Symantec Security Response, SMNTC-1355
Mar 22, 2016 - 8:00 a.m.

SA119 : Multiple NSS Vulnerabilities


CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

SUMMARY

Blue Coat products that include affected versions of NSS are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to trigger arbitrary code execution. The attacker can also cause denial of service through application crashes and memory corruption.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
All CVEs | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2015-7181, CVE-2015-7182, CVE-2015-7183 | 6.6 | Upgrade to 6.6.4.1.
CVE-2016-1950 | 6.6 | Upgrade to 6.6.5.1.

Content Analysis System (CAS)

CVE |Affected Version(s)|Remediation
All CVEs | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
CVE-2015-7181, CVE-2015-7182, CVE-2015-7183 | 1.3 | Upgrade to 1.3.6.1.
CVE-2016-1950 | 1.3 | Upgrade to 1.3.7.1.
All CVEs | 1.2 | Upgrade to later release with fixes.

Director

CVE |Affected Version(s)|Remediation
CVE-2016-1950 | 6.1 | Upgrade to 6.1.22.1.

Mail Threat Defense (MTD)

CVE |Affected Version(s)|Remediation
CVE-2016-1950 | 1.1 | Not available at this time

PacketShaper (PS) S-Series

CVE |Affected Version(s)|Remediation
All CVEs | 11.6 and later | Not vulnerable, fixed in 11.6.1.1
All CVEs | 11.5 | Upgrade to 11.5.3.1.
All CVEs | 11.2, 11.3, 11.4 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.

PolicyCenter (PC) S-Series

CVE |Affected Version(s)|Remediation
All CVEs | 1.1 | Upgrade to 1.1.2.1.

Reporter

CVE |Affected Version(s)|Remediation
All CVEs | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
All CVEs | 10.1 | Upgrade to 10.1.4.2.
All CVEs | 9.4, 9.5 | Not vulnerable

Security Analytics (SA)

CVE |Affected Version(s)|Remediation
All CVEs | 7.2 and later | Not vulnerable, fixed in 7.2.1
CVE-2015-7181, CVE-2015-7182 | 7.1 | Upgrade to 7.1.11.
CVE-2015-7181, CVE-2015-7182 | 7.0 | Upgrade to later release with fixes.
CVE-2015-7181, CVE-2015-7182 | 6.6 | Upgrade to 6.6.12.
CVE-2015-7183, CVE-2016-1950 | 7.1 | Apply RPM patch from customer support.
CVE-2015-7183, CVE-2016-1950 | 7.0 | Upgrade to later release with fixes.
CVE-2015-7183, CVE-2016-1950 | 6.6 | Apply RPM patch from customer support.

X-Series XOS

CVE |Affected Version(s)|Remediation
All CVEs | 11.0 | Upgrade to 11.0.2
All CVEs | 10.0 | Upgrade to 10.0.6.
All CVEs | 9.7 | Upgrade to later release with fixes.

The following products contain a vulnerable version of NSS, but are not vulnerable to known vectors of attack:

Management Center (MC)

CVE |Affected Version(s)|Remediation
All CVEs | 1.6 and later | Not vulnerable, fixed in 1.6.1.1
All CVEs | 1.5 | Upgrade to later release with fixes.
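
The fix versions in the tables above can be checked against an appliance inventory. The following is an added example, not part of the advisory or any vendor tooling: it covers only the ASG 6.6, CAS 1.3 and Director 6.1 rows, and the hostnames, installed versions and function names are constructed for illustration.

```python
# Fix versions copied from the advisory's tables for three branches only;
# other products and branches are deliberately left out of this sketch.
NSS_2015 = ("CVE-2015-7181", "CVE-2015-7182", "CVE-2015-7183")
FIXED_IN = {
    ("ASG", "6.6"): {**dict.fromkeys(NSS_2015, "6.6.4.1"), "CVE-2016-1950": "6.6.5.1"},
    ("CAS", "1.3"): {**dict.fromkeys(NSS_2015, "1.3.6.1"), "CVE-2016-1950": "1.3.7.1"},
    ("Director", "6.1"): {"CVE-2016-1950": "6.1.22.1"},
}

def parse_version(text):
    """Turn '6.6.4.1' into (6, 6, 4, 1) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def unfixed_cves(product, version):
    """Return CVEs still open for this build, or None if the branch is not in FIXED_IN."""
    installed = parse_version(version)
    branch = ".".join(str(n) for n in installed[:2])
    fixes = FIXED_IN.get((product, branch))
    if fixes is None:
        return None  # not covered here: read the advisory table for that product
    return sorted(cve for cve, fixed in fixes.items() if installed < parse_version(fixed))

def triage(inventory):
    """Map each (host, product, version) row to its open CVEs."""
    return {host: unfixed_cves(product, version) for host, product, version in inventory}

# Constructed inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    ("asg-edge-1", "ASG", "6.6.4.1"),     # has the 2015 fixes, not the 2016 one
    ("asg-edge-2", "ASG", "6.6.10.2"),    # 10 > 5 numerically; a string compare gets this wrong
    ("cas-lab", "CAS", "1.3.5.9"),
    ("dir-mgmt", "Director", "6.1.9.1"),
    ("ps-branch", "PacketShaper", "11.5.2.0"),
]

if __name__ == "__main__":
    for host, open_cves in triage(SAMPLE_INVENTORY).items():
        print(host, "not in table" if open_cves is None else open_cves or "patched")
```

A `None` result means the branch is outside this sketch's table, not that the build is safe.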

ADDITIONAL PRODUCT INFORMATION

Blue Coat products may act as both client and server in SSL/TLS connections, and may use application functionality for cryptographic operations. Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services. Products should be considered vulnerable in all interfaces that provide SSL/TLS connections for data and management interfaces unless the CVE is specific to SSL/TLS client or server functionality (as noted in the descriptions above) or unless otherwise stated below:

  • PacketShaper S-Series 11.5: all CVEs affect connections to PolicyCenter S-Series appliances.
  • PolicyCenter S-Series: all CVEs affect management connections.
  • Security Analytics: all CVEs affect connections to Blue Coat, connections between a Central Manager and Sensors, and downloads of favorites (commonly used filters).

Some Blue Coat products do not enable or use all functionality within NSS. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • MC: CVE-2016-1950
  • PS S-Series 11.2, 11.3, and 11.4: CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, and CVE-2016-1950

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
SSL Visibility
Unified Agent
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP

Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

This Security Advisory addresses multiple NSS vulnerabilities announced in November 2015 and March 2016. Blue Coat products that include a vulnerable version of NSS and make use of the vulnerable functionality are vulnerable.

  • CVE-2015-7181 is a use-after-poison flaw in the ASN.1 decoder that allows a remote attacker to send crafted OCTET STRING data and cause arbitrary code execution or denial of service through application crashes.
  • CVE-2015-7182 is a heap-based buffer overflow in the ASN.1 decoder that allows a remote attacker to send crafted OCTET STRING data and cause arbitrary code execution or denial of service through application crashes.
  • CVE-2015-7183 is an integer overflow in the NSPR component of NSS that allows a remote attacker to cause arbitrary code execution or denial of service through memory corruption or application crashes.
  • CVE-2016-1950 is a heap-based buffer overflow in the ASN.1 decoder that allows a remote attacker to send crafted X.509 certificates and cause arbitrary code execution or denial of service through application crashes.

CVE-2015-7181

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 77416 / NVD: CVE-2015-7181
Impact | Code Execution, Denial of service
Description | The attacker can cause arbitrary code execution or denial of service through application crashes.

CVE-2015-7182

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 77416 / NVD: CVE-2015-7182
Impact | Code Execution, Denial of service
Description | The attacker can cause arbitrary code execution or denial of service through application crashes.

CVE-2015-7183

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 77415 / NVD: CVE-2015-7183
Impact | Code Execution, Denial of service
Description | The attacker can cause arbitrary code execution or denial of service through application crashes.

CVE-2016-1950

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 84223 / NVD: CVE-2016-1950
Impact | Code Execution, Denial of service
Description | The attacker can cause arbitrary code execution or denial of service through application crashes.

REFERENCES

Mozilla Foundation Security Advisory 2015-133 - <https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/>
Mozilla Foundation Security Advisory 2016-35 - <https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/>

REVISION

2020-04-25 Reporter 10.1 is vulnerable and a fix is available in 10.1.4.2. Reporter 10.2 and later releases are not vulnerable because a fix is available in 10.2.1.1. Advisory status changed to Closed.
2019-10-02 Web Isolation is not vulnerable.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-18 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable. Intelligence Center and Intelligence Center Data Collector are not vulnerable.
2016-11-29 A fix for Director is available in 6.1.22.1. PacketShaper S-Series 11.7 is not vulnerable. Customers should contact Digital Guardian regarding vulnerability information for DLP.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-10-26 A fix for ASG is available in 6.6.5.1. A fix for MC is available in 1.6.1.1. MC 1.7 is not vulnerable. A fix will not be provided for MC 1.5.
2016-08-12 A fix for CAS 1.3 is available in 1.3.7.1. Security Analytics 7.2 is not vulnerable.
2016-07-16 A fix for XOS 10.0 is available in 10.0.6. A fix for XOS 11.0 is available in 11.0.2.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4. Please upgrade to a later version with the vulnerability fixes.
2016-06-23 A fix for CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183 in ASG is available in 6.6.4.1.
2016-06-13 A fix for SA 7.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-09 Fixes for CVE-2015-7181 and CVE-2015-7182 are available in SA 6.6.12 and 7.1.11. Fixes for CVE-2015-7183 and CVE-2016-1950 are available for SA 6.6 and 7.1 through patch RPMs from customer support.
2016-04-28 Fixes are available in PS S-Series 11.5.3.1 and PC S-Series 1.1.2.1.
2016-04-25 MTD 1.1 is vulnerable to CVE-2016-1950.
2016-04-15 A fix will not be provided for CAS 1.2. Please upgrade to a later version with the vulnerability fixes.
2016-03-22 initial public release
