Symantec Security Response, SMNTC-1348
Feb 19, 2016 - 8:00 a.m.

SA114 : GNU C Library (glibc) Remote Code Execution February 2016


CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

SUMMARY

Blue Coat products using an affected version of the GNU C Library (glibc) are susceptible to a remote execution attack. A remote attacker can send a crafted DNS response to the glibc DNS resolver and cause the resolver to crash or execute arbitrary code.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
All CVEs | 6.6 | Upgrade to 6.6.4.1.

Content Analysis System (CAS)

CVE |Affected Version(s)|Remediation
All CVEs | 1.3 | Upgrade to 1.3.6.1.

Malware Analysis Appliance (MAA)

CVE |Affected Version(s)|Remediation
All CVEs | 4.2 | Upgrade to 4.2.8.

Management Center (MC)

CVE |Affected Version(s)|Remediation
All CVEs | 1.6 and later | Not vulnerable, fixed in 1.6.1.1
All CVEs | 1.5 | Upgrade to 1.5.3.1.

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | Upgrade to 5.3.6.

Norman Shark Network Protection (NNP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | Upgrade to 5.3.6.

Norman Shark SCADA Protection (NSP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | Upgrade to 5.3.6.

PacketShaper (PS) S-Series

CVE |Affected Version(s)|Remediation
All CVEs | 11.6 and later | Not vulnerable, fixed in 11.6.1.1
All CVEs | 11.5 | Upgrade to 11.5.3.1.
All CVEs | 11.2, 11.3, 11.4 | Upgrade to later release with fixes.

PolicyCenter (PC) S-Series

CVE |Affected Version(s)|Remediation
All CVEs | 1.1 | Upgrade to 1.1.2.1.

Reporter

CVE |Affected Version(s)|Remediation
All CVEs | 10.1 | Upgrade to 10.1.4.1.
All CVEs | 9.4, 9.5 | Not vulnerable

Security Analytics

CVE |Affected Version(s)|Remediation
All CVEs | 7.2 | Not vulnerable, fixed in 7.2.1
All CVEs | 7.1 | Upgrade to 7.1.11.
All CVEs | 7.0 | Upgrade to later release with fixes.
All CVEs | 6.6 | Upgrade to 6.6.12.

SSL Visibility

CVE |Affected Version(s)|Remediation
All CVEs | 3.9 | Upgrade to 3.9.3.3.
All CVEs | 3.8.4FC | Upgrade to 3.8.4FC-55.
All CVEs | 3.8 | Upgrade to 3.8.6-14.

X-Series XOS

CVE |Affected Version(s)|Remediation
All CVEs | 11.0 | Upgrade to 11.0.2.
All CVEs | 10.0 | Upgrade to 10.0.6.
All CVEs | 9.7 | Not vulnerable

ADDITIONAL PRODUCT INFORMATION

Blue Coat products that use a native installation of glibc but do not install or maintain that implementation are not vulnerable. However, the underlying platform that provides the glibc library may be vulnerable. Blue Coat urges its customers to update the versions of glibc that are natively installed for Client Connector, ProxyClient, and Reporter 9.x for Linux.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Transfer Defense
PacketShaper
PolicyCenter
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

The stack-based buffer overflow exists in the glibc client DNS resolver implementation (libresolv) when invoked from the libnss_dns module. The buffer overflow occurs in the libnss_dns send_dg() and send_vc() functions when a userspace application resolves a DNS name by calling getaddrinfo() with the AF_UNSPEC parameter. The AF_UNSPEC parameter does not tell the resolver whether to resolve the DNS name to an IPv4 or IPv6 address, so the resolver sends both type A (IPv4) and AAAA (IPv6) DNS queries in parallel. A mismanagement of the buffers allocated for the queries may cause an oversized response of a DNS query to be written beyond the bounds of the query's buffer.

A remote attacker can exploit this vulnerability by sending a crafted, oversized DNS response to the DNS resolver. The resolver will crash or execute arbitrary code with the access privileges of the application requesting the DNS name resolution. If the application runs with root privileges, the remote attacker will gain root access and have complete control of the target.

CVE-2015-7547

Severity / CVSSv2 | High / 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
References | SecurityFocus: BID 83265 / NVD: CVE-2015-7547
Impact | Denial of service, code execution
Description | A stack-based buffer overflow in the client DNS resolver allows a remote attacker to send a crafted DNS response and cause an application crash or execute arbitrary code.

MITIGATION

Blue Coat's ProxySG appliance can be used to protect against the glibc remote code execution attack. Customers using ProxySG as a reverse proxy can protect network hosts by blocking the oversized DNS responses that trigger the stack-based buffer overflow. DNS responses over TCP should be limited to 1024 bytes and DNS responses over UDP should be limited to 512 bytes. ProxySG 6.5 and 6.6 customers can use the following CPL syntax:

<dns-proxy>
dns.request.threat_risk.level=7.. dns.respond(refused)

<dns-proxy> dns.client_transport=tcp
dns.response.cname.length=1024.. dns.respond(refused)
dns.response.ptr.length=1024.. dns.respond(refused)

<dns-proxy> dns.client_transport=udp
dns.response.cname.length=512.. dns.respond(refused)
dns.response.ptr.length=512.. dns.respond(refused)
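
The size limits stated above can also be checked offline against captured DNS traffic. The following is an added example, not Blue Coat code and not part of the original advisory: it flags responses whose total message size exceeds 512 bytes over UDP or 1024 bytes over TCP, which follows the prose limits rather than the per-record CNAME/PTR lengths used in the CPL. The helpers sample() and tcp_frame() are hypothetical and only build constructed test input.

```python
import struct

# Size limits from the advisory's mitigation text, in bytes.
LIMITS = {"udp": 512, "tcp": 1024}

def dns_messages(transport, payload):
    """Split one UDP datagram or one TCP byte stream into DNS messages."""
    if transport == "udp":
        return [payload]
    messages, pos = [], 0
    while pos + 2 <= len(payload):
        # DNS over TCP prefixes every message with a 2-byte length.
        (length,) = struct.unpack_from("!H", payload, pos)
        msg = payload[pos + 2:pos + 2 + length]
        if len(msg) < length:
            break  # capture ends mid-message: stop rather than guess
        messages.append(msg)
        pos += 2 + length
    return messages

def oversized_responses(transport, payload):
    """Return (transaction id, size) for each response above the limit."""
    findings = []
    for msg in dns_messages(transport, payload):
        if len(msg) < 12:
            continue  # shorter than the fixed DNS header
        txid, flags = struct.unpack_from("!HH", msg, 0)
        if flags & 0x8000 and len(msg) > LIMITS[transport]:  # QR bit set
            findings.append((txid, len(msg)))
    return findings

def sample(txid, size, response=True):
    """Constructed message: a DNS header padded with zeros, no real records."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)
    return header + b"\x00" * (size - len(header))

def tcp_frame(*messages):
    """Constructed TCP stream: each message behind its length prefix."""
    return b"".join(struct.pack("!H", len(m)) + m for m in messages)

if __name__ == "__main__":
    print(oversized_responses("udp", sample(0x1111, 120)))
    print(oversized_responses("udp", sample(0x2222, 2048)))
    print(oversized_responses("tcp", tcp_frame(sample(0x3333, 900),
                                               sample(0x4444, 2048))))
```

UDP responses larger than 512 bytes are legitimate when the client negotiated EDNS0, so hits from this check are candidates for review, not proof of an exploitation attempt.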

REFERENCES

Google Security Team announcement and analysis - <https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>

REVISION

2017-02-07 MC 1.8 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. SA status moved to Final.
2016-12-04 SSLV 3.11 is not vulnerable. PacketShaper S-Series 11.7 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-10-26 MC 1.6 and 1.7 are not vulnerable.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 Security Analytics 7.2 is not vulnerable.
2016-07-16 A fix for XOS 10.0 is available in 10.0.6. A fix for XOS 11.0 is available in 11.0.2.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4. Please upgrade to a later version with the vulnerability fixes.
2016-06-23 A fix for ASG is available in 6.6.4.1.
2016-06-14 A fix for SA 7.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-19 Fixes are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-28 A fix for PacketShaper S-Series 11.5 is available in 11.5.3.1. A fix for PolicyCenter S-Series is available in 1.1.2.1.
2016-04-24 Mail Transfer Defense is not vulnerable.
2016-04-15 A fix will not be provided for CAS 1.2. Please upgrade to a later version with the vulnerability fixes.
2016-04-01 A fix for Reporter 10.1 is available in 10.1.4.1.
2016-03-23 XOS 9.7 is not vulnerable.
2016-03-17 A fix for SSLV 3.8 is available in 3.8.6-14.
2016-03-14 Fixes are available for CAS 1.3 in 1.3.6.1 and for MC 1.5 in 1.5.3.1.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8
2016-03-04 A fix for SSLV 3.9 is available in 3.9.3.3.
2016-02-29 Added CVSS v2 score
2016-02-19 initial public release
