ESB-2018.1606 - [Appliance] Symantec Network Protection products: Multiple vulnerabilities 2018-05-28

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1606
  OpenSSL vulnerabilities patched in Symantec Network Protection products
                                28 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Network Protection products
Publisher:         Symantec
Operating System:  Network Appliance
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0739 CVE-2018-0733 

Reference:         ESB-2018.0896

Original Bulletin: 
   https://www.symantec.com/security-center/network-protection-security-advisories/SA166

- --------------------------BEGIN INCLUDED TEXT--------------------

SA166: OpenSSL Vulnerabilities 27-Mar-2018

Security Advisory ID: SA166
Published Date: May 22, 2018
Advisory Status: Interim
Advisory Severity: Medium
CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE Number: 
CVE-2018-0733 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2018-0739 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Symantec Network Protection products using affected versions of OpenSSL are
susceptible to two vulnerabilities.  A remote attacker can forge cryptographic
messages and cause denial of service through application crashes.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway
ASG 6.6 and 6.7 are vulnerable to CVE-2018-0739.

CacheFlow
CF 3.4 is vulnerable to CVE-2018-0739.

Content Analysis
CA 2.1, 2.2, and 2.3 are vulnerable to CVE-2018-0739.

Director
Director 6.1 is vulnerable to CVE-2018-0739.

IntelligenceCenter
IC 3.3 is vulnerable to CVE-2018-0739.

IntelligenceCenter Data Collector
DC 3.3 is vulnerable to CVE-2018-0739.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2018-0739.

Malware Analysis
MA 4.2 is vulnerable to CVE-2018-0739.

Management Center
MC 1.11 is vulnerable to CVE-2018-0739.

PacketShaper
PS 9.2 is vulnerable to CVE-2018-0739.

PolicyCenter
PC 9.2 is vulnerable to CVE-2018-0739.

ProxyAV
ProxyAV 3.5 is vulnerable to CVE-2018-0739.

ProxySG
ProxySG 6.5, 6.6, and 6.7 are vulnerable to CVE-2018-0739.

Reporter
Reporter 9.5 for Windows and 10.2 are vulnerable to CVE-2018-0739.  Reporter
10.1 has a vulnerable version of OpenSSL, but is not vulnerable to known
vectors of attack.

Security Analytics
Security Analytics 7.1, 7.2, and 7.3 are vulnerable to CVE-2018-0739.

SSL Visibility
SSLV 3.8.4FC, 3.10, 3.12, and 4.2 are vulnerable to CVE-2018-0739 when an
administrator user imports certificates and CRLs in PKCS#7 format.

X-Series XOS
XOS 10.0 and 11.10 are vulnerable to CVE-2018-0739.

The following products have a vulnerable version of OpenSSL, but are not
vulnerable to known vectors of attack:

BCAAA
BCAAA 6.1 has a vulnerable version of OpenSSL.

Client Connector
Client Connector 1.6 has a vulnerable version of OpenSSL.

PacketShaper S-Series
PS S-Series 11.6, 11.9, and 11.10 have a vulnerable version of OpenSSL.

PolicyCenter S-Series
PC S-Series 1.1 has a vulnerable version of OpenSSL.

ProxyClient
ProxyClient 3.4 has a vulnerable version of OpenSSL.

Unified Agent
UA 4.6, 4.7, 4.8, and 4.9 have a vulnerable version of OpenSSL.

WSS Mobile Agent
WSS Mobile Agent 2.0 has a vulnerable version of OpenSSL.

The following products are not vulnerable:
AuthConnector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
HSM Agent for the Luna SP
K9
ProxyAV ConLog and ConLogXP

The following products are under investigation:
Norman Shark Industrial Control System Protection

Advisory Details: 

This security advisory addresses two security vulnerabilities announced in
OpenSSL Security Advisory [27 Mar 2018].  Symantec Network Protection products
that include a vulnerable version of OpenSSL and make use of the affected
functionality are vulnerable.

  * CVE-2018-0733 is a computational flaw in the PA-RISC cryptographic
    functionality that allows attackers to forge cryptographic messages via
    unspecified vectors.
  * CVE-2018-0739 is a flaw in the ASN.1 module that allows remote attackers to
    send crafted ASN.1 data and cause denial of service through stack
    exhaustion.

Symantec Network Protection products that use a native installation of OpenSSL
but do not install or maintain that implementation are not vulnerable to any of
these CVEs.  However, the underlying platform or application that installs and
maintains OpenSSL may be vulnerable. Symantec urges our customers to update the
versions of OpenSSL that are natively installed for Client Connector for OS X,
Proxy Client for OS X, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not enable or use all
functionality within OpenSSL. The products listed below do not utilize the
functionality described in the CVEs below and are thus not known to be
vulnerable to them.  However, fixes for these CVEs will be included in the
patches that are provided.

  * BCAAA: CVE-2018-0739
  * Client Connector: CVE-2018-0739
  * PS S-Series: CVE-2018-0739
  * PC S-Series: CVE-2018-0739
  * ProxyClient: CVE-2018-0739
  * UA: CVE-2018-0739
  * WSS Mobile Agent: CVE-2018-0739

Workarounds: 

CVE-2018-0739 can be remediated in SSLV by converting certificates and CRLs
from PKCS#7 to a different format before importing them.
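As an added illustration of both the CVE-2018-0739 failure mode and the SSLV workaround above (example code, not Symantec's or OpenSSL's): a depth-bounded DER walker a defender can run over a bundle before import, which flags PKCS#7 signedData containers for conversion and refuses over-nested ASN.1 instead of recursing without limit. MAX_DEPTH, the constructed sample blobs and the classify verdict strings are assumptions made for this example.

```python
PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # id-signedData 1.2.840.113549.1.7.2, content octets
MAX_DEPTH = 32                  # assumed nesting cap; tune per deployment

class DerError(ValueError):
    pass

def _read_len(buf, pos):
    # DER length at buf[pos]: short form, or 0x8N followed by N length octets
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise DerError("bad length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def walk(buf, pos=0, end=None, depth=0, found=None):
    """Walk DER TLVs collecting OBJECT IDENTIFIER octets; abort past MAX_DEPTH."""
    found = [] if found is None else found
    end = len(buf) if end is None else end
    if depth > MAX_DEPTH:
        raise DerError("nesting deeper than %d levels" % MAX_DEPTH)
    while pos < end:
        tag = buf[pos]
        length, pos = _read_len(buf, pos + 1)
        if pos + length > end:
            raise DerError("length overruns enclosing container")
        if tag & 0x20:                      # constructed: descend one level
            walk(buf, pos, pos + length, depth + 1, found)
        elif tag == 0x06:                   # primitive OBJECT IDENTIFIER
            found.append(bytes(buf[pos:pos + length]))
        pos += length
    return found

def classify(buf):
    """Pre-import verdict: 'pkcs7' (convert first), 'rejected' (malformed or too deep) or 'ok'."""
    try:
        return "pkcs7" if PKCS7_SIGNED_DATA in walk(buf) else "ok"
    except (DerError, IndexError):          # IndexError: header truncated mid-TLV
        return "rejected"

# Constructed samples, not real bundles: an empty signedData shell, and a nesting bomb
SAMPLE_P7 = bytes.fromhex("300f" "06092a864886f70d010702" "a002" "3000")

def nesting_bomb(levels):
    blob = b""
    for _ in range(levels):                 # one more SEQUENCE per round (short-form length ok below 64 levels)
        blob = bytes([0x30, len(blob)]) + blob
    return blob
```

The conversion the advisory recommends can be done on a management host with `openssl pkcs7 -print_certs -in bundle.p7b -out bundle.pem`, which writes the certificates and CRLs held in the container out as individual PEM objects.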

Patches: 

Advanced Secure Gateway
ASG 6.7 - a fix is not available at this time.
ASG 6.6 - a fix is not available at this time.

BCAAA
BCAAA 6.1 - a fix will not be provided.  The vulnerable OpenSSL library is in
the Novell SSO SDK and an updated Novell SSO SDK is no longer available. 
Please contact Novell for more information.

CacheFlow
CF 3.4 - a fix is not available at this time.

Client Connector
Client Connector 1.6 - a fix will not be provided.  Please upgrade to the
latest version of Unified Agent with the vulnerability fixes.

Content Analysis
CA 2.3 - a fix is not available at this time.
CA 2.2 - a fix is not available at this time.
CA 2.1 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

IntelligenceCenter
IC 3.3 - a fix is not available at this time.

IntelligenceCenter Data Collector
DC 3.3 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Malware Analysis
MA 4.2 - a fix is not available at this time.

Management Center
MC 1.11 - a fix is not available at this time.

PacketShaper
PS 9.2 - a fix is not available at this time.

PacketShaper S-Series
PS S-Series 11.10 - a fix is not available at this time.
PS S-Series 11.9 - a fix is not available at this time.
PS S-Series 11.6 - a fix is not available at this time.

PolicyCenter
PC 9.2 - a fix is not available at this time.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is not available at this time.

ProxyAV
ProxyAV 3.5 - a fix is not available at this time.

ProxyClient
ProxyClient 3.4 - a fix will not be provided.  Please upgrade to the latest
version of Unified Agent with the vulnerability fixes.

ProxySG
ProxySG 6.7 - a fix is not available at this time.
ProxySG 6.6 - a fix is not available at this time.
ProxySG 6.5 - a fix is not available at this time.

Reporter
Reporter 10.2 - a fix is not available at this time.
Reporter 10.1 - a fix is not available at this time.
Reporter 9.5 - a fix is not available at this time.

Security Analytics
Security Analytics 7.3 - a fix is not available at this time.
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.

SSL Visibility
SSLV 4.2 - a fix is not available at this time.
SSLV 3.12 - a fix is not available at this time.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.8.4FC - a fix is not available at this time.

Unified Agent
UA 4.9 - a fix is not available at this time.
UA 4.8 - a fix is not available at this time.
UA 4.7 - a fix is not available at this time.
UA 4.6 - a fix is not available at this time.

WSS Mobile Agent
WSS Mobile Agent 2.0 - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.

References: 

OpenSSL Security Advisory [27 Mar 2018] - https://www.openssl.org/news/secadv/20180327.txt
CVE-2018-0733 - https://nvd.nist.gov/vuln/detail/CVE-2018-0733
CVE-2018-0739 - https://nvd.nist.gov/vuln/detail/CVE-2018-0739

Advisory History: 

2018-05-22 initial public release

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================