Symantec Security Response | SMNTC-1368 | Jun 14, 2016 - 8:00 a.m.

SA126 : OpenSSH Vulnerabilities January/April 2016


CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

SUMMARY

Blue Coat products that include a vulnerable version of OpenSSH are susceptible to two vulnerabilities. A malicious user with local shell access can escalate their privileges and execute arbitrary code with root privileges. A remote attacker acting as an SSH server can establish trusted X11 connections to take screenshots and inject mouse movements and keypresses on an SSH client host.

AFFECTED PRODUCTS

The following products are vulnerable:

Director

CVE |Affected Version(s)|Remediation
CVE-2015-8325 | 6.1 | Upgrade to 6.1.23.1.

Malware Analysis Appliance (MAA)

CVE |Affected Version(s)|Remediation
CVE-2015-8325 | 4.2 | Upgrade to 4.2.10.

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.4 and later | Not vulnerable, fixed in 5.4.1
All CVEs | 5.3 | Upgrade to 5.3.6.

Norman Shark Network Protection (NNP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | Upgrade to 5.3.6.

Norman Shark SCADA Protection (NSP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | Upgrade to 5.3.6.

Security Analytics

CVE |Affected Version(s)|Remediation
All CVEs | 7.2 and later | Not vulnerable, fixed in 7.2.1
All CVEs | 7.1 | Apply patch RPM from customer support.
All CVEs | 7.0 | Upgrade to later release with fixes.
All CVEs | 6.6 | Apply patch RPM from customer support.

X-Series XOS

CVE |Affected Version(s)|Remediation
All CVEs | 11.0 | Not available at this time
All CVEs | 10.0 | Not available at this time
All CVEs | 9.7 | Upgrade to later release with fixes.

The following products contain a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
CVE-2015-8325 | 7.1 and later | Not vulnerable, fixed in 71.1.1
CVE-2015-8325 | 6.7 | Upgrade to 6.7.3.1.
CVE-2015-8325 | 6.6 | Upgrade to 6.6.5.8.
CVE-2016-1908 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2016-1908 | 6.6 | Upgrade to 6.6.5.1.

Content Analysis System (CAS)

CVE |Affected Version(s)|Remediation
CVE-2015-8325 | 2.2 and later | Not vulnerable, fixed in 2.2.1.1
CVE-2015-8325 | 2.1 | Upgrade to later release with fixes.
CVE-2015-8325 | 1.3 | Upgrade to 1.3.7.5.
CVE-2016-1908 | 1.3 | Upgrade to 1.3.7.1.

Mail Threat Defense (MTD)

CVE |Affected Version(s)|Remediation
All CVEs | 1.1 | Not available at this time

Management Center (MC)

CVE |Affected Version(s)|Remediation
CVE-2015-8325 | 1.10 and later | Not vulnerable, fixed in 1.10.1.1
CVE-2015-8325 | 1.5 - 1.9 | Upgrade to later release with fixes.
CVE-2016-1908 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1.
CVE-2016-1908 | 1.5 | Upgrade to later release with fixes.

PacketShaper (PS)

CVE |Affected Version(s)|Remediation
CVE-2015-8325 | 9.2 | Not vulnerable, fixed in 9.2.13p7

PacketShaper (PS) S-Series

CVE |Affected Version(s)|Remediation
CVE-2015-8325 | 11.9 and later | Not vulnerable, fixed in 11.9.1.1
CVE-2015-8325 | 11.7 - 11.8 | Upgrade to later release with fixes.
CVE-2015-8325 | 11.6 | Upgrade to 11.6.4.2.
CVE-2015-8325 | 11.5 | Upgrade to later release with fixes.
CVE-2016-1908 | 11.6 and later | Not vulnerable, fixed in 11.6.1.1
CVE-2016-1908 | 11.5 | Upgrade to later release with fixes.

PolicyCenter (PC) S-Series

CVE |Affected Version(s)|Remediation
CVE-2015-8325 | 1.1 | Upgrade to 1.1.4.2.
CVE-2016-1908 | 1.1 | Upgrade to 1.1.2.2.

Reporter

CVE |Affected Version(s)|Remediation
All CVEs | 10.2 | Not vulnerable, fixed in 10.2.1.1
All CVEs | 9.4, 9.5 | Not vulnerable
CVE-2015-8325 | 10.1 | Upgrade to 10.1.5.4.
CVE-2016-1908 | 10.1 | Upgrade to 10.1.4.2.

SSL Visibility

CVE |Affected Version(s)|Remediation
CVE-2015-8325 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1
CVE-2015-8325 | 4.0 | Upgrade to later release with fixes.
CVE-2015-8325 | 3.10 - 3.12 | Not vulnerable, fixed in 3.10.1.1
CVE-2016-1908 | 3.10 and later | Not vulnerable, fixed in 3.10.1.1
All CVEs | 3.9 | Upgrade to 3.9.4.1.
All CVEs | 3.8.4FC | Upgrade to 3.8.4FC-55.

ADDITIONAL PRODUCT INFORMATION

Some Blue Coat products do not enable or use all functionality within OpenSSH. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2015-8325 and CVE-2016-1908 (6.6 only)
  • CAS: CVE-2015-8325 and CVE-2016-1908 (1.x only)
  • Director: CVE-2016-1908
  • MTD: CVE-2015-8325 and CVE-2016-1908
  • MAA: CVE-2016-1908
  • MC: CVE-2015-8325 and CVE-2016-1908
  • PS: CVE-2015-8325
  • PS S-Series: CVE-2015-8325 and CVE-2016-1908
  • PC S-Series: CVE-2015-8325 and CVE-2016-1908
  • Reporter 10.1: CVE-2015-8325 and CVE-2016-1908
  • SSLV: CVE-2015-8325 and CVE-2016-1908 (3.x only)

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Communication Server
Cloud Data Protection Integration Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Unified Agent
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2015-8325

Severity / CVSSv2 | High / 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
References | SecurityFocus: BID 86187 / NVD: CVE-2015-8325
Impact | Privilege escalation
Description | A flaw in the SSH server implementation allows a local, non-root user with shell access to execute arbitrary code with root privileges. The vulnerability is only exploitable when the SSH server accepts user-provided environment variables and uses the ‘login’ tool to authenticate users.

CVE-2016-1908

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 84427 / NVD: CVE-2016-1908
Impact | Information disclosure, code execution
Description | A flaw in the SSH client implementation allows a remote attacker acting as a malicious SSH server to establish a trusted X11 connection with the SSH client when the client has requested only an untrusted connection. The trusted X11 connection allows the attacker to take screenshots and inject mouse movements and keypresses on the SSH client host.

MITIGATION

By default, Director, MAA, ICSP, NNP, and NSP do not use the ‘login’ tool for user authentication and do not use PAM to read user-provided environment variables. Customers who leave this default behavior unchanged prevent attacks against these products using CVE-2015-8325.

By default, Security Analytics does not use the ‘login’ tool for user authentication. Customers who leave this default behavior unchanged prevent attacks against Security Analytics using CVE-2015-8325.
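
A configuration check for the two CVE-2015-8325 preconditions named above, given as an added example rather than Symantec or Blue Coat code. It assumes the settings are expressed through the `UseLogin` keyword in sshd_config and the `user_readenv` option of pam_env.so; the function names and sample configurations are constructed for illustration.

```python
import re

def first_value(config_text, keyword):
    """First global value of an sshd_config keyword, or None if unset.
    Keywords are case-insensitive, the first value obtained wins, and a
    Match line ends the global section."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().strip('"')
    return None

def sshd_uses_login(sshd_config_text):
    # UseLogin is off unless explicitly set to "yes".
    value = first_value(sshd_config_text, "UseLogin")
    return value is not None and value.lower() == "yes"

def pam_reads_user_env(pam_text):
    # Assumption: an absent user_readenv option means "off"; confirm the
    # default of the PAM build actually shipped on the host.
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0]
        if "pam_env.so" in line and re.search(r"\buser_readenv=1\b", line):
            return True
    return False

def check_cve_2015_8325(sshd_config_text, pam_text):
    uses_login = sshd_uses_login(sshd_config_text)
    user_env = pam_reads_user_env(pam_text)
    return {"uses_login": uses_login, "user_env": user_env,
            "preconditions_met": uses_login and user_env}

# Constructed sample configurations (not taken from any product).
SSHD_RISKY = "Port 22\nuselogin yes\nUseLogin no\nMatch User backup\n  X11Forwarding no\n"
SSHD_DEFAULT = "Port 22\n#UseLogin no\nUsePAM yes\n"
PAM_RISKY = "session required pam_env.so user_readenv=1\n"
PAM_DEFAULT = "session required pam_env.so\n# session required pam_env.so user_readenv=1\n"

if __name__ == "__main__":
    for name, sshd, pam in [("risky", SSHD_RISKY, PAM_RISKY),
                            ("default", SSHD_DEFAULT, PAM_DEFAULT)]:
        print(name, check_cve_2015_8325(sshd, pam))
```

A result with `preconditions_met` set means the host has left the default behavior described in this section and should be prioritized for the listed upgrade.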

REVISION

2020-04-22 Advisory status moved to Closed.
2019-10-07 Web Isolation is not vulnerable.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-07-01 A fix for PacketShaper 9.2 is available in 9.2.13p7.
2018-04-26 A fix for CVE-2015-8325 in SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-23 A fix for CVE-2015-8325 in PolicyCenter S-Series 1.1 is available in 1.1.4.2.
2018-04-22 CAS 2.3 is not vulnerable. A fix for CVE-2015-8325 in PacketShaper S-Series 11.6 is available in 11.6.4.2. PacketShaper S-Series 11.10 is not vulnerable.
2018-01-31 A fix for ASG 6.7 is available in 6.7.3.1.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CAS 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of OpenSSH for CVE-2015-8325, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1.
2017-07-25 PS S-Series 11.9 is not vulnerable because a fix is available in 11.9.1.1.
2017-07-20 A fix for CVE-2015-8325 in MC 1.10 is available in 1.10.1.1. A fix for CVE-2015-8325 in MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fix.
2017-06-26 A fix for CVE-2015-8325 in ASG 6.6 is available in 6.6.5.8.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-22 A fix for CVE-2015-8325 in Reporter 10.1 is available in 10.1.5.4.
2017-06-05 PacketShaper S-Series 11.8 has a vulnerable version of OpenSSH for CVE-2015-8325, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-05-26 A fix for CVE-2015-8325 in CAS 1.3 is available in 1.3.7.5.
2017-05-18 CAS 2.1 has a vulnerable version of OpenSSH for CVE-2015-8325, but is not vulnerable to known vectors of attack.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-26 Added CVSS v2 score for CVE-2016-1908 and base score for Security Advisory.
2017-03-30 MC 1.8 and 1.9 have a vulnerable version of OpenSSH for CVE-2015-8325, but are not vulnerable to known vectors of attack.
2017-03-06 MC 1.8 is not vulnerable. SSLV 4.0 has a vulnerable version of OpenSSH for CVE-2015-8325, but is not vulnerable to known vectors of attack.
2017-02-16 Previously, it was reported that Security Analytics by default is not vulnerable to CVE-2016-1908 because it does not act as an SSH client. Further investigation has shown that Security Analytics acts as an SSH client and is vulnerable to CVE-2016-1908 by default.
2016-12-04 PacketShaper S-Series 11.7 has a vulnerable version of OpenSSH for CVE-2015-8325, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-06 It was previously reported that SA 7.2 is vulnerable to CVE-2015-8325. Further information indicates that SA 7.2 is not vulnerable because a fix is available in 7.2.1. Fixes for CVE-2015-8325 in Security Analytics 6.6 and 7.1 are available through patch RPMs from customer support.
2016-11-03 A fix for CVE-2015-8325 will not be provided for MC 1.6. Please upgrade to a later version with the vulnerability fixes.
2016-11-03 A fix for CVE-2016-1908 in ASG is available in 6.6.5.1. A fix for CVE-2016-1908 in MC 1.6 is available in 1.6.1.1. MC 1.6 and 1.7 have vulnerable code for CVE-2015-8325, but are not vulnerable to known vectors of attack. A fix for CVE-2016-1908 in Reporter 10.1 is available in 10.1.4.2. A fix for MAA is available in 4.2.10. A fix for SSLV 3.8.4FC is available in 3.8.4.FC-55.
2016-08-12 A fix for CVE-2016-1908 in CAS 1.3 is available in 1.3.7.1. Security Analytics 7.2 is vulnerable to CVE-2015-8325.
2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1.
2016-07-01 A fix for CVE-2016-1908 in Security Analytics 6.6 and 7.1 is available through a patch RPM from customer support.
2016-06-30 A fix for CVE-2016-1908 in PacketShaper S-Series 11.6 is available in 11.6.1.1.
2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4. Please upgrade to a later version with the vulnerability fixes.
2016-06-24 A fix for CVE-2016-1908 in PacketShaper S-Series 11.5 is available in 11.5.3.2. A fix for CVE-2016-1908 in PolicyCenter S-Series is available in 1.1.2.2.
2016-06-14 initial public release
