------+--------------------------------------+
|     CVE     |Affected Version(s)|Remediation                           |
+-------------+-------------------+--------------------------------------+
|CVE-2018-0739|3.5                |Upgrade to a version of CA with fixes.|
+-------------+-------------------+--------------------------------------+

+----------------------------------------------------------------------+
|                               ProxySG                                |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |6.7                |Fixed in 6.7.4.4                    |
|             +-------------------+------------------------------------+
|CVE-2018-0739|6.6                |Upgrade to later release with fixes.|
|             +-------------------+------------------------------------+
|             |6.5                |Upgrade to 6.5.10.15.               |
+-------------+-------------------+------------------------------------+

+----------------------------------------------------------------------+
|                               Reporter                               |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |9.5, 10.1, 10.2    |Upgrade to later release with fixes.|
|CVE-2018-0739+-------------------+------------------------------------+
|             |10.3               |Not available at this time          |
+-------------+-------------------+------------------------------------+

+----------------------------------------------------------------------+
|                          Security Analytics                          |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |8.0                |Not available at this time          |
|             +-------------------+------------------------------------+
|             |7.3                |Not available at this time          |
|CVE-2018-0739+-------------------+------------------------------------+
|             |7.2                |Not available at this time          |
|             +-------------------+------------------------------------+
|             |7.1                |Upgrade to later version with fixes.|
+-------------+-------------------+------------------------------------+

+----------------------------------------------------------------------+
|                        SSL Visibility (SSLV)                         |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |4.3 and later      |Not vulnerable, fixed in 4.3.1.1    |
|             +-------------------+------------------------------------+
|             |4.2                |Upgrade to later version with fixes.|
|             +-------------------+------------------------------------+
|CVE-2018-0739|3.12               |Fixed in 3.12.3.1                   |
|             +-------------------+------------------------------------+
|             |3.10               |Not available at this time          |
|             +-------------------+------------------------------------+
|             |3.8.4FC            |Upgrade to later version with fixes.|
+-------------+-------------------+------------------------------------+

+------------------------------------------------------------+
|                        X-Series XOS                        |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|10.0, 11.0         |Not available at this time|
+-------------+-------------------+--------------------------+

The following products have a vulnerable version of OpenSSL, but are not
vulnerable to known vectors of attack:

+-----------------------------------------------------------------------------+
|                                    BCAAA                                    |
+-------------+--------------+------------------------------------------------+
|     CVE     |Affected      |Remediation                                     |
|             |Version(s)    |                                                |
+-------------+--------------+------------------------------------------------+
|             |6.1 (only when|A fix will not be provided. The vulnerable      |
|CVE-2018-0739|Novell SSO    |OpenSSL library is in the Novell SSO SDK and an |
|             |realm is used)|updated Novell SSO SDK is no longer available.  |
|             |              |Please contact Novell for more information.     |
+-------------+--------------+------------------------------------------------+

+-----------------------------------------------------------------------------+
|                              Client Connector                               |
+-------------+----------------+----------------------------------------------+
|     CVE     |Affected Version|Remediation                                   |
|             |(s)             |                                              |
+-------------+----------------+----------------------------------------------+
|CVE-2018-0739|1.6             |Upgrade to latest release of Unified Agent    |
|             |                |with fixes.                                   |
+-------------+----------------+----------------------------------------------+

+------------------------------------------------------------+
|                 PacketShaper (PS) S-Series                 |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|11.6, 11.9, 11.10  |Not available at this time|
+-------------+-------------------+--------------------------+

+------------------------------------------------------------+
|                 PolicyCenter (PC) S-Series                 |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|1.1                |Not available at this time|
+-------------+-------------------+--------------------------+

+-----------------------------------------------------------------------------+
|                                 ProxyClient                                 |
+-------------+----------------+----------------------------------------------+
|     CVE     |Affected Version|Remediation                                   |
|             |(s)             |                                              |
+-------------+----------------+----------------------------------------------+
|CVE-2018-0739|3.4             |Upgrade to latest release of Unified Agent    |
|             |                |with fixes.                                   |
+-------------+----------------+----------------------------------------------+

+----------------------------------------------------------------------+
|                          Unified Agent (UA)                          |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |4.10               |Not vulnerable, fixed in 4.10.1.    |
|CVE-2018-0739+-------------------+------------------------------------+
|             |4.6, 4.7, 4.8, 4.9 |Upgrade to later release with fixes.|
+-------------+-------------------+------------------------------------+

+------------------------------------------------------------+
|                      WSS Mobile Agent                      |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|2.0                |Not available at this time|
+-------------+-------------------+--------------------------+

Additional Product Information

Symantec Network Protection products that use a native installation of
OpenSSL but do not install or maintain that implementation are not vulnerable
to any of these CVEs. However, the underlying platform or application that
installs and maintains OpenSSL may be vulnerable. Symantec urges our customers
to update the versions of OpenSSL that are natively installed for Client
Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not enable or use all
functionality within OpenSSL. The products listed below do not utilize the
functionality described in the CVEs below and are thus not known to be
vulnerable to them. However, fixes for these CVEs will be included in the
patches that are provided.

  o BCAAA: CVE-2018-0739
  o Client Connector: CVE-2018-0739
  o PS S-Series: CVE-2018-0739
  o PC S-Series: CVE-2018-0739
  o ProxyClient: CVE-2018-0739
  o UA: CVE-2018-0739
  o WSS Mobile Agent: CVE-2018-0739

The following products are not vulnerable:

AuthConnector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
HSM Agent for the Luna SP
K9
ProxyAV ConLog and ConLogXP
Web Isolation

The following products are under investigation:

Norman Shark Industrial Control System Protection

Issues

+-----------------------------------------------------------------------------+
|                                CVE-2018-0733                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 103517 / NVD: CVE-2018-0733                   |
+-----------+-----------------------------------------------------------------+
|  Impact   |Message forgery                                                  |
+-----------+-----------------------------------------------------------------+
|           |A computational flaw in the PA-RISC cryptographic functionality  |
|Description|allows attackers to forge cryptographic messages via unspecified |
|           |vectors.                                                         |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                                CVE-2018-0739                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 103518 / NVD: CVE-2018-0739                   |
+-----------+-----------------------------------------------------------------+
|  Impact   |Denial of service                                                |
+-----------+-----------------------------------------------------------------+
|           |A flaw in the ASN.1 module allows remote attackers to send       |
|Description|crafted ASN.1 data and cause denial of service through stack     |
|           |exhaustion.                                                      |
+-----------+-----------------------------------------------------------------+

Mitigation

CVE-2018-0739 can be remediated in SSLV by converting certificates and CRLs
from PKCS#7 to a different format before importing them.

References

OpenSSL Security Advisory [27 Mar 2018] -
https://www.openssl.org/news/secadv/20180327.txt

Revisions

2020-01-15 A fix for ProxyAV will not be provided. Please upgrade to a version
           of CA with the vulnerability fixes.
2019-10-10 A fix for PacketShaper 9.2 will not be provided. Please upgrade to
           a version of PacketShaper S-Series with the vulnerability fixes. A
           fix for PolicyCenter 9.2 will not be provided. Please upgrade to a
           version of PolicyCenter S-Series with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later
           version with the vulnerability fixes.
2019-08-22 A fix for IntelligenceCenter (IC) 3.3 and IntelligenceCenter Data
           Collector (DC) 3.3 will not be provided. NetDialog NetX is a
           replacement product for IntelligenceCenter. Please switch to a
           version of NetX with the vulnerability fixes.
2019-08-12 MC 2.2 and MC 2.3 are vulnerable to CVE-2018-0739. A fix for MC 2.0
           will not be provided. Please upgrade to a later version with the
           vulnerability fixes.
2019-08-09 A fix for ProxySG 6.5 is available in 6.5.10.15.
2019-08-07 A fix for ASG 6.6 and ProxySG 6.6 will not be provided. Please
           upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 9.5, 10.1 and 10.2 will not be provided. Please
           upgrade to a later version with the vulnerability fixes.
2019-05-28 A fix for ProxySG 6.7 is available in 6.7.4.4.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later
           version with the vulnerability fixes.
2019-01-21 Security Analytics 8.0 is vulnerable to CVE-2018-0739.
2019-01-18 A fix for SSLV 3.8.4FC and 4.2 will not be provided. Please upgrade
           to a later version with the vulnerability fixes.
2019-01-14 MC 2.1 and Reporter 10.3 are vulnerable to CVE-2018-0739. A fix for
           MC 1.11 will not be provided. Please upgrade to a later version
           with the vulnerability fixes.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please
           upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later
           version with the vulnerability fixes.
2018-08-16 A fix for SSLV 3.12 is available in 3.12.3.1.
2018-07-27 UA 4.10 is not vulnerable because a fix is available in 4.10.1. A
           fix for MA 4.2 is available in 4.2.12.
2018-07-26 A fix for CacheFlow is available in 3.4.2.9. MC 2.0 is vulnerable
           to CVE-2018-0739.
2018-07-01 A fix for SSLV 4.3 is available in 4.3.1.1.
2018-05-22 initial public release

Legacy ID: SA166

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
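
The Mitigation section of the advisory says CVE-2018-0739 can be remediated in SSLV by converting certificates and CRLs from PKCS#7 to a different format before importing them. One way to do that conversion with the OpenSSL command line, as an added example that is not part of the Symantec or AusCERT text; the function and file names are hypothetical, and it is assumed the conversion runs on a separate host whose OpenSSL already contains the fix for this CVE.

```shell
#!/bin/sh
# Added example: convert a PKCS#7 bundle (.p7b/.p7c) into plain PEM blocks
# so that only PEM certificates and CRLs are imported into the appliance.
# Assumption: run on a host with a fixed OpenSSL, because this step itself
# parses the PKCS#7 structure. Function and file names are hypothetical.

# is_pem FILE: succeeds when FILE is PEM-armoured PKCS#7 rather than DER.
is_pem() {
    grep -q -- '-----BEGIN PKCS7-----' "$1"
}

# count_pem FILE LABEL: print the number of PEM blocks of type LABEL,
# e.g. CERTIFICATE or 'X509 CRL'. Prints 0 when there are none.
count_pem() {
    grep -c -- "-----BEGIN $2-----" "$1" || true
}

# p7_to_pem IN OUT: write every certificate and CRL carried in the PKCS#7
# file IN to OUT as individual PEM blocks. Fails if nothing was extracted.
p7_to_pem() {
    in=$1
    out=$2
    if is_pem "$in"; then form=PEM; else form=DER; fi
    # -print_certs emits the certificates and CRLs held in the structure,
    # each preceded by subject/issuer text; awk keeps only the PEM blocks.
    openssl pkcs7 -inform "$form" -in "$in" -print_certs 2>/dev/null |
        awk '/^-----BEGIN /{p=1} p{print} /^-----END /{p=0}' > "$out"
    # An unparsable or empty input leaves OUT empty: report failure.
    [ -s "$out" ]
}

# Optional command-line use: sh p7_to_pem.sh bundle.p7b bundle.pem
if [ "$#" -eq 2 ]; then
    p7_to_pem "$1" "$2" &&
        echo "certificates: $(count_pem "$2" CERTIFICATE)," \
             "CRLs: $(count_pem "$2" 'X509 CRL')"
fi
```

Compare the printed counts with what the issuing CA says the bundle contains before importing the PEM output.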