Symantec Security ResponseSMNTC-1395SA141 : OpenSSL Vulnerabilities 26-Jan-2017
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
SUMMARY
Symantec Network Protection products using affected versions of OpenSSL are susceptible to several vulnerabilities. A remote attacker can exploit these vulnerabilities to cause denial of service and obtain private key information.
AFFECTED PRODUCTS
The following products are vulnerable:
CacheFlow
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 3.4 | Upgrade to 3.4.2.8.
Director
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 6.1 starting with 6.1.22.1 | Upgrade to 6.1.23.1.
IntelligenceCenter (IC)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 3.3 | Upgrade to a version of NetDialog NetX with fixes.
Malware Analysis (MA)
CVE |Affected Version(s)|Remediation
CVE-2017-3732 | 4.2 | Upgrade to 4.2.12.
PacketShaper (PS)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 9.2 | Fixed in 9.2.13p7
PolicyCenter (PC)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 9.2 | Fixed in 9.2.13p7
ProxyAV
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 3.5 | Upgrade to a version of CAS with fixes.
ProxySG
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 7.1 and later | Not vulnerable, fixed in 7.1.1.1
6.7 | Upgrade to 6.7.1.2.
6.6 | Upgrade to 6.6.5.8.
6.5 | Upgrade to 6.5.10.4.
Reporter
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1.
10.1 (has vulnerable version of OpenSSL, but not vulnerable to known vectors of impact). | Upgrade to 10.1.5.5.
9.5 | Not vulnerable
CVE-2017-3732 | 10.2 and later | Not vulnerable
10.1 | Not vulnerable
9.5 | Upgrade to 9.5.4.1.
All CVEs | 9.4 | Not vulnerable
SSL Visibility (SSLV)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1.
4.0 (has vulnerable version of OpenSSL, but not vulnerable to known vectors of impact). | Upgrade to 4.0.2.1.
3.x | Not vulnerable
CVE-2017-3732 | 3.12 and later | Not vulnerable
3.11 | Upgrade to 3.11.3.1.
3.10 | Upgrade to 3.10.4.1.
3.9 | Not available at this time
Unified Agent (UA)
CVE |Affected Version(s)|Remediation
CVE-2017-3732 | 4.8 and later | Not vulnerable, fixed in 4.8.0
4.7 | Upgrade to later release with fixes
4.6 | Upgrade to later release with fixes
4.1 | Not vulnerable
The following products contain a vulnerable version of OpenSSL, but are not vulnerable to known vectors of attack:
Advanced Secure Gateway (ASG)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 7.1 | Not vulnerable, fixed in 7.1.1.1
6.7 | Upgrade to 6.7.3.1.
6.6 | Upgrade to later release with fixes.
Android Mobile Agent
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 2.0 | Not vulnerable, fixed
1.3 | Upgrade to 1.3.8.
Content Analysis (CA)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 2.2 and later | Not vulnerable, fixed in 2.2.1.1.
2.1 | Upgrade to later release with fixes.
1.3 | Upgrade to later release with fixes.
Mail Threat Defense (MTD)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 1.1 | Not available at this time
Management Center (MC)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1.
1.10 | Upgrade to later release with fixes.
1.9 | Upgrade to later release with fixes.
1.8 | Upgrade to later release with fixes.
Norman Shark Industrial Control System Protection (ICSP)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 5.4 and later | Not vulnerable, fixed in 5.4.1
5.3 | Not available at this time
Norman Shark Network Protection (NNP)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 5.3 | A fix will not be provided.
Norman Shark SCADA Protection (NSP)
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.
PacketShaper (PS) S-Series
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 11.9 and later | Not vulnerable, fixed in 11.9.1.1.
11.8 | Upgrade to later release with fixes.
11.7 | Upgrade to later release with fixes.
11.6 | Upgrade to 11.6.4.2.
11.5 | Upgrade to later release with fixes.
PolicyCenter (PC) S-Series
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 1.1 | Upgrade to 1.1.4.2.
Security Analytics
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 7.3 and later | Not vulnerable, fixed in 7.3.1.
7.2 | Upgrade to 7.2.3.
7.1 | Upgrade to later release with fixes.
6.6 | Upgrade to later release with fixes.
X-Series XOS
CVE |Affected Version(s)|Remediation
CVE-2017-3731 | 11.0 | Not available at this time
10.0 | Upgrade to later release with fixes.
9.7 | Upgrade to later release with fixes.
ADDITIONAL PRODUCT INFORMATION
Symantec Network Protection products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Symantec urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.
Some Symantec Network Protection products do not enable or use all functionality within OpenSSL. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.
- Android Mobile Agent: CVE-2017-3731
- ASG: CVE-2017-3731
- CA: CVE-2017-3731
- Director 6.1.22.1: CVE-2017-3732
- MTD: CVE-2017-3731
- MA: CVE-2017-3731
- MC: CVE-2017-3731
- ICSP: CVE-2017-3731
- NNP: CVE-2017-3731
- NSP: CVE-2017-3731
- PacketShaper S-Series: CVE-2017-3731
- PolicyCenter S-Series: CVE-2017-3731
- Reporter 9.5 and 10.1: CVE-2017-3731
- Security Analytics: CVE-2017-3731
- SSLV: CVE-2017-3731
- Unified Agent: CVE-2017-3731
The following products are not vulnerable:
AuthConnector BCAAA Symantec HSM Agent for the Luna SP
Client Connector Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
K9
ProxyClient
ProxyAV ConLog and ConLogXP
Web Isolation
Symantec no longer provides vulnerability information for the following products:
DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.
ISSUES
CVE-2017-3730
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 95812 / NVD: CVE-2017-3730 Impact| Denial of service Description | A NULL pointer dereference flaw in the SSL client implementation allows a remote attacker to send crafted DHE or ECDHE key exchange parameters to an SSL client and cause an application crash, resulting in denial of service.
CVE-2017-3731
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 95813 / NVD: CVE-2017-3731 Impact| Denial of service Description | An out-of-bounds read flaw in the 32-bit SSL client and server implementations allows a remote attacker to send crafted packets and cause an application crash, resulting in denial of service.
CVE-2017-3732
Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) References| SecurityFocus: BID 95814 / NVD: CVE-2017-3732 Impact| Information disclosure Description | A flaw in the 64-bit Montgomery squaring implementation (used in RSA, DSA, and DHE) allows a remote attacker to obtain private key information.
REFERENCES
OpenSSL Security Advisory - <https://www.openssl.org/news/secadv/20170126.txt>
REVISION
2020-04-23 Advanced Secure Gateway (ASG) and ProxySG 7.1 and later versions are not vulnerable because fixes are available in 7.1.1.1. Industrial Control System Protection (ICSP) 5.4 is not vulnerable because a fix is available in 5.4.1. A fix for Security Analytics 7.2 is available in 7.2.3. Advisory status moved to Closed.
2020-01-15 A fix will not be provided for ProxyAV 3.5. Content Analysis System (CAS) is a replacement product for ProxyAV. Please switch to a version of CAS with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-08-21 A fix for IntelligenceCenter (IC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-29 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2019-01-21 Security Analytics 8.0 is not vulnerable.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later release with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later release with the vulnerability fixes.
2018-08-07 A fix for CA 1.3 will not be provided. Please upgrade to a later release with the vulnerability fixes.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-07-27 A fix for MA 4.2 is available in 4.2.12.
2018-07-02 A fix for PolicyCenter 9.2 is available in 9.2.13p7.
2018-07-01 A fix for PacketShaper 9.2 is available in 9.2.13p7.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-06-04 A fix for PolicyCenter S-Series is available in 1.1.4.2.
2018-04-22 CA 2.3 is not vulnerable. Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1. A fix for PacketShaper S-Series 11.6 is available in 11.6.4.2. PacketShaper S-Series 11.10 is not vulnerable.
2018-04-12 A fix for Reporter 10.1 is available in 10.1.5.5.
2018-02-22 A fix for SSLV 3.10 is available in 3.10.4.1.
2018-02-05 A fix for Reporter 9.5 is available in 9.5.4.1.
2018-01-31 A fix for ASG 6.7 is avaialble in 6.7.3.1.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CA 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-09-08 Added CVSS v2 base scores. Corrected response for Reporter 9.5 - it is vulnerable to CVE-2017-3732.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-25 PS S-Series 11.9 is not vulnerable because a fix is available in 11.9.1.1.
2017-07-23 MC 1.10 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-30 A fix for ProxySG 6.5 is available in 6.5.10.4.
2017-06-22 Security Analytics 7.3 is not vulnerable because a fix is available in 7.3.1.
2017-06-05 PS S-Series 11.8 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack. A fix is not available a this time.
2017-05-22 UA 4.8 is not vulnerable because a fix is available in 4.8.0.
2017-05-19 A fix for ProxySG 6.6 is available in 6.6.5.8.
2017-05-18 CAS 2.1 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-29 A fix for CacheFlow 3.4 is available in 3.4.2.8.
2017-04-19 A fix for ProxySG 6.7 is available in 6.7.1.2.
2017-04-11 A fix for SSLV 3.11 is available in 3.11.3.1.
2017-03-30 A fix for SSLV 4.0 is available in 4.0.2.1. MC 1.9 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-03-08 ProxySG 6.7 is vulnerable to CVE-2017-3731. SSLV 4.0 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-02-09 initial public release
| CPE | Name | Operator | Version |
|---|---|---|---|
| cacheflow | eq | 3 | |
| director | eq | 6 | |
| intelligencecenter (ic) | eq | 3 | |
| malware analysis (ma) | eq | 4 | |
| packetshaper (ps) | eq | 9 | |
| policycenter (pc) | eq | 9 | |
| proxyav | eq | 3 | |
| proxysg | eq | 7 | |
| proxysg | eq | 6 | |
| proxysg | eq | 6 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P