Symantec Security Response, SMNTC-1337
Dec 08, 2015 - 8:00 a.m.

SA104 : OpenSSH Vulnerabilities


CVSS3: 4.9 Medium

Attack Vector | NETWORK
Attack Complexity | HIGH
Privileges Required | LOW
User Interaction | NONE
Scope | CHANGED
Confidentiality Impact | LOW
Integrity Impact | LOW
Availability Impact | NONE

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS2: 8.5 High

Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | NONE
Availability Impact | COMPLETE

AV:N/AC:L/Au:N/C:P/I:N/A:C

SUMMARY

Blue Coat products using affected versions of OpenSSH are susceptible to multiple vulnerabilities. An attacker, with access to the management interface, may exploit these vulnerabilities to conduct brute-force password guessing attacks, bypass access restrictions, log in as a different user, achieve privilege escalation, execute arbitrary code, and force SSH clients to skip security checks. The attacker can also cause denial of service due to memory corruption and illegal memory accesses.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
All CVEs | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2014-2653 | 6.6 | Upgrade to 6.6.3.1.
CVE-2014-2532 | 6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.3.1.
CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.5.1.

Content Analysis System (CAS)

CVE | Affected Version(s) | Remediation
All CVEs | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
CVE-2014-2532, CVE-2014-2653 | 1.3 | Upgrade to 1.3.6.1.
CVE-2014-2532, CVE-2014-2653 | 1.1, 1.2 | Upgrade to later release with fixes.
CVE-2015-6563, CVE-2015-6564 | 1.3 | Upgrade to 1.3.7.1.
CVE-2015-6563, CVE-2015-6564 | 1.1, 1.2 | Upgrade to later release with fixes.
CVE-2015-5352, CVE-2015-5600 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.1.
CVE-2015-5352, CVE-2015-5600 | 1.1, 1.2 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.

Director

CVE | Affected Version(s) | Remediation
CVE-2014-2532, CVE-2014-2653, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 6.1 | Upgrade to 6.1.22.1.

Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
CVE-2015-6563, CVE-2015-6564 | 1.1 | Not available at this time
CVE-2015-5600 | 1.1 (not vulnerable to known vectors of attack) | Upgrade to 1.1.2.1.
CVE-2015-5352 | 1.1 (not vulnerable to known vectors of attack) | Not available at this time

Malware Analysis Appliance (MAA)

CVE | Affected Version(s) | Remediation
CVE-2014-2532, CVE-2014-2653, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 4.2 | Upgrade to 4.2.8.

Management Center (MC)

CVE | Affected Version(s) | Remediation
CVE-2014-2532, CVE-2014-2653 | 1.5 and later | Not vulnerable, fixed in 1.5.1.1
CVE-2014-2532, CVE-2014-2653 | 1.4 | Upgrade to later release with fixes.
CVE-2015-6563, CVE-2015-6564 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1
CVE-2015-6563, CVE-2015-6564 | 1.4, 1.5 | Upgrade to later release with fixes.

Norman Shark Industrial Control System Protection (ICSP)

CVE | Affected Version(s) | Remediation
CVE-2015-5352, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 5.4 | Not vulnerable, fixed in 5.4.1
CVE-2015-5352, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 5.3 | Upgrade to 5.3.6.

Norman Shark Network Protection (NNP)

CVE | Affected Version(s) | Remediation
CVE-2015-5352, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 5.3 | Upgrade to 5.3.6.

Norman Shark SCADA Protection (NSP)

CVE | Affected Version(s) | Remediation
CVE-2015-5352, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 5.3 | Upgrade to 5.3.6.

PacketShaper (PS) S-Series

CVE | Affected Version(s) | Remediation
All CVEs | 11.6 and later | Not vulnerable, fixed in 11.6.1.1
CVE-2014-2532, CVE-2015-5600 | 11.5 | Upgrade to 11.5.2.1.
CVE-2014-2532, CVE-2015-5600 | 11.2, 11.3, 11.4 | Upgrade to later release with fixes.
CVE-2015-6563, CVE-2015-6564 | 11.5 | Upgrade to 11.5.3.2.
CVE-2015-6563, CVE-2015-6564 | 11.2, 11.3, 11.4 | Upgrade to later release with fixes.

PolicyCenter (PC) S-Series

CVE | Affected Version(s) | Remediation
CVE-2015-6563, CVE-2015-6564 | 1.1 | Upgrade to 1.1.2.2.

Reporter

CVE | Affected Version(s) | Remediation
CVE-2014-2532, CVE-2014-2653 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2014-2532, CVE-2014-2653 | 10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.3.1.
CVE-2014-9278 | 10.1 and later | Not vulnerable
CVE-2015-5352, CVE-2015-5600 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2015-5352, CVE-2015-5600 | 10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.4.2.
CVE-2015-6563, CVE-2015-6564 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2015-6563, CVE-2015-6564 | 10.1 | Upgrade to 10.1.4.2.
All CVEs | 9.4, 9.5 | Not vulnerable

Security Analytics (SA)

CVE | Affected Version(s) | Remediation
CVE-2014-2532 | 7.2 and later | Not vulnerable, fixed in 7.2.1
CVE-2014-2532 | 7.1 | Upgrade to 7.1.11.
CVE-2014-2532 | 7.0 | Upgrade to later release with fixes.
CVE-2014-2532 | 6.6 | Upgrade to 6.6.12.
CVE-2014-2653, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 7.2 and later | Not vulnerable, fixed in 7.2.1
CVE-2014-2653, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 7.1 | Upgrade to 7.1.11.
CVE-2014-2653, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 7.0 | Upgrade to later release with fixes.
CVE-2014-2653, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 6.6 | Upgrade to 6.6.12.
CVE-2015-5352 | 7.2 and later | Not vulnerable, fixed in 7.2.1
CVE-2015-5352 | 7.1 (not vulnerable to known vectors of attack) | Apply patch RPM available from customer support.
CVE-2015-5352 | 7.0 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
CVE-2015-5352 | 6.6 (not vulnerable to known vectors of attack) | Apply patch RPM available from customer support.

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
CVE-2015-6563, CVE-2015-6564 | 3.10 and later | Fixed in 3.10.1.1
CVE-2015-6563, CVE-2015-6564 | 3.9 | Upgrade to 3.9.3.6.
CVE-2015-6563, CVE-2015-6564 | 3.8.4FC | Upgrade to 3.8.4FC-55.
CVE-2015-6563, CVE-2015-6564 | 3.8 | Upgrade to later release with fixes.

X-Series XOS

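CVE | Affected Version(s) | Remediation
CVE-2014-2532, CVE-2014-2653, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 11.0 | Not available at this time
CVE-2014-2532, CVE-2014-2653, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 10.0 | Not available at this time
CVE-2014-2532, CVE-2014-2653, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564 | 9.7 | Not available at this time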

ADDITIONAL PRODUCT INFORMATION

In SSL Visibility, the OpenSSH vulnerabilities can be exploited only through the product's management interfaces (web UI, CLD). Limiting the machines, IP addresses and subnets able to reach this physical network port reduces the threat. This reduces the CVSS v2 scores for multiple CVEs. The adjusted CVSS v2 base scores and severity are:

  • CVE-2014-2532 - 4.3 (MEDIUM) (AV:A/AC:M/Au:N/C:P/I:P/A:N)
  • CVE-2014-2653 - 4.3 (MEDIUM) (AV:A/AC:M/Au:N/C:P/I:P/A:N)
  • CVE-2015-5352 - 2.9 (LOW) (AV:A/AC:M/Au:N/C:N/I:P/A:N)
  • CVE-2015-5600 - 6.8 (MEDIUM) (AV:A/AC:L/Au:N/C:P/I:N/A:C)

Blue Coat products do not enable or use all functionality within OpenSSH. Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE. However, fixes for those CVEs will be included in the patches that are provided. The following products include vulnerable versions of OpenSSH, but do not use the functionality described in the CVEs and are not known to be vulnerable.

  • ASG: CVE-2014-2532, CVE-2015-5600, CVE-2015-6563, and CVE-2015-6564
  • CAS: CVE-2015-5352 and CVE-2015-5600
  • Director: CVE-2015-5352
  • MAA: CVE-2015-5352
  • MTD: CVE-2015-5352 and CVE-2015-5600
  • MC: CVE-2015-5352 and CVE-2015-5600
  • PS S-Series: CVE-2014-2653 and CVE-2015-5352
  • PC S-Series: CVE-2015-5352
  • Reporter 10.1: CVE-2014-2532, CVE-2014-2653, CVE-2015-5352, and CVE-2015-5600
  • Security Analytics: CVE-2015-5352
  • SSLV: CVE-2014-2653, CVE-2015-5352, and CVE-2015-5600
  • XOS: CVE-2015-5352

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Unified Agent
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2014-1692

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 65230 / NVD: CVE-2014-1692
Impact | Denial of service, unspecified other impact
Description | A flaw allows an attacker to cause memory corruption, resulting in a denial of service or unspecified other impact.

CVE-2014-2532

Severity / CVSSv2 | Medium / 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
References | SecurityFocus: BID 66355 / NVD: CVE-2014-2532
Impact | Security control bypass
Description | A flaw allows an attacker to pass environment variables to a server SSH session and bypass intended environment variable restrictions.

CVE-2014-2653

Severity / CVSSv2 | Medium / 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
References | SecurityFocus: BID 66459 / NVD: CVE-2014-2653
Impact | Security control bypass
Description | A flaw allows an attacker to cause SSH clients to skip SSHFP DNS record checks when establishing SSH connections.

CVE-2014-9278

Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
References | SecurityFocus: BID 71420 / NVD: CVE-2014-9278
Impact | Security control bypass
Description | A flaw allows a remote attacker in a Kerberos environment to log in as a different user if changing users is allowed only after local authentication.

CVE-2015-5352

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 75525 / NVD: CVE-2015-5352
Impact | Security control bypass
Description | A flaw allows an attacker to bypass intended time window access restrictions when establishing X11 connections to SSH clients.

CVE-2015-5600

Severity / CVSSv2 | High / 8.5 (AV:N/AC:L/Au:N/C:P/I:N/A:C)
References | SecurityFocus: BID 75990 / NVD: CVE-2015-5600
Impact | Information disclosure
Description | A flaw allows an attacker to conduct brute-force password guessing attacks or cause denial of service in SSH servers that use keyboard interactive authentication.

CVE-2015-6563

Severity / CVSSv2 | Low / 1.9 (AV:L/AC:M/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 76317 / NVD: CVE-2015-6563
Impact | Privilege escalation
Description | A flaw allows a local attacker with valid user credentials to achieve privilege escalation if the attacker has already compromised a local non-privileged pre-authentication process.

CVE-2015-6564

Severity / CVSSv2 | Medium / 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
References | SecurityFocus: BID 76317 / NVD: CVE-2015-6564
Impact | Denial of service, privilege escalation
Description | A flaw allows a local attacker to cause the SSH daemon to crash or execute arbitrary code with root privileges if the attacker has already compromised a local non-privileged pre-authentication process.

CVE-2015-6565

Severity / CVSSv2 | High / 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
References | SecurityFocus: BID 76497 / NVD: CVE-2015-6565
Impact | Denial of service, unspecified other impact
Description | A flaw allows a local attacker to cause denial of service or have unspecified other impact through writing to TTY device files.

MITIGATION

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

By default, Director does not configure its OpenSSH software to accept environment variables from clients or to use keyboard interactive authentication. Customers who leave this default behavior unchanged prevent attacks against Director using CVE-2014-2532 and CVE-2015-5600.

By default, MAA does not use SSH as a client, does not use SSH in a Kerberos environment, and does not configure its OpenSSH software to use keyboard interactive authentication. Customers who leave this default behavior unchanged prevent attacks against MAA using CVE-2014-2653 and CVE-2015-5600.

By default, Security Analytics does not use SSH in a Kerberos environment. Also, it does not configure its OpenSSH software to accept environment variables from clients or to use keyboard interactive authentication. Customers who leave this default behavior unchanged prevent attacks against Security Analytics using CVE-2014-2532 and CVE-2015-5600.

By default, XOS does not use SSH as a client and does not configure its OpenSSH software to accept environment variables from clients or to use keyboard interactive authentication. Customers who leave this default behavior unchanged prevent attacks against XOS using CVE-2014-2532, CVE-2014-2653, and CVE-2015-5600.
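
The two server-side defaults these paragraphs rely on can be checked against the effective configuration that `sshd -T` prints. The following is an added example, not part of the original advisory: it assumes a host where that output can be captured (the appliances may not expose a shell), and the sample outputs are constructed.

```python
def audit_effective_config(sshd_t_output):
    """Flag settings tied to CVE-2014-2532 and CVE-2015-5600.

    Input is text in the `sshd -T` format: one 'keyword value' pair per
    line, keywords in lowercase. Returns a list of (cve, setting) tuples.
    """
    findings = []
    for raw in sshd_t_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        # Any accepted client environment variable re-enables the
        # functionality described in CVE-2014-2532.
        if key == "acceptenv" and value:
            findings.append(("CVE-2014-2532", f"acceptenv {value}"))
        # Older releases report challengeresponseauthentication, newer
        # ones kbdinteractiveauthentication; either enables the method.
        elif key in ("kbdinteractiveauthentication",
                     "challengeresponseauthentication"):
            if value.lower() == "yes":
                findings.append(("CVE-2015-5600", f"{key} yes"))
    return findings


# Constructed sample: defaults left unchanged, as the advisory describes.
UNCHANGED = """\
port 22
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
"""

# Constructed sample: an administrator changed both settings.
MODIFIED = """\
port 22
acceptenv LANG
acceptenv LC_*
kbdinteractiveauthentication yes
"""

if __name__ == "__main__":
    for name, text in (("unchanged", UNCHANGED), ("modified", MODIFIED)):
        print(name, audit_effective_config(text))
```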

REFERENCES

OpenSSH security announcements - <https://www.openssh.com/security.html>

REVISION

2020-04-20 Security Analytics 7.3, 8.0, and 8.1 are not vulnerable to CVE-2014-2532. Industrial Control System Protection (ICSP) 5.4 is not vulnerable because a fix is available in 5.4.1. Advisory status moved to Closed.
2019-10-02 Web Isolation is not vulnerable.
2019-08-29 Reporter 10.3 and 10.4 have vulnerable versions of OpenSSH for CVE-2014-2532, but are not vulnerable to known vectors of attack.
2019-01-20 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2014-2532.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable. SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-02-16 Previously, it was reported that Security Analytics by default is not vulnerable to CVE-2014-2653 because it does not act as an SSH client. Further investigation has shown that Security Analytics acts as an SSH client and is vulnerable to CVE-2014-2653 by default.
2016-11-29 A fix for Director is available in 6.1.22.1. PacketShaper S-Series 11.7 is not vulnerable. SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-08 A fix for all CVEs in ASG is available in 6.6.5.1.
2016-11-07 SSLV 3.10 is not vulnerable.
2016-09-22 A fix for all CVEs in Reporter 10.1 is available in 10.1.4.2. MC 1.6 and 1.7 are not vulnerable because they have the vulnerability fixes. Further vulnerability fixes for MC 1.4 and 1.5 will not be provided. Please upgrade to the latest MC version with the vulnerability fixes.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 A fix for all CVEs in CAS 1.3 is available in 1.3.7.1. Security Analytics 7.2 is not vulnerable.
2016-06-30 PacketShaper S-Series is not vulnerable.
2016-06-28 Fixed typos in Affected Products, Advisory Details, and Patches sections.
2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4. Please upgrade to a later version with the vulnerability fixes.
2016-06-24 A fix for CVE-2014-2653 in PS S-Series is available in 11.5.2.1. A fix for all CVEs in PS S-Series is available in 11.5.3.2. A fix for PC S-Series is available in 1.1.2.2.
2016-06-22 A fix for CVE-2014-2532 is available in ASG 6.6.3.1.
2016-06-22 Previously, it was reported that ASG 6.6 is not vulnerable to CVE-2014-2532, CVE-2015-5600, CVE-2015-6563, and CVE-2015-6564. Further investigation has shown that ASG 6.6 has a vulnerable version of OpenSSH for multiple CVEs, but is not vulnerable to known vectors of attack.
2016-06-16 PC S-Series is vulnerable to CVE-2015-6563 and CVE-2015-6564. It also has vulnerable code for CVE-2015-5352, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2016-06-14 A fix for SA 7.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-26 Fixes for CVE-2015-5352 in Security Analytics 6.6 and 7.1 are available through patch RPMs from Blue Coat Support.
2016-05-19 Fixes for all CVEs except CVE-2015-5352 are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-27 A fix for CVE-2015-5600 in MTD 1.1 is available in 1.1.2.1.
2016-04-24 MTD 1.1 is vulnerable to CVE-2015-6563 and CVE-2015-6564. It also has vulnerable code for CVE-2015-5352 and CVE-2015-5600, but is not vulnerable to known vectors of attack.
2016-04-22 It was previously reported that Security Analytics 6.6, 7.0, and 7.1 are vulnerable to CVE-2014-9278, and that Reporter 10.1 has vulnerable code for CVE-2014-9278. New information indicates that SA and Reporter are not vulnerable to this CVE.
2016-04-19 Fixes for CVE-2014-2532 and CVE-2015-5600 in PS S-Series 11.5 are available in 11.5.2.1.
2016-04-15 Fixes will not be provided for CAS 1.1 and 1.2. Please upgrade to a later version with the vulnerability fixes.
2016-03-14 A fix for CVE-2014-2532 and CVE-2014-2653 in CAS 1.3 is available in 1.3.6.1.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8. It was previously reported that MAA 4.2 is vulnerable to CVE-2014-9278, but further investigation has shown that it is not vulnerable to that CVE.
2016-03-04 A fix for CVE-2014-2532 and CVE-2014-2653 is available in Reporter 10.1.3.1.
2016-01-21 A fix for SSLV 3.9 is available.
2016-01-15 A fix for SSLV 3.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2015-12-22 MC 1.5 contains fixes for CVE-2014-2532 and CVE-2014-2653. It is vulnerable to or has vulnerable code for other CVEs, and fixes are pending.
2015-12-21 CAS, Director, MAA, MC, PacketShaper, Reporter 10.1, Security Analytics, SSLV, and XOS have vulnerable OpenSSH software, but do not use the vulnerable functionality and are not known to be vulnerable. The vulnerable software will be patched in future releases.
2015-12-10 Security Analytics 6.6, 7.0, and 7.1 are vulnerable.
2015-12-09 initial public release
