ESB-2016.2946.2 - UPDATE [Appliance] OpenSSH: Multiple vulnerabilities 2018-04-10

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2016.2946.2
                      SA136: OpenSSH Vulnerabilities
                               10 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          OpenSSH
Publisher:        Blue Coat
Operating System: Network Appliance
Impact/Access:    Denial of Service -- Console/Physical      
                  Reduced Security  -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2016-8858 CVE-2016-6515 CVE-2016-6210

Reference:        ESB-2016.2583
                  ESB-2016.2453
                  ESB-2016.1804

Revision History: April 10 2018: Update from vendor: A fix for CVE-2016-6210 
                                 and CVE-2016-6515 in SSLV 3.9 is available 
                                 in 3.9.6.1
                  December 14 2016: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

SA136 : OpenSSH Vulnerabilities

Security Advisory ID: SA136

Published Date: Dec 13, 2016

Advisory Status: Interim

Advisory Severity: High

CVSS v2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVE Number: 
CVE-2016-6210 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2016-6515 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2016-8858 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Blue Coat products using affected versions of OpenSSH are susceptible to
several vulnerabilities.  A remote attacker, with access to the management
interface, can exploit these vulnerabilities to enumerate existing user
accounts and cause denial of service through excessive CPU consumption and
memory exhaustion.

Affected Products:

The following products are vulnerable:

ASG
ASG 6.6 prior to 6.6.5.4 is vulnerable to CVE-2016-8858.  ASG 6.7 is not
vulnerable.

CacheFlow
CacheFlow 3.4 prior to 3.4.2.8 is vulnerable to CVE-2016-8858.

Director
Director 6.1 prior to 6.1.23.1 is vulnerable to CVE-2016-6515.  Director
6.1.22.1 only is also vulnerable to CVE-2016-6210 and CVE-2016-8858.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.10 is vulnerable to CVE-2016-6210 and CVE-2016-6515.  MAA
4.2 is also vulnerable to CVE-2016-8858.

Norman Shark Industrial Control System Protection
ICSP 5.3 is vulnerable to all CVEs.

Norman Shark Network Protection
NNP 5.3 is vulnerable to all CVEs.

Norman Shark SCADA Protection
NSP 5.3 is vulnerable to all CVEs.

PacketShaper
PS 9.2 is vulnerable to CVE-2016-8858.  The denial of service attack only
affects other SSH management connections.

ProxySG
ProxySG 6.5 prior to 6.5.10.1 and 6.6 prior to 6.6.5.4 are vulnerable to
CVE-2016-8858.  ProxySG 6.7 is not vulnerable.

SSL Visibility
SSLV 3.8.4FC, 3.9, 3.10 prior to 3.10.3.1, and 3.11 prior to 3.11.2.1 are
vulnerable to CVE-2016-8858.  SSLV 3.8.4FC and 3.9 prior to 3.9.6.1 are
vulnerable to CVE-2016-6210 and CVE-2016-6515.  SSLV 3.12 is not vulnerable. 
SSLV 4.0 and later versions are not vulnerable.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-6210 and CVE-2016-6515. 
Only the APM software in XOS 11.0 is vulnerable.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
Security Analytics
Unified Agent

Blue Coat no longer provides vulnerability information for the following
products:

DLP
Please, contact Digital Guardian technical support regarding vulnerability
information for DLP.

Advisory Details: 

This Security Advisory addresses several OpenSSH vulnerabilities announced in
July, August, and October 2016.  Blue Coat products that include a vulnerable
version of OpenSSH and make use of the affected functionality are vulnerable.

  o CVE-2016-6210 exploits a timing difference between password authentication
    of existing and non-existing user accounts.  A remote attacker can make
    authentication attempts with large passwords to enumerate the existing user
    accounts on the target system.
  o CVE-2016-6515 is an insufficient input validation flaw in password
    authentication.  A remote attacker can send a long password string and
    cause excessive CPU consumption, resulting in denial of service.
  o CVE-2016-8858 is a flaw in message handling.  A remote attacker can
    repeatedly send the KEXINIT SSH message to cause memory exhaustion,
    resulting in denial of service.

Blue Coat products do not enable or use all functionality within OpenSSH.  The
products listed below do not utilize the functionality described in the CVEs
below and are thus not known to be vulnerable to them.  However, fixes for
these CVEs will be included in the patches that are provided.

  o PacketShaper: CVE-2016-6210 and CVE-2016-6515

Workarounds: 

These vulnerabilities can be exploited only through the management interfaces
for all vulnerable products.  Allowing only machines, IP addresses and subnets
from a trusted network to access the management interface reduces the threat of
exploiting the vulnerabilities.

Patches: 

ASG
ASG 6.7 - a fix is available in 6.7.2.1.
ASG 6.6 - a fix is available in 6.6.5.4.

CacheFlow
CacheFlow 3.4 - a fix is available in 3.4.2.8.

Director
Director 6.1 - a fix is available in 6.1.23.1.

Malware Analysis Appliance
MAA 4.2 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in 4.2.10.  A
fix for CVE-2016-8858 is not available at this time.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is not available at this time.

Norman Shark Network Protection
NNP 5.3 - a fix is not available at this time.

Norman Shark SCADA Protection
NSP 5.3 - a fix is not available at this time.

PacketShaper
PS 9.2 - a fix is not available at this time.

ProxySG
ProxySG 6.7 - a fix is available in 6.7.1.1.
ProxySG 6.6 - a fix is available in 6.6.5.4.
ProxySG 6.5 - a fix is available in 6.5.10.1.

SSL Visibility
SSLV 3.12 - a fix is available in 3.12.1.1.
SSLV 3.11 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in
3.11.1.1.  SSLV 3.11.2.1 remediates CVE-2016-8858 by restricting the concurrent
unauthenticated incoming SSH connections.
SSLV 3.10 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in
3.10.1.1.  A fix for CVE-2016-8858 is available in 3.10.3.1.
SSLV 3.9 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in 3.9.6.1. 
A fix for CVE-2016-8858 will not be provided.  Please upgrade to a later
version with the vulnerability fixes.
SSLV 3.8.4FC - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

References: 

CVE-2016-6210 - https://web.nvd.nist.gov/view/vuln/detail-vulnId=CVE-2016-6210
CVE-2016-6515 - https://web.nvd.nist.gov/view/vuln/detail-vulnId=CVE-2016-6515
CVE-2016-8858 - https://web.nvd.nist.gov/view/vuln/detail-vulnId=CVE-2016-8858

Advisory History: 

2018-04-06 A fix for CVE-2016-6210 and CVE-2016-6515 in SSLV 3.9 is available
in 3.9.6.1
2017-11-16 A fix for SSLV 3.9 will not be provided.  Please upgrade to a later
version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-08-15 A fix for CVE-2016-8858 in SSLV 3.10 is available in 3.10.3.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-29 A fix for CacheFlow 3.4 is available in 3.4.2.8.
2017-04-26 Added CVSS v2 score for CVE-2016-6210 and base score for Security
Advisory.
2017-03-29 It was previously reported that ASG 6.6 is not vulnerable to
CVE-2016-8858. Further investigation has shown that ASG 6.6 is vulnerable to
CVE-2016-8858. A fix is available in 6.6.5.4.
2017-03-29 A fix for ProxySG 6.6 is available in 6.6.5.4.
2017-03-08 A fix for ProxySG 6.5 is available in 6.5.10.1.
2017-03-08 ProxySG 6.7 is not vulnerable because a fix is available in
6.7.1.1.  SSLV 4.0 is not vulnerable.
2016-01-25 SSLV 3.11.2.1 remediates CVE-2016-8858 by restricting the number of
concurrent unauthenticated incoming SSH connections.
2016-12-13 initial public release
2016-01-20 It was previously reported that ASG, CAS, MTD, MC, PacketShaper
S-Series, PolicyCenter S-Series, Reporter 10.1, Security Analytics, and XOS are
vulnerable to CVE-2016-8858.  Further investigation has shows that these
products are not vulnerable.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWswa0Ix+lLeg9Ub1AQjI4A/7BXX0NSuaw++/gVxoR/lw2Qqg25Qtu5mV
AWMmxTZmH1+NxEEpGoVTZPW8fBevYsdXT3EhbiseBloEagnToprhdXD6RpugRXO9
X5Q/E7tC2446+KMduoFM+FcPCfPgYxcmV7RF7Pqo6/goptUekn6/CkpMXzilSYoz
fmZrnQ4iT5JY32a86zrAbSZKjVIiDHg5N0ubAvmgCFHb8pS35LB/+EMITIRYspLh
BvaybUU8hvEBYXP8Qb0zeZiUmS8N9E9kFULRtJcm9cXTeDhVy4OOek8NQczWQlpr
rvvf4euXH2hFpaZBhVnoBJkxc/nswXxLp/veOLlGB8l/zjNykqXKR7EcGI1frHr7
98VZC3XRk0N8UTtaYJ/J6o3XbmsGd7l7mWw0KbibTVLhrN/4vx/ClYjknbL8+do1
s+QP/0ra9FMzxQ7Sz2n5H7XfRE9q6osdMdduLOxKT2yQHhQMmOTDkoJnT4wGX6w6
rLI+c4veBSaa0RNhhqlnpi1mh1xhRFLDe7dxpw24Vvscg/sdXExU77EE8wYhkzcT
POUG3F8Y366cKIyy70c2wty51aOKEIkVt9lKkuRo96dxQtBulbPakScQR+DM0AMz
oHfiLooL1RoXlYQfEQ2tjN9PMe9QkZC9A5UKLYGCYRUuCRY5dSNa6j9UzGCS+PQS
fWM4DBpl+AM=
=1iMS
-----END PGP SIGNATURE-----

« Back to bulletins