Symantec Security Response, SMNTC-1390

SA136 : OpenSSH Vulnerabilities

2016-12-13 08:00:00

CVSS3: 7.5 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | HIGH

CVSS2: 7.8 High
AV:N/AC:L/Au:N/C:N/I:N/A:C

Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | COMPLETE

SUMMARY

Blue Coat products using affected versions of OpenSSH are susceptible to several vulnerabilities. A remote attacker, with access to the management interface, can exploit these vulnerabilities to enumerate existing user accounts and cause denial of service through excessive CPU consumption and memory exhaustion.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
CVE-2016-8858 | 6.7 | Not vulnerable, fixed in 6.7.2.1
CVE-2016-8858 | 6.6 | Upgrade to 6.6.5.4.

CacheFlow

CVE |Affected Version(s)|Remediation
CVE-2016-8858 | 3.4 | Upgrade to 3.4.2.8.

Director

CVE |Affected Version(s)|Remediation
CVE-2016-6515 | 6.1 | Upgrade to 6.1.23.1.
CVE-2016-6210, CVE-2016-8858 | 6.1.22.1 only | Upgrade to 6.1.23.1.

Malware Analysis Appliance (MAA)

CVE |Affected Version(s)|Remediation
CVE-2016-6210, CVE-2016-6515 | 4.2 | Upgrade to 4.2.10.
CVE-2016-8858 | 4.2 | See Mitigation section for workaround instructions.

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
CVE-2016-6210, CVE-2016-6515 | 5.4 | Not vulnerable, fixed in 5.4.1
CVE-2016-6210, CVE-2016-6515 | 5.3 | Upgrade to a later release with fixes.
CVE-2016-8858 | 5.3, 5.4 | Not available at this time

Norman Shark Network Protection (NNP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | A fix will not be provided.

Norman Shark SCADA Protection (NSP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.

PacketShaper (PS)

CVE |Affected Version(s)|Remediation
CVE-2016-8858 | 9.2 (only affects other SSH management connections) | Not vulnerable, fixed in 9.2.13p7

ProxySG

CVE |Affected Version(s)|Remediation
CVE-2016-8858 | 6.7 and later | Not vulnerable, fixed in 6.7.1.1
CVE-2016-8858 | 6.6 | Upgrade to 6.6.5.4.
CVE-2016-8858 | 6.5 | Upgrade to 6.5.10.1.

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
All CVEs | 3.12 and later | Not vulnerable, fixed in 3.12.1.1
CVE-2016-6210, CVE-2016-6515 | 3.11 | Not vulnerable, fixed in 3.11.1.1
CVE-2016-6210, CVE-2016-6515 | 3.10 | Not vulnerable, fixed in 3.10.1.1
CVE-2016-6210, CVE-2016-6515 | 3.9 | Upgrade to 3.9.6.1.
CVE-2016-6210, CVE-2016-6515 | 3.8.4FC | Upgrade to a later release with fixes.
CVE-2016-8858 | 3.11 | Upgrade to 3.11.2.1.
CVE-2016-8858 | 3.10.3.1 | Upgrade to 3.10.3.1.
CVE-2016-8858 | 3.9 | Upgrade to a later release with fixes.
CVE-2016-8858 | 3.8.4FC | Upgrade to a later release with fixes.

Web Isolation (WI)

CVE |Supported Version(s)|Remediation
CVE-2016-8858 | 1.13, 1.14 | Not available at this time
CVE-2016-8858 | 1.12 | Upgrade to a later release with fixes.

X-Series XOS

CVE |Affected Version(s)|Remediation
CVE-2016-6210, CVE-2016-6515 | 9.7, 10.0, 11.0 (only APM software) | A fix will not be provided.

ADDITIONAL PRODUCT INFORMATION

Blue Coat products do not enable or use all functionality within OpenSSH. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • PacketShaper: CVE-2016-6210 and CVE-2016-6515

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
Security Analytics
Unified Agent
WSS Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2016-6210

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 91812 / NVD: CVE-2016-6210
Impact | Information disclosure
Description | A timing difference between password authentication of existing and non-existing user accounts allows a remote attacker to make authentication attempts with large passwords and enumerate the existing user accounts on the target system.

CVE-2016-6515

Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
References | SecurityFocus: BID 92212 / NVD: CVE-2016-6515
Impact | Denial of service
Description | An insufficient input validation flaw in password authentication allows a remote attacker to send a long password string and cause excessive CPU consumption, resulting in denial of service.

CVE-2016-8858

Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
References | SecurityFocus: BID 93776 / NVD: CVE-2016-8858
Impact | Denial of service
Description | A flaw in message handling allows a remote attacker to repeatedly send the KEXINIT SSH message and cause memory exhaustion, resulting in denial of service.

MITIGATION

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

CVE-2016-8858 can be remediated in Malware Analysis by limiting the maximum number of concurrent unauthenticated connections to the SSH daemon. Customers should use the following steps in the management CLI:

  1. Create a backup copy of the SSH daemon configuration file: cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  2. Add the line “MaxStartups 5:100:5” to /etc/ssh/sshd_config
  3. Restart SSH daemon: service ssh restart
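Steps 1 and 2 above as a repeatable script. This is an added example, not part of the Symantec advisory; the function names are hypothetical. It covers two sshd_config behaviours that can silently defeat a plain "add the line" edit: sshd uses the first value it reads for a keyword, and MaxStartups is not permitted inside a Match block.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the advisory.
# MaxStartups is start:rate:full, so 5:100:5 refuses every new connection once
# 5 unauthenticated connections are open.

# set_maxstartups FILE [VALUE]: steps 1 and 2 of the workaround.
set_maxstartups() {
    cfg=$1
    value=${2:-5:100:5}
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }

    # Step 1: keep a backup, without overwriting one from an earlier run.
    [ -e "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak" || return 1

    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    # Step 2: sshd uses the first value it reads for a keyword, and MaxStartups
    # is not allowed inside a Match block. Comment out any other MaxStartups
    # line and place the new one before the first Match block, or at the end
    # of the file when there is none.
    awk -v v="$value" '
        function place() { if (!placed) { print "MaxStartups " v; placed = 1 } }
        $0 == "MaxStartups " v                       { next }   # re-emitted by place()
        tolower($0) ~ /^[ \t]*maxstartups[ \t=]/     { print "#" $0; next }
        tolower($0) ~ /^[ \t]*match[ \t]/            { place() }
        { print }
        END { place() }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }

    # cat into the original keeps its owner and mode.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# effective_maxstartups FILE: print the first active MaxStartups value,
# which is the one sshd would apply.
effective_maxstartups() {
    awk 'tolower($0) ~ /^[ \t]*maxstartups[ \t=]/ {
             sub(/^[ \t]*[A-Za-z]+[ \t=]+/, ""); print $1; exit
         }' "$1"
}
```

Running `sshd -t` after `set_maxstartups /etc/ssh/sshd_config` checks the edited file for syntax errors before the restart in step 3.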

REVISION

2021-08-27 WSS Agent is not vulnerable.
2021-01-15 WI 1.14 is vulnerable to CVE-2016-8858. A fix is not available at this time. Fixes will not be provided for WI 1.12. Please upgrade to a later release with the vulnerability fixes.
2020-11-17 A fix for XOS 9.7, 10.0, and 11.0 will not be provided.
2020-04-29 A fix will not be provided for ICSP. Please upgrade to a later release with the vulnerability fixes.
2019-10-07 WI 1.12 and 1.13 are vulnerable to CVE-2016-8858. A fix is not available at this time. Fixes will not be provided for SSLV 3.8.4fc and XOS 9.7. Please upgrade to a later release with the vulnerability fixes.
2019-01-21 ICSP 5.4 is not vulnerable to CVE-2016-6210 and CVE-2016-6515 because a fix is available in 5.4.1.
2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-07-30 See Mitigation section for workaround instructions for CVE-2016-8858 in MA 4.2.
2018-07-01 A fix for PacketShaper 9.2 is available in 9.2.13p7.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-06 A fix for CVE-2016-6210 and CVE-2016-6515 in SSLV 3.9 is available in 3.9.6.1
2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-08-15 A fix for CVE-2016-8858 in SSLV 3.10 is available in 3.10.3.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-29 A fix for CacheFlow 3.4 is available in 3.4.2.8.
2017-04-26 Added CVSS v2 score for CVE-2016-6210 and base score for Security Advisory.
2017-03-29 It was previously reported that ASG 6.6 is not vulnerable to CVE-2016-8858. Further investigation has shown that ASG 6.6 is vulnerable to CVE-2016-8858. A fix is available in 6.6.5.4.
2017-03-29 A fix for ProxySG 6.6 is available in 6.6.5.4.
2017-03-08 A fix for ProxySG 6.5 is available in 6.5.10.1.
2017-03-08 ProxySG 6.7 is not vulnerable because a fix is available in 6.7.1.1. SSLV 4.0 is not vulnerable.
2016-01-25 SSLV 3.11.2.1 remediates CVE-2016-8858 by restricting the number of concurrent unauthenticated incoming SSH connections.
2016-12-13 initial public release
2016-01-20 It was previously reported that ASG, CAS, MTD, MC, PacketShaper S-Series, PolicyCenter S-Series, Reporter 10.1, Security Analytics, and XOS are vulnerable to CVE-2016-8858. Further investigation has shown that these products are not vulnerable.
