Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2016.0054.2
Multiple Blue Coat products are affected by vulnerabilities in OpenSSL
10 April 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Blue coat products
Operating System: Network Appliance
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-2176 CVE-2016-2109 CVE-2016-2108
CVE-2016-2107 CVE-2016-2106 CVE-2016-2105
CVE-2013-0169
Reference: ASB-2013.0113
ASB-2013.0069
ESB-2013.0183
ESB-2013.0177
ESB-2013.0161
Revision History: April 10 2018: Update from vendor: A fix for Reporter 9.5 is
available in 9.5.4.1
May 10 2016: Initial Release
OVERVIEW
Multiple Blue Coat products are affected by vulnerabilities in OpenSSL:
"Advanced Secure Gateway
ASG 6.6 prior to 6.6.5.1 is vulnerable to CVE-2016-2105, CVE-2016-2106,
CVE-2016-2107 (all supported hardware platforms), CVE-2016-2108, and
CVE-2016-2109. ASG 6.7 is not vulnerable.
Android Mobile Agent
Android Mobile Agent 1.3 prior to 1.3.8 is vulnerable to CVE-2016-2105,
CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.
BCAAA
BCAAA 6.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107,
CVE-2016-2108, CVE-2016-2109, and CVE-2016-2176 when a Novell SSO realm is
used.
CacheFlow
CacheFlow 3.4 prior to 3.4.2.7 is vulnerable to CVE-2016-2108 and
CVE-2016-2109.
Client Connector
Client Connector 1.6 for Windows is vulnerable to CVE-2016-2105, CVE-2016-2106,
CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.
Content Analysis System
CAS 1.2 and 1.3 prior to 1.3.7.1 are vulnerable to CVE-2016-2105,
CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), CVE-2016-2108,
and CVE-2016-2109. CAS 2.1 and later releases are not vulnerable.
Director
Director 6.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108,
CVE-2016-2109, and CVE-2016-2176.
Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (all
supported hardware platforms), CVE-2016-2108, and CVE-2016-2109.
Malware Analysis Appliance
MAA 4.2 prior to 4.2.11 is vulnerable to CVE-2016-2105, CVE-2016-2107 (all
supported hardware platforms) and CVE-2016-2108.
Management Center
MC 1.5 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and
CVE-2016-2109. MC 1.6 and later releases are not vulnerable.
Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106,
CVE-2016-2108, and CVE-2016-2109. They are also vulnerable to CVE-2016-2107
when running on an AESNI-capable hardware platform. See the Advisory Details
section for more details.
Norman Shark Network Protection
NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106,
CVE-2016-2108, and CVE-2016-2109. They are also vulnerable to CVE-2016-2107
when running on an AESNI-capable hardware platform. See the Advisory Details
section for more details.
Norman Shark SCADA Protection
NSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106,
CVE-2016-2108, and CVE-2016-2109. They are also vulnerable to CVE-2016-2107
when running on an AESNI-capable hardware platform. See the Advisory Details
section for more details.
PacketShaper
PS 9.2 prior to 9.2.13p2 is vulnerable to CVE-2016-2106 and CVE-2016-2109. PS
9.2 prior to 9.2.13p1 is also vulnerable to CVE-2016-2108.
PacketShaper S-Series
PS S-Series 11.2, 11.3, 11.4, and 11.5 prior to 11.5.3.2 are vulnerable to
CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), and
CVE-2016-2108. PS S-Series 11.6, 11.7, 1.8 and 1.9 are not vulnerable.
PolicyCenter
PC 9.2 prior to 9.2.13p2 is vulnerable to CVE-2016-2106 and CVE-2016-2109. PC
9.2 prior to 9.2.13p1 is also vulnerable to CVE-2016-2108.
PolicyCenter S-Series
PC S-Series 1.1 prior to 1.1.2.2 is vulnerable to CVE-2016-2106, CVE-2016-2107
(all supported hardware platforms), and CVE-2016-2108.
ProxyAV
ProxyAV 3.5 prior to 3.5.4.2 is vulnerable to CVE-2016-2105, CVE-2016-2106,
CVE-2016-2108, CVE-2016-2109, and CVE-2016-2176.
ProxyClient
ProxyClient 3.4 for Windows is vulnerable to CVE-2016-2105, CVE-2016-2106,
CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.
ProxySG
ProxySG 6.5 prior to 6.5.9.8 and 6.6 prior to 6.6.4.1 are vulnerable to
CVE-2016-2108 and CVE-2016-2109. They are also vulnerable to CVE-2016-2107
when running on an AESNI-capable hardware platform. See the Advisory Details
section for more details. ProxySG 6.7 is not vulnerable.
Reporter
Reporter 9.4, 9.5 prior to 9.5.4.1, and 10.1 prior to 10.1.4.2 are vulnerable
to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. Reporter
9.5 and 10.1 are also vulnerable to CVE-2016-2107.
Security Analytics
Security Analytics 6.6, 7.0, and 7.1 are vulnerable to CVE-2016-2105,
CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. Security Analytics 6.6 and
7.1 are also vulnerable to CVE-2016-2107 when running on an AESNI-capable
hardware platform. See the Advisory Details section for more details.
Security Analytics 7.2 and 7.3 are not vulnerable.
SSL Visibility
SSLV 3.8, 3.8.4FC prior to 3.8.4FC-55, and 3.9 prior to 3.9.3.6 are vulnerable
to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. They are
also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware
platform. See the Advisory Details section for more details. SSLV 3.10 and
later versions are not vulnerable.
Unified Agent
UA 4.1 and 4.6 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107,
and CVE-2016-2109. UA 4.1 is also vulnerable to CVE-2016-2108. UA 4.7 is not
vulnerable.
X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-2105, CVE-2016-2106,
CVE-2016-2108, and CVE-2016-2109. They are also vulnerable to CVE-2016-2107
when running on an AESNI-capable hardware platform. See the Advisory Details
section for more details." [1]
IMPACT
The vendor has provided the following information about the
vulnerability:
"CVE-2016-2105 is a flaw in the Base64 encoding module that allows a
remote attacker to supply large input data and trigger a heap
overflow, resulting in denial of service and possible arbitrary code
execution.
CVE-2016-2106 is a flaw in the generic symmetric
encryption/decryption module that allows a remote attacker to supply
large input data and trigger a heap overflow, resulting in denial of
service and possible arbitrary code execution.
CVE-2016-2107 is a flaw introduced as part of the fix for
CVE-2013-0169 (Lucky13). A remote man-in-the-middle (MITM) attacker
can exploit this vulnerability to perform a padding oracle attack
and decrypt intercepted TLS traffic when the TLS sessions use AES
CBC cipher suites and the server supports AESNI. The CVSS v2 score
for CVE-2016-2107 listed in this Security Advisory is published by
the National Vulnerability Database (NVD). The effective CVSS v2
score my be higher for Blue Coat products if the decrypted plaintext
contains cookie or password information.
CVE-2016-2108 is a flaw in the ASN.1 encoder that allows a remote
attacker to send a crafted X.509 certificate and trigger a buffer
underflow on the target if it parses and re-encodes the certificate.
The attack is also possible if the crafted X.509 certificate is
signed using RSA and the target verifies the RSA signature.
Exploiting this vulnerability can result in denial of service
through memory corruption and possible arbitrary code execution.
CVE-2016-2109 is a flaw in the ASN.1 decoder that allows a remote
attacker to send crafted ASN.1 data and trigger excessive memory
allocation on the target. This can result in denial of service
through memory depletion.
CVE-2016-2176 is an overread flaw in X.509 certificate ASN.1 string
parsing on EBCDIC systems. A remote attacker can exploit this
vulnerability using crafted X.509 certificates to obtain arbitrary
data from the target's memory stack." [1]
MITIGATION
The vendor recommends upgrading to versions unaffected by the
vulnerability. [1]
REFERENCES
[1] SA123: OpenSSL Vulnerabilities 3-May-2016
https://bto.bluecoat.com/security-advisory/sa123
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWswayIx+lLeg9Ub1AQgrKRAAg5UIhBzZYfLYrkMdsZyV9klZkb9c1eje
mpE5tdbwaxYlwv4X4/qsn/VEH7NjcN1Hf1+enSzXOey6SGTnB4rKZjK6lls05Bg5
OC01Lqljck0EwTMeKQvzRpBgT8UwbfC5V0g22oaQTBSFVjql5903XGkcIfC0PVR7
TwjFcPl8LiRsOocopovnanHQd3RLRsCdFtWwhkmqqeIiM9IZ5c95PV0cNK760PW/
EPxk2BYaLVcfBGSDLw1U3h0yO2u5N8QYEF9farNrHeFv7KhHm3xzf4Pyqs6uafqV
71rlnK1uxkBjKoATd5u4lectMVaaohII5CzmRvusamVSoNMpD16Pm+F0bhNW9/4E
j7BfLt8L1NuuRtylrTvVQpqZwv9CfZHYJ9mIQPyk2lnS0GyRiLG78MVanSC3mKJw
X0dgDawCHrfL9INqjHPQvIftJ3UyOtLuBX/GgdFpyLlRbHs/YoPEabo+lHRV3mm6
xQz04dZL0NsGPYW10K/EXRo9bfH/LNEzUAbxqvJLGtjJBg3hzS00vPT0xT9E3t6p
CkLozPd+cbjZip/md2LPEbIafE9rgcACZHYUGNZNCNbI8Omw6xoenKVfRXrpND6a
bYZmKFishANPEZNUmEAVPgN0QtLucEkq+C6Kgk7FH5ThwRhZx81AW1lC7MGS6qA0
SIjjsCBHbtQ=
=Ny+B
-----END PGP SIGNATURE-----