Symantec Security Response, SMNTC-1349
Feb 25, 2016 - 8:00 a.m.

SA112 : Linux Kernel Keyring Privilege Escalation


CVSS3: 7.8 High (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Metric | Value
Attack Vector | LOCAL
Attack Complexity | LOW
Privileges Required | LOW
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Metric | Value
Access Vector | LOCAL
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | COMPLETE
Integrity Impact | COMPLETE
Availability Impact | COMPLETE

SUMMARY

Blue Coat products that include affected versions of the Linux kernel and provide means for executing arbitrary code are susceptible to a privilege escalation vulnerability. A malicious local unprivileged user can exploit this vulnerability to escalate their privileges on the system or cause denial of service.

AFFECTED PRODUCTS

Malware Analysis (MA)

CVE |Affected Version(s)|Remediation
CVE-2016-0728 | 4.2 | Upgrade to 4.2.9.

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
CVE-2016-0728 | 5.4 | Not vulnerable, fixed in 5.4.1
CVE-2016-0728 | 5.3 | Upgrade to 5.3.6.

Norman Shark Network Protection (NNP)

CVE |Affected Version(s)|Remediation
CVE-2016-0728 | 5.3 | Upgrade to 5.3.6.

Norman Shark SCADA Protection (NSP)

CVE |Affected Version(s)|Remediation
CVE-2016-0728 | 5.3 | Upgrade to 5.3.6.

The following products have a vulnerable version of the Linux kernel, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
CVE-2016-0728 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2016-0728 | 6.6 | Upgrade to 6.6.5.1.

Content Analysis System (CAS)

CVE |Affected Version(s)|Remediation
CVE-2016-0728 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
CVE-2016-0728 | 1.3 | Upgrade to 1.3.7.1.
CVE-2016-0728 | 1.2 | Upgrade to later releases with fixes.

Mail Threat Defense (MTD)

CVE |Affected Version(s)|Remediation
CVE-2016-0728 | 1.1 | Not available at this time

Management Center (MC)

CVE |Affected Version(s)|Remediation
CVE-2016-0728 | 1.7 and later | Not vulnerable, fixed in 1.7.1.2.
CVE-2016-0728 | 1.6 | Upgrade to later releases with fixes.
CVE-2016-0728 | 1.5 | Upgrade to later releases with fixes.

Reporter

CVE |Affected Version(s)|Remediation
CVE-2016-0728 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2016-0728 | 10.1 | Upgrade to 10.1.4.2.

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
CVE-2016-0728 | 3.10 and later | Not vulnerable, fixed in 3.10.1.1
CVE-2016-0728 | 3.9 | Upgrade to 3.9.4.1.
CVE-2016-0728 | 3.8.4FC | Upgrade to later releases with fixes.
CVE-2016-0728 | 3.8 | Upgrade to later releases with fixes.

ADDITIONAL PRODUCT INFORMATION

A Blue Coat product does not need to use the Linux keyring facility in order to be vulnerable. A malicious local unprivileged user can execute arbitrary code that uses the keyctl() system call to exploit the vulnerability and gain escalated privileges on the system or cause denial of service. A remote attacker has to either have shell access on the target system, or force the target system to execute arbitrary code to exploit this vulnerability.

Blue Coat products that use a native installation of the Linux kernel but do not install or maintain the kernel are not vulnerable to this attack. However, the underlying platform that installs and maintains the Linux kernel may be vulnerable. Blue Coat urges our customers to update the versions of the Linux kernel that are natively installed for Client Connector, ProxyClient, and Reporter 9.x for Linux.

Blue Coat products that do not provide Linux shell access and do not execute arbitrary code from untrusted sources are not known to be vulnerable to this attack. However, vulnerability fixes will be included in the patches that are provided. The following products include vulnerable versions of the Linux kernel, but do not provide Linux shell access, do not execute arbitrary code from untrusted sources, and are not known to be vulnerable:

  • ASG
  • CAS
  • MTD
  • MC
  • Reporter 10.1
  • SSLV

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Security Analytics
Unified Agent
Web Isolation
X-Series XOS

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

This Security Advisory addresses a privilege escalation vulnerability in the Linux kernel (CVE-2016-0728). A malicious local unprivileged user can exploit a reference leak and use-after-free flaw in the Linux kernel keyring facility. The malicious user can exploit the leaked keyring reference to cause the Linux kernel to execute arbitrary code, resulting in privilege escalation or denial of service.

The Linux kernel keyring facility is a mechanism for Linux drivers to cache authentication keys, encryption keys, and other security-related objects in the Linux kernel. Linux provides a system call interface, including a keyctl() system call, for userspace applications to manage the kernel objects and also use the keyring facility for their own purposes.
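One way to watch for unprivileged use of the keyring system calls described above, shown as an added example that is not part of the original advisory. It assumes auditd is logging `add_key`, `request_key` and `keyctl` on x86_64; the audit rule, the sample records, the UID cutoff and the threshold are all constructed for illustration.

```python
import re
from collections import Counter

# x86_64 syscall numbers of the kernel keyring interface.
KEYRING_SYSCALLS = {"248": "add_key", "249": "request_key", "250": "keyctl"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed auditd SYSCALL records (not from a real system), in the shape an
# assumed rule such as
#   -a always,exit -F arch=b64 -S add_key -S request_key -S keyctl -k keyring
# would log. syscall=257 (openat) is included as unrelated noise.
_REC = ('type=SYSCALL msg=audit(1456387200.{seq}:{seq}): arch=c000003e '
        'syscall={nr} success=yes exit=0 a0=0 items=0 ppid=811 pid={pid} '
        'auid={uid} uid={uid} comm="sample" exe="{exe}" key="keyring"')
SAMPLE_LOG = "\n".join([
    _REC.format(seq=410, nr=250, pid=902, uid=1001, exe="/tmp/sample"),
    _REC.format(seq=411, nr=250, pid=902, uid=1001, exe="/tmp/sample"),
    _REC.format(seq=412, nr=257, pid=902, uid=1001, exe="/tmp/sample"),
    _REC.format(seq=413, nr=250, pid=902, uid=1001, exe="/tmp/sample"),
    _REC.format(seq=414, nr=248, pid=640, uid=0, exe="/usr/sbin/daemon"),
])


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def keyring_callers(log_text, min_uid=1000, threshold=3):
    """Return {(uid, pid, exe): count} for unprivileged processes that made
    at least `threshold` keyring syscalls (both limits are assumptions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue  # only x86_64 syscall records carry these numbers
        if rec.get("syscall") not in KEYRING_SYSCALLS:
            continue
        if int(rec.get("uid", "0")) < min_uid:
            continue  # system accounts are out of scope for this check
        key = (rec["uid"], rec.get("pid", "?"), rec.get("exe", "?"))
        counts[key] += 1
    return {who: n for who, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (uid, pid, exe), n in keyring_callers(SAMPLE_LOG).items():
        print(f"uid={uid} pid={pid} exe={exe}: {n} keyring syscalls")
```

On hosts where login sessions or Kerberos tooling use keyrings legitimately, the threshold and any executable allow-list need tuning before the output is useful as an alert.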

CVE-2016-0728

Severity / CVSSv2 | High / 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
References | SecurityFocus: BID 81054 / NVD: CVE-2016-0728
Impact | Privilege escalation
Description | Blue Coat products that include affected versions of the Linux kernel and provide means for executing arbitrary code are susceptible to a privilege escalation vulnerability.

REFERENCES

Analysis and Exploitation of a Linux Kernel Vulnerability (from Perception Point) - <https://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/>

REVISION

2020-04-20 Advisory status moved to Closed.
2019-10-03 Web Isolation is not vulnerable.
2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-06 ASG 6.7 is not vulnerable.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable. ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-04 A fix for ASG is available in 6.6.5.1. A fix for Reporter 10.1 is available in 10.1.4.2.
2016-10-25 MC 1.6 has a vulnerable version of the Linux kernel, but is not vulnerable to known vectors of attack. MC 1.7 is not vulnerable because it contains the vulnerability fix.
2016-08-12 A fix for CAS 1.3 is available in 1.3.7.1.
2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-06-03 A fix for MAA is available in 4.2.9.
2016-05-12 A fix for SSLV 3.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-25 MTD 1.1 has a vulnerable version of the Linux kernel, but is not vulnerable to known vectors of attack.
2016-04-15 A fix will not be provided for CAS 1.2. Please upgrade to a later version with the vulnerability fixes.
2016-02-25 initial public release
