Symantec Security Response, SMNTC-1361
Apr 28, 2016 - 8:00 a.m.

SA121 : OpenSSH Shell Command Restriction Bypass


CVSS3 | 6.4 Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Metric | Value
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | LOW
User Interaction | NONE
Scope | CHANGED
Confidentiality Impact | LOW
Integrity Impact | LOW
Availability Impact | NONE

CVSS2 | 5.5 Medium | AV:N/AC:L/Au:S/C:P/I:P/A:N

Metric | Value
Access Vector | NETWORK
Access Complexity | LOW
Authentication | SINGLE
Confidentiality Impact | PARTIAL
Integrity Impact | PARTIAL
Availability Impact | NONE

SUMMARY

Blue Coat products that include vulnerable versions of OpenSSH and enable X11 forwarding are susceptible to a command injection vulnerability due to insufficient input data sanitization. An authenticated remote attacker can exploit this vulnerability to bypass intended command restrictions enforced by a restricted shell or the target’s SSH configuration. The attacker can also execute arbitrary commands.

AFFECTED PRODUCTS

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 5.4 and later | Not vulnerable, fixed in 5.4.1
CVE-2016-3115 | 5.3 | Upgrade to 5.3.6.

Norman Shark Network Protection (NNP)

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 5.3 | Upgrade to 5.3.6.

Norman Shark SCADA Protection (NSP)

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 5.3 | Upgrade to 5.3.6.

The following products contain a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1.
CVE-2016-3115 | 6.6 | Upgrade to 6.6.5.1.

Content Analysis System (CAS)

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 2.1 and later | Not vulnerable
CVE-2016-3115 | 1.3 | Upgrade to 1.3.7.1.
CVE-2016-3115 | 1.2 | Upgrade to later releases with fixes.

Director

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 6.1 | Upgrade to 6.1.23.1.

Mail Threat Defense (MTD)

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 1.1 | Upgrade to 1.1.2.1.

Malware Analysis Appliance (MAA)

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 4.2 | Upgrade to 4.2.10.

Management Center (MC)

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1
CVE-2016-3115 | 1.5 | Upgrade to later releases with fixes.

PacketShaper (PS)

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 9.2 | Fixed in 9.2.13p7

PacketShaper (PS) S-Series

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 11.6 and later | Not vulnerable, fixed in 11.6.1.1
CVE-2016-3115 | 11.5 | Upgrade to 11.5.3.2.
CVE-2016-3115 | 11.2, 11.3, 11.4 | Upgrade to later releases with fixes.

PolicyCenter (PC) S-Series

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 1.1 | Upgrade to 1.1.2.2.

Reporter

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2016-3115 | 10.1 | Upgrade to 10.1.4.2.

Security Analytics

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 7.2 and later | Not vulnerable, fixed in 7.2.1
CVE-2016-3115 | 7.1 | Apply RPM patch from Blue Coat Support.
CVE-2016-3115 | 7.0 | Upgrade to later releases with fixes.
CVE-2016-3115 | 6.6 | Apply RPM patch from Blue Coat Support.

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 3.10 and later | Not vulnerable, fixed in 3.10.1.1
CVE-2016-3115 | 3.9 | Upgrade to 3.9.4.1.
CVE-2016-3115 | 3.8, 3.8.4FC | Upgrade to later releases with fixes.

X-Series XOS

CVE |Affected Version(s)|Remediation
CVE-2016-3115 | 11.0 | Not available at this time
CVE-2016-3115 | 10.0 | Upgrade to later release with fixes.
CVE-2016-3115 | 9.7 | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Blue Coat products do not enable or use all functionality within OpenSSH. The products listed below do not support X11 forwarding and are thus not known to be vulnerable. However, OpenSSH patches will be provided.

  • ASG
  • CAS
  • Director
  • MTD
  • MAA
  • MC
  • PacketShaper
  • PacketShaper S-Series
  • PolicyCenter S-Series
  • Reporter
  • Security Analytics
  • SSLV
  • XOS

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PolicyCenter
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

This Security Advisory addresses a shell command restriction bypass vulnerability when X11 forwarding is enabled in OpenSSH server (CVE-2016-3115). Blue Coat products that include a vulnerable version of OpenSSH and use the affected functionality are vulnerable.

When establishing an X11 forwarding session, the SSH client sends an X11 authentication credential to the SSH server. The credential consists of an authentication scheme and credential data. The SSH server passes the credential components as command line arguments to the xauth utility, which stores them in an X11 authorization file. Affected versions of OpenSSH do not sufficiently sanitize the credential components before invoking xauth with them. A remote attacker can exploit this vulnerability by acting as an SSH client and sending crafted credential components to inject arbitrary commands in xauth. The attacker can use xauth commands to read and overwrite arbitrary files, connect to local ports on the target, and perform attacks against xauth.
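The missing sanitization step described above can be illustrated with an allow-list check applied to both credential components before they are handed to xauth. This is an added example, not code from the advisory or from OpenSSH; the function names, the allowed character set and the sample inputs are assumptions of the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Allow-list check: letters, digits and a few punctuation characters only.
 * The exact allowed set is an assumption of this example. */
static int xauth_field_ok(const char *s)
{
    size_t i;

    if (s == NULL || s[0] == '\0')
        return 0;                       /* missing or empty field */
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != ':' && c != '/' &&
            c != '-' && c != '_')
            return 0;                   /* whitespace, newline, quotes, ... */
    }
    return 1;
}

/* Both the authentication scheme and the credential data must pass
 * before anything is passed on to xauth. */
int x11_credential_ok(const char *scheme, const char *data)
{
    return xauth_field_ok(scheme) && xauth_field_ok(data);
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[][2] = {
        { "MIT-MAGIC-COOKIE-1", "0123456789abcdef0123456789abcdef" },
        { "MIT-MAGIC-COOKIE-1", "0123abcd\nEXTRA-LINE" },
        { "MIT-MAGIC-COOKIE-1 extra", "0123abcd" },
        { "", "0123abcd" },
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %zu: %s\n", i,
               x11_credential_ok(samples[i][0], samples[i][1])
                   ? "accept" : "reject");
    return 0;
}
```

Rejecting the request outright, rather than stripping the offending characters, keeps a malformed credential from reaching xauth in any form.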

CVE-2016-3115

Severity / CVSSv2 | Medium / 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
References | SecurityFocus: BID 84314 / NVD: CVE-2016-3115
Impact | Security bypass
Description | An authenticated remote attacker can exploit this vulnerability to bypass intended command restrictions enforced by a restricted shell or the target’s SSH configuration.

REFERENCES

OpenSSH security advisory - <https://www.openssh.com/txt/x11fwd.adv>

REVISION

2020-04-21 Advisory status changes to Closed.
2019-10-02 Web Isolation is not vulnerable.
2018-07-01 A fix for PacketShaper 9.2 is available in 9.2.13p7.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-29 SSLV 4.0 is not vulnerable.
2017-05-18 CAS 2.1 is not vulnerable.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-12-04 PacketShaper S-Series 11.7 is not vulnerable.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-10-26 A fix for ASG is available in 6.6.5.1. A fix for MAA is available in 4.2.10. A fix for Reporter 10.1 is available in 10.1.4.2. A fix for MC 1.6 is available in 1.6.1.1. MC 1.7 is not vulnerable. A fix for MC 1.5 will not be provided.
2016-08-12 A fix for CAS 1.3 is available in 1.3.7.1. Security Analytics 7.2 is not vulnerable.
2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-24 A fix for PacketShaper S-Series is available in 11.5.3.2. A fix for PolicyCenter S-Series is available in 1.1.2.2.
2016-06-16 PS S-Series 11.2, 11.3, 11.4, and 11.5 have a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack. PC S-Series 1.1 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. Fixes are not available at this time.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-26 Fixes are available for Security Analytics 6.6 and 7.1 through patch RPMs from Blue Coat Support.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-28 initial public release
