ESB-2018.0118 - [Appliance] Symantec Network Protection products: Access privileged data - Existing account 2018-01-10


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0118
  SA161: Local Information Disclosure Due to Meltdown and Spectre Attacks
                              10 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Network Protection products
Publisher:         Symantec
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2018.0009
                   ASB-2018.0002.4
                   ESB-2018.0046
                   ESB-2018.0044
                   ESB-2018.0042

Original Bulletin: 
   https://www.symantec.com/security-center/network-protection-security-advisories/SA161

- --------------------------BEGIN INCLUDED TEXT--------------------

SA161: Local Information Disclosure Due to Meltdown and Spectre Attacks

Security Advisory ID: 
SA161

Published Date: 
Jan 08, 2018

Advisory Status: 
Interim

Advisory Severity: 
Medium
CVSS v2 base score: 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)

CVE Number: 
CVE-2017-5715 - 4.7 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:N/A:N)
CVE-2017-5753 - 4.7 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:N/A:N)
CVE-2017-5754 - 4.7 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:N/A:N)

Symantec Network Protection products, which run on an affected CPU chipset 
and execute arbitrary code from external sources, are susceptible to several
information disclosure vulnerabilities (aka Meltdown and Spectre attacks). 

A remote attacker who has gained the ability to execute arbitrary code locally
on the target can obtain sensitive information from the memory of the same
userspace application, of other userspace applications, of the operating
system, or of a VM hypervisor.

Affected Products:

The following products are vulnerable:

Content Analysis
CA 2.1 and 2.2 are vulnerable to all CVEs when configured with on-box
sandboxing.  CA 1.3 uses affected CPU chipsets, but does not allow
administrators to execute arbitrary code and is not vulnerable to known
vectors of attack.

Malware Analysis
MA 4.2 is vulnerable to all CVEs.

Security Analytics
Security Analytics 7.1, 7.2, and 7.3 are vulnerable to all CVEs when a
malicious administrator executes malicious code on the appliance.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to all CVEs when a malicious
administrator accesses the XOS diagnostics functionality and executes
malicious code on the appliance.

The following products use affected CPU chipsets, but do not allow 
administrators to execute arbitrary code and are not vulnerable to known
vectors of attack:

Advanced Secure Gateway
CacheFlow (not affected by Meltdown)
Director
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter S-Series
ProxyAV
ProxySG (SG300, SG600, and SG9000 platforms are not affected by Meltdown)
Reporter 10.1
SSL Visibility

The following products run as userspace applications on customer-provided 
hardware platforms and operating systems. The vulnerabilities addressed in this
security advisory are not present in our applications, but these applications
can be targeted by an attacker if the underlying hardware platforms and
operating systems are vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PolicyCenter
ProxyClient
ProxyAV ConLog and ConLogXP
Reporter 9.5
Unified Agent

Advisory Details: 

Symantec Network Protection products, which run on an affected CPU chipset and
execute arbitrary code from external sources, are susceptible to several
information disclosure vulnerabilities.

The Meltdown attack (CVE-2017-5754) exploits an information disclosure
vulnerability in CPU chipsets that support out-of-order execution. CPU
chipsets from multiple vendors use out-of-order execution to improve
instruction execution performance.  Modern operating systems rely on memory
isolation between userspace applications and the operating system kernel.  If
a userspace application attempts to access a memory location reserved for the
operating system, the system triggers an exception.  A CPU chipset supporting
out-of-order execution may fetch sensitive data and store it in the CPU cache
before detecting the exception. The data remains uncleared in the CPU cache,
where a malicious userspace application can access it via side-channel
analysis.  The Meltdown attack also allows malicious userspace applications
to access sensitive data from the memory spaces of other userspace
applications.

The Spectre attack (CVE-2017-5753 and CVE-2017-5715) exploits an information
disclosure vulnerability in CPU chipsets that support speculative execution
through branch prediction.  CPU chipsets from multiple vendors use branch
prediction to improve instruction execution performance. A malicious
userspace application can obtain unauthorized access to sensitive data from
the memory space of the same or a different userspace application by
accessing data left uncleared in the CPU cache after speculatively executed
CPU instructions. In one variant of the Spectre attack (CVE-2017-5753), the
speculatively executed instructions follow an incorrect branch prediction. In
a second variant (CVE-2017-5715), the instructions are loaded from the
location of a mispredicted branch target.  CVE-2017-5715 may also allow
malicious code running as a guest in a virtual machine to obtain unauthorized
access to sensitive data from the VM hypervisor memory.

The vulnerabilities addressed in this security advisory are not present in
Symantec Network Protection products that run as userspace applications, but
these applications can be targeted by an attacker if the underlying hardware
platforms and operating systems are vulnerable. Symantec urges our customers
to contact their operating system and hardware platform vendors for
Meltdown/Spectre vulnerability information and fixes.
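For the userspace products listed above, what matters is whether the customer-provided platform has the kernel and microcode mitigations in place. On Linux the kernel reports this under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, each reading "Not affected", "Mitigation: ..." or "Vulnerable..."). The following Python is an added example of mine, not code from Symantec or AusCERT: it reads those three entries, maps them to the CVEs named in this advisory, and treats a missing entry as unknown rather than safe, since a kernel too old to report its status also predates the fixes. The sample status strings are constructed for offline use and were not captured from any Symantec product.

```python
# Added example, not from the Symantec advisory or AusCERT: check the Linux
# kernel's reported Meltdown/Spectre mitigation state on the host.
from pathlib import Path

# Directory where the Linux kernel exposes CPU speculative-execution status.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs entry name -> CVE named in the advisory.
CVE_BY_ENTRY = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status: str) -> str:
    """Reduce a kernel status line to: not-affected, mitigated, vulnerable or unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not-affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read the three entries; None marks an entry this kernel does not provide."""
    statuses = {}
    for entry in CVE_BY_ENTRY:
        try:
            statuses[entry] = (directory / entry).read_text().strip()
        except OSError:
            statuses[entry] = None
    return statuses


def assess(statuses: dict) -> dict:
    """Map each CVE to (state, detail). A missing entry is 'unknown', never assumed safe."""
    report = {}
    for entry, cve in CVE_BY_ENTRY.items():
        raw = statuses.get(entry)
        if raw is None:
            report[cve] = ("unknown", "no sysfs entry (kernel predates status reporting)")
        else:
            report[cve] = (classify(raw), raw)
    return report


def needs_action(report: dict) -> list:
    """CVEs that still need a vendor fix or further investigation."""
    return sorted(cve for cve, (state, _) in report.items() if state in ("vulnerable", "unknown"))


# Constructed sample (not captured from any real host): page-table isolation is
# on for Meltdown, Spectre v1 is mitigated, Spectre v2 is still open.
SAMPLE_STATUSES = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}

if __name__ == "__main__":
    # Use the real sysfs entries when present, otherwise the constructed sample.
    statuses = read_sysfs() if SYSFS_DIR.is_dir() else SAMPLE_STATUSES
    report = assess(statuses)
    for cve, (state, detail) in report.items():
        print(f"{cve}: {state:12s} {detail}")
    print("needs action:", needs_action(report) or "none")
```

Run as root or any user (the entries are world-readable) on the host that carries one of the userspace products; anything reported as vulnerable or unknown is the case the advisory tells customers to take to their OS and hardware vendors.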

Patches: 

Content Analysis
CA 2.2 - a fix is not available at this time.
CA 2.1 - a fix is not available at this time.

Malware Analysis
MA 4.2 - a fix is not available at this time.

Security Analytics
Security Analytics 7.3 - a fix is not available at this time.
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

References: 

Meltdown and Spectre - https://meltdownattack.com/
CERT Vulnerability Note VU#584653 - http://www.kb.cert.org/vuls/id/584653
CVE-2017-5715 - https://nvd.nist.gov/vuln/detail/CVE-2017-5715
CVE-2017-5753 - https://nvd.nist.gov/vuln/detail/CVE-2017-5753
CVE-2017-5754 - https://nvd.nist.gov/vuln/detail/CVE-2017-5754

Advisory History: 

2018-01-09 PolicyCenter (non S-Series) and Reporter 9.5 run as userspace
applications on customer-provided hardware platforms and operating systems.
The vulnerabilities addressed in this security advisory are not present in
these applications, but they can be targeted by an attacker if the underlying
hardware platforms and operating systems are vulnerable.

2018-01-08 initial public release

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
