Symantec Security Response, SMNTC-1389
Dec 08, 2016 - 8:00 a.m.

SA134 : Linux Kernel Vulnerabilities Oct/Nov 2016


CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Metric | Value
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Metric | Value
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | COMPLETE
Integrity Impact | COMPLETE
Availability Impact | COMPLETE

SUMMARY

Blue Coat products that include a vulnerable version of the Linux kernel are susceptible to several vulnerabilities. A remote attacker, with access to the management interface, can exploit these vulnerabilities to cause denial of service through system crashes or have unspecified other impact. A local attacker can also escalate their privileges on the system (aka Dirty COW).

AFFECTED PRODUCTS

The following products are vulnerable:

Content Analysis System (CAS)

CVE | Affected Version(s) | Remediation
CVE-2016-7039 | 2.2 and later | Not vulnerable, fixed in 2.2.1.1
CVE-2016-7039 | 2.1 | Upgrade to later release with fixes.
CVE-2016-7039 | 1.3 | Upgrade to 1.3.7.5.

Director

CVE | Affected Version(s) | Remediation
CVE-2016-5195, CVE-2016-9555 | 6.1 | Not available at this time

Malware Analysis Appliance (MAA)

CVE | Affected Version(s) | Remediation
CVE-2016-5195 | 4.2 | Upgrade to 4.2.11.
CVE-2016-7039, CVE-2016-8666, CVE-2016-9555 | 4.2 | Upgrade to 4.2.12.

Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
CVE-2016-7039 | 1.1 | Not available at this time

Management Center (MC)

CVE | Affected Version(s) | Remediation
CVE-2016-7039 | 1.9 and later | Not vulnerable, fixed in 1.9.1.1
CVE-2016-7039 | 1.8 | Upgrade to later release with fixes.
CVE-2016-7039 | 1.7 | Upgrade to later release with fixes.

Norman Shark Industrial Control System Protection (ICSP)

CVE | Affected Version(s) | Remediation
CVE-2016-5195, CVE-2016-8666, CVE-2016-9555 | 5.4 and later | Not vulnerable, fixed in 5.4.1
CVE-2016-5195, CVE-2016-8666, CVE-2016-9555 | 5.3 | Not available at this time

Norman Shark Network Protection (NNP)

CVE | Affected Version(s) | Remediation
CVE-2016-5195, CVE-2016-8666, CVE-2016-9555 | 5.3 | A fix will not be provided.

Norman Shark SCADA Protection (NSP)

CVE | Affected Version(s) | Remediation
CVE-2016-5195, CVE-2016-8666, CVE-2016-9555 | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.

Reporter

CVE | Affected Version(s) | Remediation
CVE-2016-7039 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2016-7039 | 10.1 | Upgrade to 10.1.5.4.
CVE-2016-7039 | 9.5 | Not vulnerable
CVE-2016-7039 | 9.4 | Not vulnerable

Security Analytics (SA)

CVE | Affected Version(s) | Remediation
All CVEs | 7.3 and later | Not vulnerable, fixed in 7.3.1
CVE-2016-5195 | 7.2 | Upgrade to 7.2.2.
CVE-2016-5195 | 6.6, 7.1 | Upgrade to later release with fixes.
CVE-2016-9555 | 7.2 | Upgrade to 7.2.3.
CVE-2016-9555 | 6.6, 7.1 | Upgrade to later release with fixes.

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
All CVEs | 4.1 and later | Not vulnerable, fixed in 4.1.1.1
All CVEs | 3.12 | Not vulnerable, fixed in 3.12.1.1
CVE-2016-7039 | 4.0 | Upgrade to later release with fixes.
CVE-2016-5195 | 3.11 (not vulnerable to known vectors of attack) | Not vulnerable, fixed in 3.11.1.1
CVE-2016-5195 | 3.10 (not vulnerable to known vectors of attack) | Upgrade to 3.10.2.1.
CVE-2016-5195 | 3.9 (not vulnerable to known vectors of attack) | Upgrade to 3.9.7.1.
CVE-2016-5195 | 3.8.4FC (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
CVE-2016-9555 | 3.11 (not vulnerable to known vectors of attack) | Upgrade to 3.11.3.1.
CVE-2016-9555 | 3.10 (not vulnerable to known vectors of attack) | Not available at this time
CVE-2016-9555 | 3.9 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
CVE-2016-9555 | 3.8.4FC (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.

X-Series XOS

CVE | Affected Version(s) | Remediation
CVE-2016-5195 | 11.0 | Not available at this time
CVE-2016-5195 | 10.0 | Not available at this time
CVE-2016-5195 | 9.7 | Upgrade to later release with fixes.

The following products have a vulnerable version of the Linux kernel, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
CVE-2016-5195, CVE-2016-9555 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2016-5195, CVE-2016-9555 | 6.6 | Upgrade to 6.6.5.8.

PacketShaper (PS) S-Series

CVE | Affected Version(s) | Remediation
CVE-2016-5195, CVE-2016-9555 | 11.9 and later | Not vulnerable, fixed in 11.9.1.1
CVE-2016-5195, CVE-2016-9555 | 11.7, 11.8 | Upgrade to later release with fixes.
CVE-2016-5195, CVE-2016-9555 | 11.6 | Upgrade to 11.6.4.2.
CVE-2016-5195, CVE-2016-9555 | 11.5 | Upgrade to later release with fixes.

PolicyCenter (PC) S-Series

CVE | Affected Version(s) | Remediation
CVE-2016-5195, CVE-2016-9555 | 1.1 | Upgrade to 1.1.4.2.

ADDITIONAL PRODUCT INFORMATION

Blue Coat products that use a native installation of the Linux kernel but do not install or maintain the kernel are not vulnerable to the attacks using the CVEs in this Security Advisory. However, the underlying platform that installs and maintains the Linux kernel may be vulnerable. Blue Coat urges our customers to update the versions of the Linux kernel that are natively installed for Client Connector, Cloud Data Protection, ProxyClient, and Reporter 9.x for Linux.

Some Blue Coat products do not provide Linux shell access, do not execute arbitrary code from external sources, or do not act as an SCTP server. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • CAS: CVE-2016-5195 (Dirty COW) (1.3 only) and CVE-2016-9555
  • MTD: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • MC: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • PacketShaper S-Series: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • PolicyCenter S-Series: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • Reporter: CVE-2016-5195 (Dirty COW)
  • SSL Visibility: CVE-2016-5195 (Dirty COW) (3.x only) and CVE-2016-9555
  • XOS: CVE-2016-9555

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2016-5195

Severity / CVSSv2 | High / 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
References | SecurityFocus: BID 93793 / NVD: CVE-2016-5195
Impact | Privilege escalation
Description | A race condition in the memory manager copy-on-write (COW) functionality allows a local attacker to write to read-only memory mappings and escalate their privileges on the system.

CVE-2016-7039

Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
References | SecurityFocus: BID 93476 / NVD: CVE-2016-7039
Impact | Denial of service
Description | An unbound recursion flaw in VLAN and Transparent Ethernet Bridging (TEB) Generic Receive Offload (GRO) handling allows a remote attacker to send large crafted packets and cause a system crash, resulting in denial of service.

CVE-2016-8666

Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
References | SecurityFocus: BID 93562 / NVD: CVE-2016-8666
Impact | Denial of service
Description | An unbound recursion flaw in Generic Receive Offload (GRO) handling allows a remote attacker to send crafted packets with tunnel stacking and cause a system crash, resulting in denial of service.

CVE-2016-9555

Severity / CVSSv2 | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
References | SecurityFocus: BID 94479 / NVD: CVE-2016-9555
Impact | Denial of service, unspecified impact
Description | A buffer overread flaw in SCTP packet handling allows a remote attacker to send crafted SCTP packets and cause denial of service or have unspecified other impact.

MITIGATION

CVE-2016-7039, CVE-2016-8666, and CVE-2016-9555 can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

By default, Director and Security Analytics do not act as an SCTP server. Customers who leave this behavior unchanged prevent attacks using CVE-2016-9555 against these products.
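
One way to audit the two mitigations above from network flow records, as an added example that is not part of the Symantec advisory: it flags flows to a management interface from outside the trusted networks, and any SCTP flow to that interface. The addresses, the CSV flow format and the names below are constructed assumptions.

```python
import ipaddress

# Constructed values (assumptions, not from the advisory): documentation-range
# addresses and a CSV flow export with columns src,dst,ip_proto,dst_port.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/26", "198.51.100.10/32")]
MGMT_ADDRS = {ipaddress.ip_address("203.0.113.5")}
IPPROTO_SCTP = 132  # IANA-assigned IP protocol number for SCTP

SAMPLE_FLOWS = """\
192.0.2.17,203.0.113.5,6,8082
198.51.100.10,203.0.113.5,6,22
198.51.100.77,203.0.113.5,6,8082
192.0.2.40,203.0.113.5,132,2905
192.0.2.200,203.0.113.5,17,161
192.0.2.17,203.0.113.9,6,443
not,a,flow
"""

def audit_flows(text, trusted=TRUSTED_NETS, mgmt=MGMT_ADDRS):
    """Return (line_number, reason) for flows that violate the mitigation."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            src_s, dst_s, proto_s, _port = line.strip().split(",")
            src = ipaddress.ip_address(src_s)
            dst = ipaddress.ip_address(dst_s)
            proto = int(proto_s)
        except ValueError:
            # Malformed records are reported, not silently skipped.
            findings.append((lineno, "unparseable"))
            continue
        if dst not in mgmt:
            continue  # only management-interface traffic is in scope
        # An address of the other IP version is simply "not in" the network.
        if not any(src in net for net in trusted):
            findings.append((lineno, "untrusted-source"))
        # Unexpected where the appliance is left in its non-SCTP-server default.
        if proto == IPPROTO_SCTP:
            findings.append((lineno, "sctp-to-mgmt"))
    return findings

if __name__ == "__main__":
    for lineno, reason in audit_flows(SAMPLE_FLOWS):
        print(f"line {lineno}: {reason}")
```
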

REFERENCES

Dirty COW - <https://dirtycow.ninja/>

REVISION

2020-04-23 Advisory status moved to Closed.
2020-04-04 A fix for PolicyCenter S-Series is available in 1.1.4.2.
2019-10-02 Web Isolation is not vulnerable.
2019-01-28 SA 8.0 is not vulnerable. ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CAS 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-07 A fix for CVE-2016-7039, CVE-2016-8666, and CVE-2016-9555 for MA is available in 4.2.12.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is not vulnerable. A fix for PacketShaper S-Series 11.6 is available in 11.6.4.2. PacketShaper S-Series 11.10 is not vulnerable.
2017-11-16 A fix for PacketShaper S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-08 CAS 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1.
2017-07-25 PS S-Series 11.9 is not vulnerable because a fix is available in 11.9.1.1.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-22 A fix for all CVEs in Reporter 10.1 is available in 10.1.5.4.
2017-06-05 PS S-Series 11.8 has a vulnerable version of the Linux kernel. A fix is not available at this time.
2017-05-29 A fix for Security Analytics 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-05-26 A fix for CAS 1.3 is available in 1.3.7.5.
2017-05-19 A fix for ASG 6.6 is available in 6.6.5.8.
2017-05-18 CAS 2.1 is vulnerable to CVE-2016-7039. It also has a vulnerable version of the Linux kernel for CVE-2016-9555, but is not vulnerable to known vectors of attack.
2017-04-12 A fix for CVE-2016-9555 in SSLV 3.11 is available in 3.11.3.1.
2017-03-30 It was previously reported that CAS, MTD, MC, Reporter 10.1, and SSLV 4.0 are vulnerable to CVE-2016-8666. Further investigation indicates that these products are not vulnerable to CVE-2016-8666. MC 1.9 is not vulnerable because a fix for all CVEs is available in 1.9.1.1.
2017-03-16 A fix for CVE-2016-5195 in SSLV 3.10 is available in 3.10.2.1.
2017-03-09 A fix for all CVEs in Security Analytics 7.2 is available in 7.2.3.
2017-03-08 MC 1.8 and SSLV 4.0 are vulnerable to CVE-2016-7039 and CVE-2016-8666.
2017-01-25 It was previously reported that Security Analytics 6.6, 7.1, and 7.2 are vulnerable to CVE-2016-7039 and CVE-2016-8666. Further investigation indicates that Security Analytics is not vulnerable. Fixes for CVE-2016-5195 (Dirty COW) in SA 6.6 and 7.1 are not available at this time.
2017-01-13 A fix for CVE-2016-5195 in SSLV 3.9 is available in 3.9.7.1.
2016-12-19 A fix for CVE-2016-5195 (Dirty COW) in MAA 4.2 is available in 4.2.11.
2016-12-08 Initial public release.
