Symantec Security Response | SMNTC-1342
Jan 27, 2016 - 8:00 a.m.

SA109 : Multiple OpenSSH Vulnerabilities (January 2016)


CVSS3: 8.1 High

Metric | Value
Attack Vector | NETWORK
Attack Complexity | HIGH
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 5 Medium

Metric | Value
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | PARTIAL
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P

SUMMARY

Blue Coat products using affected 5.x and 6.x versions of OpenSSH are susceptible to multiple vulnerabilities. An attacker, with access to the management interface, may exploit these vulnerabilities to execute arbitrary code and obtain information from the target’s process memory. The attacker can also cause denial of service due to buffer overflows and illegal memory accesses.

AFFECTED PRODUCTS

The following products are vulnerable:

Director

CVE |Affected Version(s)|Remediation
CVE-2016-0777, CVE-2016-0778 | 6.1 | Upgrade to 6.1.22.1.

Malware Analysis Appliance (MAA)

CVE |Affected Version(s)|Remediation
CVE-2016-0777, CVE-2016-0778 | 4.2 | Upgrade to 4.2.8.

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
CVE-2016-0777, CVE-2016-0778 | 5.3 | Upgrade to 5.3.6.

Norman Shark Network Protection (NNP)

CVE |Affected Version(s)|Remediation
CVE-2016-0777, CVE-2016-0778 | 5.3 | Upgrade to 5.3.6.

Norman Shark SCADA Protection (NSP)

CVE |Affected Version(s)|Remediation
CVE-2016-0777, CVE-2016-0778 | 5.3 | Upgrade to 5.3.6.

Security Analytics

CVE |Affected Version(s)|Remediation
CVE-2016-0777, CVE-2016-0778 | 7.2 and later | Not vulnerable, fixed in 7.2.1
CVE-2016-0777, CVE-2016-0778 | 7.1 | Upgrade to 7.1.11.
CVE-2016-0777, CVE-2016-0778 | 7.0 | Upgrade to later release with fixes.
CVE-2016-0777, CVE-2016-0778 | 6.6 | Upgrade to 6.6.12.

The following products contain a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
CVE-2016-0777, CVE-2016-0778 | 3.10 and later | Not vulnerable, fixed in 3.10.1.1
CVE-2016-0777, CVE-2016-0778 | 3.9 | Upgrade to 3.9.3.1.
CVE-2016-0777, CVE-2016-0778 | 3.8.4FC | Upgrade to 3.8.4FC-55.
CVE-2016-0777, CVE-2016-0778 | 3.8 | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Blue Coat products do not enable or use all functionality within OpenSSH. Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE. However, fixes for those CVEs will be included in the patches that are provided. The following products include vulnerable versions of OpenSSH, but do not use the functionality described in the CVEs and are not known to be vulnerable.

  • SSLV: CVE-2016-0777 and CVE-2016-0778

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Unified Agent
X-Series XOS

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2016-0777

Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
References | SecurityFocus: BID 80695 / NVD: CVE-2016-0777
Impact | Information disclosure
Description | A buffer overread flaw that allows a remote attacker to obtain information stored in the target process memory.

CVE-2016-0778

Severity / CVSSv2 | Medium / 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
References | SecurityFocus: BID 80698 / NVD: CVE-2016-0778
Impact | Denial of service, code execution
Description | A buffer overflow flaw in the SSH client that allows a remote attacker to execute arbitrary code or cause denial of service.

CVE-2016-1907

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 81293 / NVD: CVE-2016-1907
Impact | Denial of service
Description | An out-of-bounds read flaw that allows a remote attacker to send crafted messages and cause an application crash, resulting in denial of service.

MITIGATION

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

REFERENCES

OpenSSH security announcements - <https://www.openssh.com/security.html>

REVISION

2017-02-16 Previously, it was reported that Security Analytics by default is not vulnerable to CVE-2016-0777 and CVE-2016-0778 because it does not act as an SSH client. Further investigation has shown that Security Analytics acts as an SSH client and is vulnerable to both CVEs by default.
2016-11-29 A fix for Director is available in 6.1.22.1. SSLV 3.11 is not vulnerable. Customers should contact Digital Guardian regarding vulnerability information for DLP. SA status moved to Final.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 Security Analytics 7.2 is not vulnerable.
2016-06-16 PS S-Series, PC S-Series, and Reporter are not vulnerable.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-18 Fixes are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-24 Mail Threat Defense is not vulnerable.
2016-03-17 A fix for SSLV 3.8 is available in 3.8.6-14. Clarified that SSLV 3.9 prior to 3.9.3.1 has a vulnerable version of OpenSSH.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8.
2016-01-27 Initial public release.
