Symantec Security Response | SMNTC-1338
Dec 10, 2015 - 8:00 a.m.

SA105 : OpenSSL Vulnerabilities 3-Dec-2015


CVSS3: 7.5 High
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

SUMMARY

Blue Coat products using affected versions of OpenSSL 1.0.2, 1.0.1, 1.0.0 and 0.9.8 are susceptible to one or more vulnerabilities. A remote attacker may exploit these vulnerabilities to obtain private key information and information stored in the target’s volatile memory. The attacker can also cause denial of service through application crashes due to memory corruption or illegal memory accesses.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2015-3194 | 6.6 | Upgrade to 6.6.4.1
CVE-2015-3195, CVE-2015-3196 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2015-3195, CVE-2015-3196 | 6.6 | Upgrade to later release with fixes.

Android Mobile Agent

CVE |Affected Version(s)|Remediation
CVE-2015-3194 | All versions prior to 1.3.8 | Upgrade to 1.3.8.

BCAAA

CVE |Affected Version(s)|Remediation
All CVEs | 6.1 (only when a Novell SSO realm is used) | An updated Novell SSO SDK is no longer available. Please contact Novell for more information.

Content Analysis System (CAS)

CVE |Affected Version(s)|Remediation
All CVEs | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
CVE-2015-3194, CVE-2015-3195 | 1.3 | Upgrade to 1.3.6.1.
CVE-2015-3194, CVE-2015-3195 | 1.1, 1.2 | Upgrade to later release with fixes.

Director

CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 6.1 | Upgrade to 6.1.22.1.

Malware Analysis Appliance (MAA)

CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | 4.2 | Upgrade to 4.2.8.

Management Center (MC)

CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1
CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | 1.5 | Upgrade to 1.5.3.1.
CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | 1.4 | Upgrade to later release with fixes.

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3196 | 5.4 and later | Not vulnerable, fixed in 5.4.1
CVE-2015-3194, CVE-2015-3196 | 5.3 | Upgrade to 5.3.6.

Norman Shark Network Protection (NNP)

CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3196 | 5.3 | Upgrade to 5.3.6.

Norman Shark SCADA Protection (NSP)

CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3196 | 5.3 | Upgrade to 5.3.6.

PacketShaper (PS)

CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 9.2 | Upgrade to 9.2.13p1.

PacketShaper (PS) S-Series

CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 11.6 and later | Not vulnerable, fixed in 11.6.1.1
CVE-2015-3194 | 11.5 | Upgrade to 11.5.3.1.
CVE-2015-3194 | 11.2, 11.3, 11.4 | Upgrade to later release with fixes.

PolicyCenter (PC)

CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 9.2 | Upgrade to 9.2.13p1.

PolicyCenter (PC) S-Series

CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 1.1 | Upgrade to 1.1.2.1.

ProxyAV

CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3195 | 3.5 | Upgrade to 3.5.4.1.

ProxyClient

CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 3.4 | Upgrade to latest release of Unified Agent with fixes.

ProxySG

CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 6.7 and later | Not vulnerable, fixed in 6.7.1.1
CVE-2015-3194 | 6.6 | Upgrade to 6.6.4.1.
CVE-2015-3194 | 6.5 | Upgrade to 6.5.9.2.
CVE-2015-3195, CVE-2015-3196 | 6.7 and later | Not vulnerable, fixed in 6.7.1.1
CVE-2015-3195, CVE-2015-3196 | 6.6 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
CVE-2015-3195, CVE-2015-3196 | 6.5 (not vulnerable to known vectors of attack) | Upgrade to 6.5.10.4.

Reporter

CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3196 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2015-3194, CVE-2015-3196 | 10.1 | Upgrade to 10.1.4.1.
CVE-2015-3194, CVE-2015-3196 | 9.5 | Upgrade to 9.5.3.1.
CVE-2015-3195 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2015-3195 | 10.1 | Upgrade to 10.1.4.1.
CVE-2015-3195 | 9.5 | Upgrade to 9.5.3.1.
CVE-2015-3195 | 9.4 | Upgrade to later release with fixes.

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
All CVEs | 3.10 and later | Not vulnerable, fixed in 3.10.1.1
CVE-2015-3194, CVE-2015-3195 | 3.9 | Upgrade to 3.9.3.1.
CVE-2015-3194, CVE-2015-3195 | 3.8.4FC | Upgrade to 3.8.4FC-55.
CVE-2015-3194, CVE-2015-3195 | 3.8 | Upgrade to later release with fixes.
CVE-2015-3193, CVE-2015-1794 | 3.9 | Upgrade to 3.9.3.1.

Unified Agent (UA)

CVE |Affected Version(s)|Remediation
CVE-2015-3193, CVE-2015-3194 | 4.7 and later | Not vulnerable, fixed in 4.7.1
CVE-2015-3193, CVE-2015-3194 | 4.6 | Upgrade to later release with fixes.
CVE-2015-3193, CVE-2015-3194 | 4.1 | Not vulnerable

X-Series XOS

CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 11.0 | Not available at this time
CVE-2015-3195 | 10.0 | Not available at this time
CVE-2015-3195 | 9.7 | Upgrade to later release with fixes.
CVE-2015-3194, CVE-2015-3196 | 11.0 | Not available at this time

The following products contain a vulnerable version of OpenSSL, but are not vulnerable to known vectors of attack:

CacheFlow

CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 3.4 | Upgrade to 3.4.2.5.

Client Connector

CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 1.6 | Upgrade to latest release of Unified Agent with fixes.

Security Analytics

CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 7.2 and later | Not vulnerable, fixed in 7.2.1
CVE-2015-3195 | 7.1 | Upgrade to 7.1.11.
CVE-2015-3195 | 7.0 | Upgrade to later release with fixes.
CVE-2015-3195 | 6.6 | Upgrade to 6.6.12.

ADDITIONAL PRODUCT INFORMATION

Blue Coat products may act as both client and server in SSL/TLS connections, and may use application functionality for cryptographic operations. Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services. Products should be considered vulnerable in all interfaces that provide SSL/TLS connections for data and management interfaces unless the CVE is specific to SSL/TLS client or server functionality (as noted in the descriptions above) or unless otherwise stated below:

  • CAS: CVE-2015-3195 only affects management connections when importing PKCS#7 formatted certificates.
  • Director: CVE-2015-3195 only affects management connections when importing PKCS#7 formatted certificates.
  • MAA: CVE-2015-3195 only affects management connections when importing PKCS#7 and CMS formatted data.
  • MC: CVE-2015-3195 only affects management connections when importing PKCS#7 formatted certificates.
  • PacketShaper: CVE-2015-3194 only affects SSL client connections.
  • PolicyCenter: CVE-2015-3194 only affects SSL client connections.
  • ProxyAV: CVE-2015-3195 only affects management connections when importing PKCS#7 formatted certificates.
  • SSLV: CVE-2015-3194 only affects SSL client connections. CVE-2015-3195 only affects management connections when importing PKCS#7 formatted certificates.

Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector, ProxyClient, and Reporter 9.x for Linux.

Blue Coat products do not enable or use all functionality within OpenSSL. Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE. However, fixes for those CVEs will be included in the patches that are provided. The following products include vulnerable versions of OpenSSL, but do not use the functionality described in the CVEs and are not known to be vulnerable.

  • Android Mobile Agent: CVE-2015-3195 and CVE-2015-3196
  • ASG: CVE-2015-3195 and CVE-2015-3196
  • CacheFlow: CVE-2015-3195
  • CAS: CVE-2015-3196
  • Client Connector: CVE-2015-3195
  • ICSP, NNP, and NSP: CVE-2015-3195
  • PS: CVE-2015-3195 and CVE-2015-3196
  • PS S-Series: CVE-2015-3195 and CVE-2015-3196
  • PC: CVE-2015-3195 and CVE-2015-3196
  • PC S-Series: CVE-2015-3195 and CVE-2015-3196
  • ProxyAV: CVE-2015-3196
  • ProxySG: CVE-2015-3195 and CVE-2015-3196
  • Reporter 10.1: CVE-2015-3195
  • Security Analytics: CVE-2015-3195
  • SSLV: CVE-2015-3196
  • Unified Agent: CVE-2015-3195, CVE-2015-3196, and CVE-2015-1794

The following products are not vulnerable:
AuthConnector
Blue Coat HSM Agent for the Luna SP
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
Mail Threat Defense
ProxyAV ConLog and ConLogXP
Web Isolation

Symantec no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

IntelligenceCenter
IntelligenceCenter Data Collector
NetDialog NetX is a replacement product for IntelligenceCenter.

ISSUES

CVE-2015-3193

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 78705 / NVD: CVE-2015-3193
Impact | Information disclosure
Description | A flaw in the modular exponentiation routine used by the DH, RSA, and DSA protocols allows a remote attacker to obtain private key information from targets running on 64-bit platforms.

CVE-2015-3194

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 78623 / NVD: CVE-2015-3194
Impact | Denial of service
Description | A flaw in RSA PSS signature verification allows a remote attacker to cause illegal memory accesses on the target, resulting in application crashes and denial of service.

CVE-2015-3195

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 78626 / NVD: CVE-2015-3195
Impact | Information disclosure
Description | A flaw in PKCS#7 and CMS data parsing allows a remote attacker to access information from the process memory of vulnerable applications.

CVE-2015-3196

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 78622 / NVD: CVE-2015-3196
Impact | Denial of service
Description | A flaw in PSK parameter handling allows a remote attacker to cause memory corruption on the target, resulting in application crashes and denial of service.

CVE-2015-1794

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | NVD: CVE-2015-1794
Impact | Denial of service
Description | A flaw in anonymous Diffie-Hellman parameter handling allows a remote attacker to cause denial of service in SSL clients.

MITIGATION

Blue Coat's SSL Visibility appliance can be used to prevent attacks using CVE-2015-3196 and CVE-2015-1794. Customers using SSLV in inline outbound deployments can protect SSL clients by blocking SSL flows that use PSK cipher suites (CVE-2015-3196) and ADH cipher suites (CVE-2015-1794). SSLV 3.x customers can use the following configuration steps:

  1. Open the Policies > Cipher Suites Lists web UI page and create a new cipher suites list.
  2. Select the new cipher suites list and use the Add button in the Cipher Suites panel repeatedly to add all PSK and ADH cipher suites to the list. PSK cipher suites have the string "PSK" in their names. ADH cipher suites have the string "DH_Anon" in their names.
  3. In the Policies > Rulesets web UI page, select the desired ruleset and add a "Drop" or "Reject" rule using the new cipher suites list. If necessary, re-order the rules in the ruleset to ensure that the new rule has the correct priority.

For SSLV versions other than 3.x, refer to the appropriate SSL Visibility Administration & Deployment Guide or contact Blue Coat support for instructions on how to configure the SSLV policy with blocking rules. Before blocking SSL cipher suites in a production network, verify that no existing SSL applications require them to function properly.
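
A pre-check for the steps above, as an added example that is not Blue Coat code or SSLV configuration: it selects PSK and ADH suites by name and counts which observed flows the new Drop/Reject rule would stop. It assumes IANA-style or OpenSSL-style suite names (the names shown in the SSLV UI may differ), and the suite inventory, flow records and function names are constructed for illustration.

```python
import re
from collections import Counter

# Name patterns from the advisory: "PSK" and "DH_Anon", matched case-insensitively.
# Assumption: names are IANA style (TLS_DH_anon_WITH_...) or OpenSSL style (ADH-...).
# A bare substring test for "DH_anon" also hits anonymous ECDH (ECDH_anon), so
# that family gets its own label instead of being folded silently into ADH.
PATTERNS = {
    "PSK": re.compile(r"PSK", re.I),
    "ADH": re.compile(r"(?<![A-Za-z])DH_anon|^ADH-", re.I),
    "AECDH": re.compile(r"ECDH_anon|^AECDH-", re.I),
}

def classify(suite):
    """Return the labels ("PSK", "ADH", "AECDH") that apply to a suite name."""
    return {label for label, rx in PATTERNS.items() if rx.search(suite)}

def build_block_list(suites):
    """Suites for the new cipher suites list: every PSK or ADH suite."""
    return sorted(s for s in set(suites) if classify(s) & {"PSK", "ADH"})

def affected_servers(flows, block_list):
    """Count observed flows per server that the Drop/Reject rule would stop."""
    blocked = set(block_list)
    return Counter(server for _client, server, suite in flows if suite in blocked)

# Constructed sample data: a suite inventory and observed outbound flows.
SUITES = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_PSK_WITH_AES_128_CBC_SHA",
    "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "ADH-AES256-SHA",
]
FLOWS = [
    ("10.0.0.5", "iot-gw.example.internal", "TLS_PSK_WITH_AES_128_CBC_SHA"),
    ("10.0.0.6", "iot-gw.example.internal", "TLS_PSK_WITH_AES_128_CBC_SHA"),
    ("10.0.0.7", "www.example.com", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("10.0.0.8", "legacy.example.internal", "TLS_DH_anon_WITH_AES_128_CBC_SHA"),
]

if __name__ == "__main__":
    block = build_block_list(SUITES)
    print("block list:", *block, sep="\n  ")
    print("flows the rule would stop:", dict(affected_servers(FLOWS, block)))
```

Servers that appear in the result are the applications to check before the rule goes into a production ruleset.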

CVE-2015-3195 can be remediated by ensuring that PKCS#7 and CMS content always come from a trusted source.

CVE-2015-3196 can be remediated in Reporter 9.5 by disabling PSK cipher suites for SSL connections.

By default ICSP, NNP, and NSP do not enable SSL/TLS cipher suites using PSK key exchange. Customers who do not enable these cipher suites prevent attacks against ICSP, NNP, and NSP using CVE-2015-3196.

By default XOS does not use SSL client connections and does not enable SSL/TLS cipher suites using PSK key exchange. Customers who do not change this default behavior prevent attacks against XOS using CVE-2015-3194 and CVE-2015-3196.

REFERENCES

OpenSSL Security Advisory - <https://openssl.org/news/secadv/20151203.txt>

REVISION

2020-04-19 Information about IntelligenceCenter and IntelligenceCenter Data Collector is not available. NetDialog NetX is a replacement product for IntelligenceCenter. Advisory status moved to Closed.
2019-10-02 Web Isolation is not vulnerable.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-30 A fix for the remaining CVEs in ProxySG 6.5 is available in 6.5.10.4.
2017-06-23 A fix for the remaining CVEs in ASG 6.6 will not be provided. Please upgrade to the latest version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable. SSLV 4.0 is not vulnerable. ProxySG 6.7 is not vulnerable because the fixes are available in 6.7.1.1. Fixes for the remaining CVEs in ProxySG 6.5 and 6.6 will not be provided. Please upgrade to the latest version with the vulnerability fixes. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-02-07 A fix for Android Mobile Agent is available in 1.3.8.
2016-11-29 A fix for Director is available in 6.1.22.1. PacketShaper S-Series 11.7 is not vulnerable. SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-22 MC 1.6 and 1.7 are not vulnerable.
2016-09-13 PacketShaper S-Series 11.2, 11.3, 11.4, and 11.5 are vulnerable. PacketShaper S-Series 11.6 is not vulnerable. A fix for PacketShaper S-Series 11.5 is available in 11.5.3.1. Fixes for PacketShaper S-Series 11.2, 11.3, and 11.4 will not be provided.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 Security Analytics 7.2 is not vulnerable.
2016-08-10 A fix for Unified Agent is available in 4.7.1.
2016-06-23 A fix for CVE-2015-3194 is available in 6.6.4.1. A fix for the other CVEs is not available at this time.
2016-06-21 A fix for CVE-2015-3194 in ProxySG 6.6 is available in 6.6.4.1. A fix for the other CVEs is not available at this time.
2016-06-16 PolicyCenter S-Series 1.1 is vulnerable to CVE-2015-3194. It also has vulnerable code for CVE-2015-3195 and CVE-2015-3196, but is not vulnerable to known vectors of attack. A fix is available in 1.1.2.1.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-18 Fixes are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-06 A fix for PacketShaper 9.2 is available in 9.2.13p1. A fix for PolicyCenter 9.2 is available in 9.2.13p1.
2016-05-02 It was previously reported that ProxyClient is not vulnerable. Further investigation has shown that ProxyClient 3.4 for Windows is vulnerable to CVE-2015-3195. A fix for ProxyClient will not be provided. Please upgrade to the latest version of Unified Agent with the vulnerability fix.
2016-04-24 Mail Threat Defense is not vulnerable.
2016-04-01 A fix for Reporter 10.1 is available in 10.1.4.1.
2016-03-14 A fix for CAS 1.3 is available in 1.3.6.1. A fix for MC 1.5 is available in 1.5.3.1.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8.
2016-03-04 A fix for Reporter 9.5 is available in 9.5.3.1.
2016-02-16 A fix for CVE-2015-3194 is available in ProxySG 6.5.9.2.
2016-02-12 MC 1.5 is vulnerable. A fix for MC 1.4 will not be provided. Please upgrade to the latest version with the vulnerability fixes.
2016-01-22 A fix is available for SSLV 3.9.
2016-01-19 A fix is available for ProxyAV.
2016-01-18 A patch is available for CacheFlow.
2015-12-21 CacheFlow, ProxyAV, Security Analytics and SSLV have vulnerable OpenSSL software for some CVEs listed in the Advisory Details section, but do not use the vulnerable functionality and are not known to be vulnerable. The vulnerable OpenSSL software will be patched in future releases.
2015-12-17 Client Connector has a vulnerable version of OpenSSL, but does not use the vulnerable code. A fix will not be provided - customers should upgrade to the latest version of Unified Agent with the vulnerability fix.
2015-12-16 Customers can use SSL Visibility to defend against attacks using CVE-2015-3196 and CVE-2015-1794.
2015-12-13 Reporter is vulnerable. CVE-2015-3194 in SSLV only affects SSL client connections.
2015-12-10 initial public release
