-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1606.2
  OpenSSL vulnerabilities patched in Symantec Network Protection products
                              30 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Network Protection products
Publisher:         Symantec
Operating System:  Network Appliance
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0739 CVE-2018-0733 

Reference:         ESB-2018.0896

Original Bulletin: 
   https://www.symantec.com/security-center/network-protection-security-advisories/SA166

Revision History:  January 30 2020: Vendor issued further update to original advisory
                   May     28 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

SA166: OpenSSL Vulnerabilities 27-Mar-2018

SYMSA1443
Last Updated January 16, 2020
Initial Publication Date May 22, 2018


  o Status: Open
  o Severity: Medium
  o CVSS Base Score: CVSS v2: 4.3

Summary

Affected Products



The following products are vulnerable:

+----------------------------------------------------------------------+
|                    Advanced Secure Gateway (ASG)                     |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |6.7                |Not available at this time          |
|CVE-2018-0739+-------------------+------------------------------------+
|             |6.6                |Upgrade to later release with fixes.|
+-------------+-------------------+------------------------------------+

+-----------------------------------------------------+
|                      CacheFlow                      |
+-------------+-------------------+-------------------+
|     CVE     |Affected Version(s)|Remediation        |
+-------------+-------------------+-------------------+
|CVE-2018-0739|3.4                |Upgrade to 3.4.2.9.|
+-------------+-------------------+-------------------+

+----------------------------------------------------------------------+
|                        Content Analysis (CA)                         |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |2.3                |Not available at this time          |
|CVE-2018-0739+-------------------+------------------------------------+
|             |2.1, 2.2           |Upgrade to later version with fixes.|
+-------------+-------------------+------------------------------------+

+------------------------------------------------------------+
|                          Director                          |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|6.1                |Not available at this time|
+-------------+-------------------+--------------------------+

+-----------------------------------------------------------------------------+
|                           IntelligenceCenter (IC)                           |
+-------------+-----------------+---------------------------------------------+
|     CVE     |Affected Version |Remediation                                  |
|             |(s)              |                                             |
+-------------+-----------------+---------------------------------------------+
|CVE-2018-0739|3.3              |Upgrade to a version of NetDialog NetX with  |
|             |                 |fixes.                                       |
+-------------+-----------------+---------------------------------------------+

+-----------------------------------------------------------------------------+
|                      IntelligenceCenter Data Collector                      |
+-------------+-----------------+---------------------------------------------+
|     CVE     |Affected Version |Remediation                                  |
|             |(s)              |                                             |
+-------------+-----------------+---------------------------------------------+
|CVE-2018-0739|3.3              |Upgrade to a version of NetDialog NetX with  |
|             |                 |fixes.                                       |
+-------------+-----------------+---------------------------------------------+

+------------------------------------------------------------+
|                 Mail Threat Defense (MTD)                  |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|1.1                |Not available at this time|
+-------------+-------------------+--------------------------+

+----------------------------------------------------+
|               Malware Analysis (MA)                |
+-------------+-------------------+------------------+
|     CVE     |Affected Version(s)|Remediation       |
+-------------+-------------------+------------------+
|CVE-2018-0739|4.2                |Upgrade to 4.2.12.|
+-------------+-------------------+------------------+

+----------------------------------------------------------------------+
|                        Management Center (MC)                        |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |2.2 and later      |Not available at this time          |
|CVE-2018-0739+-------------------+------------------------------------+
|             |1.11 - 2.1         |Upgrade to later version with fixes.|
+-------------+-------------------+------------------------------------+

+-----------------------------------------------------------------------------+
|                              PacketShaper (PS)                              |
+-------------+----------------+----------------------------------------------+
|     CVE     |Affected Version|Remediation                                   |
|             |(s)             |                                              |
+-------------+----------------+----------------------------------------------+
|CVE-2018-0739|9.2             |Upgrade to a version of PacketShaper S-Series |
|             |                |with fixes.                                   |
+-------------+----------------+----------------------------------------------+

+-----------------------------------------------------------------------------+
|                              PolicyCenter (PC)                              |
+-------------+----------------+----------------------------------------------+
|     CVE     |Affected Version|Remediation                                   |
|             |(s)             |                                              |
+-------------+----------------+----------------------------------------------+
|CVE-2018-0739|9.2             |Upgrade to a version of PolicyCenter S-Series |
|             |                |with fixes.                                   |
+-------------+----------------+----------------------------------------------+

+------------------------------------------------------------------------+
|                                ProxyAV                                 |
+-------------+-------------------+--------------------------------------+
|     CVE     |Affected Version(s)|Remediation                           |
+-------------+-------------------+--------------------------------------+
|CVE-2018-0739|3.5                |Upgrade to a version of CA with fixes.|
+-------------+-------------------+--------------------------------------+

+----------------------------------------------------------------------+
|                               ProxySG                                |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |6.7                |Fixed in 6.7.4.4                    |
|             +-------------------+------------------------------------+
|CVE-2018-0739|6.6                |Upgrade to later release with fixes.|
|             +-------------------+------------------------------------+
|             |6.5                |Upgrade to 6.5.10.15.               |
+-------------+-------------------+------------------------------------+

+----------------------------------------------------------------------+
|                               Reporter                               |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |9.5, 10.1, 10.2    |Upgrade to later release with fixes.|
|CVE-2018-0739+-------------------+------------------------------------+
|             |10.3               |Not available at this time          |
+-------------+-------------------+------------------------------------+

+----------------------------------------------------------------------+
|                          Security Analytics                          |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |8.0                |Not available at this time          |
|             +-------------------+------------------------------------+
|             |7.3                |Not available at this time          |
|CVE-2018-0739+-------------------+------------------------------------+
|             |7.2                |Not available at this time          |
|             +-------------------+------------------------------------+
|             |7.1                |Upgrade to later version with fixes.|
+-------------+-------------------+------------------------------------+

+----------------------------------------------------------------------+
|                        SSL Visibility (SSLV)                         |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |4.3 and later      |Not vulnerable, fixed in 4.3.1.1    |
|             +-------------------+------------------------------------+
|             |4.2                |Upgrade to later version with fixes.|
|             +-------------------+------------------------------------+
|CVE-2018-0739|3.12               |Fixed in 3.12.3.1                   |
|             +-------------------+------------------------------------+
|             |3.10               |Not available at this time          |
|             +-------------------+------------------------------------+
|             |3.8.4FC            |Upgrade to later version with fixes.|
+-------------+-------------------+------------------------------------+

+------------------------------------------------------------+
|                        X-Series XOS                        |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|10.0, 11.0         |Not available at this time|
+-------------+-------------------+--------------------------+

The following products have a vulnerable version of OpenSSL, but are not
vulnerable to known vectors of attack:

+-----------------------------------------------------------------------------+
|                                    BCAAA                                    |
+-------------+--------------+------------------------------------------------+
|     CVE     |Affected      |Remediation                                     |
|             |Version(s)    |                                                |
+-------------+--------------+------------------------------------------------+
|             |6.1 (only when|A fix will not be provided. The vulnerable      |
|CVE-2018-0739|Novell SSO    |OpenSSL library is in the Novell SSO SDK and an |
|             |realm is used)|updated Novell SSO SDK is no longer available.  |
|             |              |Please contact Novell for more information.     |
+-------------+--------------+------------------------------------------------+

+-----------------------------------------------------------------------------+
|                              Client Connector                               |
+-------------+----------------+----------------------------------------------+
|     CVE     |Affected Version|Remediation                                   |
|             |(s)             |                                              |
+-------------+----------------+----------------------------------------------+
|CVE-2018-0739|1.6             |Upgrade to latest release of Unified Agent    |
|             |                |with fixes.                                   |
+-------------+----------------+----------------------------------------------+

+------------------------------------------------------------+
|                 PacketShaper (PS) S-Series                 |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|11.6, 11.9, 11.10  |Not available at this time|
+-------------+-------------------+--------------------------+

+------------------------------------------------------------+
|                 PolicyCenter (PC) S-Series                 |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|1.1                |Not available at this time|
+-------------+-------------------+--------------------------+

+-----------------------------------------------------------------------------+
|                                 ProxyClient                                 |
+-------------+----------------+----------------------------------------------+
|     CVE     |Affected Version|Remediation                                   |
|             |(s)             |                                              |
+-------------+----------------+----------------------------------------------+
|CVE-2018-0739|3.4             |Upgrade to latest release of Unified Agent    |
|             |                |with fixes.                                   |
+-------------+----------------+----------------------------------------------+

+----------------------------------------------------------------------+
|                          Unified Agent (UA)                          |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|             |4.10               |Not vulnerable, fixed in 4.10.1.    |
|CVE-2018-0739+-------------------+------------------------------------+
|             |4.6, 4.7, 4.8, 4.9 |Upgrade to later release with fixes.|
+-------------+-------------------+------------------------------------+

+------------------------------------------------------------+
|                      WSS Mobile Agent                      |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2018-0739|2.0                |Not available at this time|
+-------------+-------------------+--------------------------+

Additional Product Information



Symantec Network Protection products that use a native installation of OpenSSL
but do not install or maintain that implementation are not vulnerable to any of
these CVEs. However, the underlying platform or application that installs and
maintains OpenSSL may be vulnerable. Symantec urges our customers to update the
versions of OpenSSL that are natively installed for Client Connector for OS X,
Proxy Client for OS X, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not enable or use all
functionality within OpenSSL. The products listed below do not utilize the
functionality described in the CVEs below and are thus not known to be
vulnerable to them. However, fixes for these CVEs will be included in the
patches that are provided.

  o BCAAA: CVE-2018-0739
  o Client Connector: CVE-2018-0739
  o PS S-Series: CVE-2018-0739
  o PC S-Series: CVE-2018-0739
  o ProxyClient: CVE-2018-0739
  o UA: CVE-2018-0739
  o WSS Mobile Agent: CVE-2018-0739

The following products are not vulnerable:
AuthConnector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
HSM Agent for the Luna SP
K9
ProxyAV ConLog and ConLogXP
Web Isolation

The following products are under investigation:
Norman Shark Industrial Control System Protection

Issues


+-----------------------------------------------------------------------------+
|                                CVE-2018-0733                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 103517 / NVD: CVE-2018-0733                   |
+-----------+-----------------------------------------------------------------+
|  Impact   |Message forgery                                                  |
+-----------+-----------------------------------------------------------------+
|           |A computational flaw in the PA-RISC cryptographic functionality  |
|Description|allows attackers to forge cryptographic messages via unspecified |
|           |vectors.                                                         |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                                CVE-2018-0739                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 103518 / NVD: CVE-2018-0739                   |
+-----------+-----------------------------------------------------------------+
|  Impact   |Denial of service                                                |
+-----------+-----------------------------------------------------------------+
|           |A flaw in the ASN.1 module allows remote attackers to send       |
|Description|crafted ASN.1 data and cause denial of service through stack     |
|           |exhaustion.                                                      |
+-----------+-----------------------------------------------------------------+

Mitigation



CVE-2018-0739 can be remediated in SSLV by converting certificates and CRLs
from PKCS#7 to a different format before importing them.
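
The conversion described in the mitigation above, as an added example that is not part of Symantec's advisory: a POSIX shell helper that unpacks a PKCS#7 bundle into plain PEM certificate and CRL blocks with the openssl CLI. File names and the throwaway certificate are constructed; run it on a host whose own OpenSSL already carries the fix, since this step parses the PKCS#7 itself.

```shell
#!/bin/sh
# Added example, not from the advisory. Requires the openssl CLI.

# p7_to_pem SRC DST
# Write every certificate and CRL contained in the PKCS#7 file SRC to DST
# as bare PEM blocks. SRC may be PEM- or DER-encoded. Returns non-zero if
# nothing could be extracted.
p7_to_pem() {
    src=$1 dst=$2
    if grep -q -e '-----BEGIN ' "$src" 2>/dev/null; then
        form=PEM
    else
        form=DER
    fi
    # -print_certs emits subject/issuer lines (and a text dump for CRLs)
    # ahead of each PEM block; awk keeps only the PEM blocks themselves.
    openssl pkcs7 -inform "$form" -in "$src" -print_certs 2>/dev/null |
        awk '/^-----BEGIN /{keep=1} keep{print} /^-----END /{keep=0}' > "$dst"
    grep -q '^-----BEGIN ' "$dst"
}

# pem_count FILE LABEL: number of PEM blocks of type LABEL in FILE.
pem_count() { grep -c -e "^-----BEGIN $2-----" "$1" || true; }

# same_cert A B: true if the first certificate in A and in B are identical.
same_cert() {
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# make_sample_p7 DIR: build a constructed self-signed certificate and wrap
# it in a DER PKCS#7 bundle (DIR/bundle.p7b) to try the conversion offline.
make_sample_p7() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed-example-ca' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$1/ca.pem" \
        -outform DER -out "$1/bundle.p7b"
}

if [ "$#" -eq 2 ]; then
    # Real use: sh p7_to_pem.sh bundle.p7b import.pem
    p7_to_pem "$1" "$2"
elif [ "$#" -eq 0 ]; then
    # No arguments: run against the constructed sample.
    work=$(mktemp -d) && make_sample_p7 "$work" &&
        p7_to_pem "$work/bundle.p7b" "$work/import.pem" &&
        same_cert "$work/ca.pem" "$work/import.pem" &&
        echo "certificates: $(pem_count "$work/import.pem" CERTIFICATE)"
    rm -rf "$work"
fi
```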

References



OpenSSL Security Advisory [27 Mar 2018] - https://www.openssl.org/news/secadv/20180327.txt

Revisions



2020-01-15 A fix for ProxyAV will not be provided. Please upgrade to a version
of CA with the vulnerability fixes.
2019-10-10 A fix for PacketShaper 9.2 will not be provided. Please upgrade to a
version of PacketShaper S-Series with the vulnerability fixes. A fix for
PolicyCenter 9.2 will not be provided. Please upgrade to a version of
PolicyCenter S-Series with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later
version with the vulnerability fixes.
2019-08-22 A fix for IntelligenceCenter (IC) 3.3 and IntelligenceCenter Data
Collector (DC) 3.3 will not be provided. NetDialog NetX is a replacement
product for IntelligenceCenter. Please switch to a version of NetX with the
vulnerability fixes.
2019-08-12 MC 2.2 and MC 2.3 are vulnerable to CVE-2018-0739. A fix for MC 2.0
will not be provided. Please upgrade to a later version with the vulnerability
fixes.
2019-08-09 A fix for ProxySG 6.5 is available in 6.5.10.15.
2019-08-07 A fix for ASG 6.6 and ProxySG 6.6 will not be provided. Please
upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 9.5, 10.1 and 10.2 will not be provided. Please
upgrade to a later version with the vulnerability fixes.
2019-05-28 A fix for ProxySG 6.7 is available in 6.7.4.4.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later
version with the vulnerability fixes.
2019-01-21 Security Analytics 8.0 is vulnerable to CVE-2018-0739.
2019-01-18 A fix for SSLV 3.8.4FC and 4.2 will not be provided. Please upgrade
to a later version with the vulnerability fixes.
2019-01-14 MC 2.1 and Reporter 10.3 are vulnerable to CVE-2018-0739. A fix for
MC 1.11 will not be provided. Please upgrade to a later version with the
vulnerability fixes.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please
upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later
version with the vulnerability fixes.
2018-08-16 A fix for SSLV 3.12 is available in 3.12.3.1.
2018-07-27 UA 4.10 is not vulnerable because a fix is available in 4.10.1. A
fix for MA 4.2 is available in 4.2.12.
2018-07-26 A fix for CacheFlow is available in 3.4.2.9. MC 2.0 is vulnerable to
CVE-2018-0739.
2018-07-01 A fix for SSLV 4.3 is available in 4.3.1.1.
2018-05-22 initial public release

Legacy ID: SA166

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----