ASB-2016.0054.2 - UPDATE [Appliance] Blue coat products: Multiple vulnerabilities 2018-04-10



===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2016.0054.2
  Multiple Blue Coat products are affected by vulnerabilities in OpenSSL
                               10 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Blue coat products
Operating System: Network Appliance
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Access Privileged Data          -- Remote/Unauthenticated
                  Denial of Service               -- Remote/Unauthenticated
                  Provide Misleading Information  -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2016-2176 CVE-2016-2109 CVE-2016-2108
                  CVE-2016-2107 CVE-2016-2106 CVE-2016-2105
                  CVE-2013-0169  
Reference:        ASB-2013.0113
                  ASB-2013.0069
                  ESB-2013.0183
                  ESB-2013.0177
                  ESB-2013.0161

Revision History: April 10 2018: Update from vendor: A fix for Reporter 9.5 is 
                                 available in 9.5.4.1
                  May   10 2016: Initial Release

OVERVIEW

        Multiple Blue Coat products are affected by vulnerabilities in OpenSSL:
        
        "Advanced Secure Gateway
        ASG 6.6 prior to 6.6.5.1 is vulnerable to CVE-2016-2105, CVE-2016-2106,
        CVE-2016-2107 (all supported hardware platforms), CVE-2016-2108, and
        CVE-2016-2109.  ASG 6.7 is not vulnerable.
        
        Android Mobile Agent
        Android Mobile Agent 1.3 prior to 1.3.8 is vulnerable to CVE-2016-2105,
        CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.
        
        BCAAA
        BCAAA 6.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107,
        CVE-2016-2108, CVE-2016-2109, and CVE-2016-2176 when a Novell SSO realm is
        used.
        
        CacheFlow
        CacheFlow 3.4 prior to 3.4.2.7 is vulnerable to CVE-2016-2108 and
        CVE-2016-2109.
        
        Client Connector
        Client Connector 1.6 for Windows is vulnerable to CVE-2016-2105, CVE-2016-2106,
        CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.
        
        Content Analysis System
        CAS 1.2 and 1.3 prior to 1.3.7.1 are vulnerable to CVE-2016-2105,
        CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), CVE-2016-2108,
        and CVE-2016-2109.  CAS 2.1 and later releases are not vulnerable.
        
        Director
        Director 6.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108,
        CVE-2016-2109, and CVE-2016-2176.
        
        Mail Threat Defense
        MTD 1.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (all
        supported hardware platforms), CVE-2016-2108, and CVE-2016-2109.
        
        Malware Analysis Appliance
        MAA 4.2 prior to 4.2.11 is vulnerable to CVE-2016-2105, CVE-2016-2107 (all
        supported hardware platforms) and CVE-2016-2108.
        
        Management Center
        MC 1.5 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and
        CVE-2016-2109.  MC 1.6 and later releases are not vulnerable.
        
        Norman Shark Industrial Control System Protection
        ICSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106,
        CVE-2016-2108, and CVE-2016-2109.  They are also vulnerable to CVE-2016-2107
        when running on an AESNI-capable hardware platform.  See the Advisory Details
        section for more details.
        
        Norman Shark Network Protection
        NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106,
        CVE-2016-2108, and CVE-2016-2109.  They are also vulnerable to CVE-2016-2107
        when running on an AESNI-capable hardware platform.  See the Advisory Details
        section for more details.
        
        Norman Shark SCADA Protection
        NSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106,
        CVE-2016-2108, and CVE-2016-2109.  They are also vulnerable to CVE-2016-2107
        when running on an AESNI-capable hardware platform.  See the Advisory Details
        section for more details.
        
        PacketShaper
        PS 9.2 prior to 9.2.13p2 is vulnerable to CVE-2016-2106 and CVE-2016-2109.  PS
        9.2 prior to 9.2.13p1 is also vulnerable to CVE-2016-2108.
        
        PacketShaper S-Series
        PS S-Series 11.2, 11.3, 11.4, and 11.5 prior to 11.5.3.2 are vulnerable to
        CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), and
        CVE-2016-2108. PS S-Series 11.6, 11.7, 1.8 and 1.9 are not vulnerable.
        
        PolicyCenter
        PC 9.2 prior to 9.2.13p2 is vulnerable to CVE-2016-2106 and CVE-2016-2109.  PC
        9.2 prior to 9.2.13p1 is also vulnerable to CVE-2016-2108.
        
        PolicyCenter S-Series
        PC S-Series 1.1 prior to 1.1.2.2 is vulnerable to CVE-2016-2106, CVE-2016-2107
        (all supported hardware platforms), and CVE-2016-2108.
        
        ProxyAV
        ProxyAV 3.5 prior to 3.5.4.2 is vulnerable to CVE-2016-2105, CVE-2016-2106,
        CVE-2016-2108, CVE-2016-2109, and CVE-2016-2176.
        
        ProxyClient
        ProxyClient 3.4 for Windows is vulnerable to CVE-2016-2105, CVE-2016-2106,
        CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.
        
        ProxySG
        ProxySG 6.5 prior to 6.5.9.8 and 6.6 prior to 6.6.4.1 are vulnerable to
        CVE-2016-2108 and CVE-2016-2109.  They are also vulnerable to CVE-2016-2107
        when running on an AESNI-capable hardware platform.  See the Advisory Details
        section for more details.  ProxySG 6.7 is not vulnerable.
        
        Reporter
        Reporter 9.4, 9.5 prior to 9.5.4.1, and 10.1 prior to 10.1.4.2 are vulnerable
        to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  Reporter
        9.5 and 10.1 are also vulnerable to CVE-2016-2107.
        
        Security Analytics
        Security Analytics 6.6, 7.0, and 7.1 are vulnerable to CVE-2016-2105,
        CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  Security Analytics 6.6 and
        7.1 are also vulnerable to CVE-2016-2107 when running on an AESNI-capable
        hardware platform.  See the Advisory Details section for more details. 
        Security Analytics 7.2 and 7.3 are not vulnerable.
        
        SSL Visibility
        SSLV 3.8, 3.8.4FC prior to 3.8.4FC-55, and 3.9 prior to 3.9.3.6 are vulnerable
        to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  They are
        also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware
        platform.  See the Advisory Details section for more details.  SSLV 3.10 and
        later versions are not vulnerable.
        
        Unified Agent
        UA 4.1 and 4.6 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107,
        and CVE-2016-2109.  UA 4.1 is also vulnerable to CVE-2016-2108.  UA 4.7 is not
        vulnerable.
        
        X-Series XOS
        XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-2105, CVE-2016-2106,
        CVE-2016-2108, and CVE-2016-2109.  They are also vulnerable to CVE-2016-2107
        when running on an AESNI-capable hardware platform.  See the Advisory Details
        section for more details." [1]
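        The affected-version statements above follow a "branch prior to fixed
        release" pattern whose suffixes (9.2.13p2, 6.5.9.10) defeat a plain string
        compare. The checker below is an added example, not part of the bulletin or
        any Blue Coat tooling: it transcribes a few of the statements above into
        rules and reports which of the bulletin's CVEs apply to an inventory entry.
        Product names, versions and CVEs are taken from the bulletin; the hostnames
        in the sample inventory are constructed placeholders.

```python
import re
from typing import Optional

# Affected-version rules transcribed from the bulletin's OVERVIEW section as
# (product, branch, first fixed release or None, CVEs). An empty CVE tuple marks
# a branch the bulletin lists as not vulnerable. For ProxySG, CVE-2016-2107 is
# named only for AESNI-capable hardware; it is included so results err conservative.
RULES = [
    ("ProxySG", "6.5", "6.5.9.8", ("CVE-2016-2107", "CVE-2016-2108", "CVE-2016-2109")),
    ("ProxySG", "6.6", "6.6.4.1", ("CVE-2016-2107", "CVE-2016-2108", "CVE-2016-2109")),
    ("ProxySG", "6.7", None, ()),
    ("PacketShaper", "9.2", "9.2.13p2", ("CVE-2016-2106", "CVE-2016-2109")),
    ("PacketShaper", "9.2", "9.2.13p1", ("CVE-2016-2108",)),
    ("Reporter", "9.4", None, ("CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2108", "CVE-2016-2109")),
    ("Reporter", "9.5", "9.5.4.1", ("CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2107",
                                   "CVE-2016-2108", "CVE-2016-2109")),
]

def version_key(version: str) -> tuple:
    """Split '9.2.13p2' into comparable parts so 9.2.13 < 9.2.13p1 < 9.2.13p2 and
    6.5.9.8 < 6.5.9.10 (a plain string compare gets the last one wrong). Numeric
    parts are tagged 0 and alphabetic parts 1 so mixed parts compare without error."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)

def affected_cves(product: str, version: str) -> Optional[set]:
    """CVEs the bulletin names for this exact product version: an empty set when
    the branch is listed but this release is fixed or not vulnerable, None when
    the bulletin says nothing about the branch."""
    vkey = version_key(version)
    found = None
    for prod, branch, fixed_in, cves in RULES:
        bkey = version_key(branch)
        if prod != product or vkey[:len(bkey)] != bkey:
            continue  # other product, or a release branch this rule does not cover
        found = set() if found is None else found
        if fixed_in is None or vkey < version_key(fixed_in):
            found.update(cves)
    return found

if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [("proxy-a.example", "ProxySG", "6.5.9.7"),
              ("proxy-b.example", "ProxySG", "6.5.9.10"),
              ("shaper-1.example", "PacketShaper", "9.2.13p1"),
              ("rep-1.example", "Reporter", "9.5.4.1")]
    for host, product, version in sample:
        cves = affected_cves(product, version)
        print(host, "not covered" if cves is None else sorted(cves) or "fixed")
```

        Extending RULES to the remaining products is a matter of transcribing the
        rest of the OVERVIEW statements; a None result should be treated as "check
        manually", not as "safe".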


IMPACT

        The vendor has provided the following information about the 
        vulnerability:
        
        "CVE-2016-2105 is a flaw in the Base64 encoding module that allows a
        remote attacker to supply large input data and trigger a heap 
        overflow, resulting in denial of service and possible arbitrary code
        execution.
        
        CVE-2016-2106 is a flaw in the generic symmetric 
        encryption/decryption module that allows a remote attacker to supply
        large input data and trigger a heap overflow, resulting in denial of
        service and possible arbitrary code execution.
        
        CVE-2016-2107 is a flaw introduced as part of the fix for 
        CVE-2013-0169 (Lucky13). A remote man-in-the-middle (MITM) attacker
        can exploit this vulnerability to perform a padding oracle attack 
        and decrypt intercepted TLS traffic when the TLS sessions use AES 
        CBC cipher suites and the server supports AESNI. The CVSS v2 score 
        for CVE-2016-2107 listed in this Security Advisory is published by 
        the National Vulnerability Database (NVD). The effective CVSS v2 
        score may be higher for Blue Coat products if the decrypted plaintext
        contains cookie or password information.
        
        CVE-2016-2108 is a flaw in the ASN.1 encoder that allows a remote 
        attacker to send a crafted X.509 certificate and trigger a buffer 
        underflow on the target if it parses and re-encodes the certificate.
        The attack is also possible if the crafted X.509 certificate is 
        signed using RSA and the target verifies the RSA signature. 
        Exploiting this vulnerability can result in denial of service 
        through memory corruption and possible arbitrary code execution.
        
        CVE-2016-2109 is a flaw in the ASN.1 decoder that allows a remote 
        attacker to send crafted ASN.1 data and trigger excessive memory 
        allocation on the target. This can result in denial of service 
        through memory depletion.
        
        CVE-2016-2176 is an overread flaw in X.509 certificate ASN.1 string
        parsing on EBCDIC systems. A remote attacker can exploit this 
        vulnerability using crafted X.509 certificates to obtain arbitrary 
        data from the target's memory stack." [1]


MITIGATION

        The vendor recommends upgrading to versions unaffected by the 
        vulnerability. [1]


REFERENCES

        [1] SA123: OpenSSL Vulnerabilities 3-May-2016
            https://bto.bluecoat.com/security-advisory/sa123

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
