SA135 : OpenSSL Vulnerabilities 10-Nov-2016

SUMMARY

Blue Coat products using affected versions of OpenSSL are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to cause denial of service and obtain SSL/TLS session key information.

AFFECTED PRODUCTS

The following products are vulnerable:

Director

CVE |Affected Version(s)|Remediation
CVE-2016-7055 | 6.1 | Upgrade to 6.1.23.1.

Malware Analysis Appliance (MAA)

CVE |Affected Version(s)|Remediation
CVE-2016-7055 | 4.2 | Upgrade to 4.2.12.

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
CVE-2016-7055 | 5.4 and later | Not vulnerable, fixed in 5.4.1
5.3 | Upgrade to later release with fixes.

Norman Shark Network Protection (NNP)

CVE |Affected Version(s)|Remediation
CVE-2016-7055 | 5.3 | A fix will not be provided.

Norman Shark SCADA Protection (NSP)

CVE |Affected Version(s)|Remediation
CVE-2016-7055 | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
CVE-2016-7055 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1
4.0 | Upgrade to 4.0.2.1.
3.12 | Not vulnerable, fixed in 3.12.1.1
3.11 | Upgrade to 3.11.3.1.
3.10 | Upgrade to 3.10.4.1.
3.9 | Upgrade to later releases with fixes.
3.8.4FC | Upgrade to later releases with fixes.

Unified Agent (UA)

CVE |Affected Version(s)|Remediation
CVE-2016-7055 | 4.8 and later | Not vulnerable, fixed in 4.8.0
4.7 | Upgrade to later release with fixes.
4.6 | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Blue Coat products may act as both client and server in SSL/TLS connections. Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services. Products that are vulnerable to CVE-2016-7055 should be considered vulnerable in all interfaces that provide SSL/TLS client and server connections.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Reporter
Security Analytics
Web Isolation
X-Series XOS

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2016-7053

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 94244 / NVD: CVE-2016-7053 Impact| Denial of service Description | A flaw in CMS parsing allows a remote attacker to send invalid CMS data and cause denial of service through application crashes.

CVE-2016-7054

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 94238 / NVD: CVE-2016-7054 Impact| Denial of service Description | A flaw in the SSL/TLS client and server modules allows a remote attacker to send large amount of encrypted data and cause denial of service through application crashes.

CVE-2016-7055

Severity / CVSSv2 | Low / 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 94242 / NVD: CVE-2016-7055 Impact| Information disclosure Description | A flaw in Montgomery multiplication allows a remote attacker to compromise ECDH key negotiation in SSL/TLS connections that use Brainpool P-512 curves. The attacker may be able to obtain information about session keys computed during ECDH key negotiation.

REFERENCES

OpenSSL Security Advisory - <https://www.openssl.org/news/secadv/20161110.txt&gt;

REVISION

2020-04-28 A fix will not be provided for ICSP 5.3. Please upgrade to a later version with the vulnerability fixes. Advisory status changed to Closed.
2019-10-07 Web Isolation is not vulnerable.
2019-01-29 ICSP 5.4 is not vulnerable because a fix is provided in 5.4.1.
2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-07-27 A fix for MA 4.2 is available in 4.2.12.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-02-22 A fix for SSLV 3.10 is available in 3.10.4.1.
2018-01-11 Added NVD CVSS v2 scores. Adjusted advisory severity to Medium based on CVSS v2 scores.
2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-05-22 UA 4.8 is not vulnerable because a fix is available in 4.8.0.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-12 A fix for SSLV 3.11 is available in 3.11.3.1.
2017-03-30 A fix for SSLV 4.0 is available in 4.0.2.1.
2017-03-08 SSLV 4.0 is vulnerable to CVE-2016-7055.
2016-11-30 initial public release