Symantec Security Response | SMNTC-1404
May 09, 2017 - 8:00 a.m.

SA148: Linux Kernel Vulnerabilities Feb-Apr 2017


CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

SUMMARY

Symantec Network Protection products that include a vulnerable version of the Linux kernel are susceptible to multiple vulnerabilities. A remote attacker, with access to the management interface, can exploit these vulnerabilities to execute arbitrary code. The attacker can also cause denial of service through system crashes and excessive CPU consumption.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 6.7 | Not vulnerable, fixed in 6.7.2.1 |
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 6.6 | Upgrade to 6.6.5.10. |
| CVE-2017-5897 | 6.7 starting with 6.7.4.2, 7.1, and later (has vulnerable Linux kernel, but not vulnerable to known vectors of attack) | A fix will not be provided because the vulnerability is not considered to have security impact. |
| CVE-2017-5897 | 6.6 (has vulnerable Linux kernel, but not vulnerable to known vectors of attack) | Upgrade to 6.6.5.10. |
| CVE-2017-5972 | 6.6 and later (has vulnerable Linux kernel, but not vulnerable to known vectors of attack) | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |
| CVE-2017-7645 | 6.7 (has vulnerable Linux kernel, but not vulnerable to known vectors of attack) | Not vulnerable, fixed in 6.7.2.1 |
| CVE-2017-7645 | 6.6 (has vulnerable Linux kernel, but not vulnerable to known vectors of attack) | Upgrade to 6.6.5.10. |

Content Analysis (CA)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 2.2 and later | Not vulnerable, fixed in 2.2.1.1. |
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 2.1 | Upgrade to later release with fixes. |
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 1.3 | Upgrade to 1.3.7.8. |
| CVE-2017-5897 | 3.0 and later (has vulnerable Linux kernel, but not vulnerable to known vectors of attack) | A fix will not be provided because this vulnerability is not considered to have security impact. |
| CVE-2017-5897 | 2.2, 2.3, 2.4 | Not vulnerable, fixed in 2.2.1.1 |
| CVE-2017-5897 | 2.1 (has vulnerable Linux kernel, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
| CVE-2017-5897 | 1.3 (has vulnerable Linux kernel, but not vulnerable to known vectors of attack) | Upgrade to 1.3.7.8. |
| CVE-2017-5972 | 1.3 and later | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |
| CVE-2017-6745 | 2.2 and later | Not vulnerable, fixed in 2.2.1.1. |
| CVE-2017-6745 | 2.1 (has vulnerable Linux kernel, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
| CVE-2017-6745 | 1.3 (has vulnerable Linux kernel, but not vulnerable to known vectors of attack) | Upgrade to 1.3.7.8 |

Director

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-7645 | 6.1 | Upgrade to a version of MC with the fixes. |

Integrated Security Gateway (ISG)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-5972 | 2.1, 2.2, 2.3 | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |

Mail Threat Defense (MTD)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-5970, CVE-2017-6214, CVE-2016-10229 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. |
| CVE-2017-5972 | 1.1 | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |

Malware Analysis (MA)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 4.2 | Upgrade to 4.2.12. |
| CVE-2017-5897, CVE-2017-7645 | 4.2 | Upgrade to a version of Content Analysis with fixes. |
| CVE-2017-5972 | 4.2 | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |

Management Center (MC)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-5970, CVE-2017-6214, CVE-2016-10229 | 1.10 and later | Not vulnerable, fixed in 1.10.1.1 |
| CVE-2017-5970, CVE-2017-6214, CVE-2016-10229 | 1.9 | Upgrade to later release with fixes. |
| CVE-2017-5972 | 1.9 and later | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |

Norman Shark Industrial Control System Protection (ICSP)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs except CVE-2016-10229 | 5.4 and later | Not vulnerable, fixed in 5.4.1 |
| All CVEs except CVE-2016-10229 | 5.3 | Upgrade to later release with fixes. |

PacketShaper (PS) S-Series

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-6214 | 11.9 and later | Not vulnerable, fixed in 11.9.1.1 |
| CVE-2017-6214 | 11.5, 11.6, 11.7, 11.8 | Upgrade to later release with fixes. |
| CVE-2017-5972 | 11.5 and later | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |
| CVE-2017-7645 | 11.5 and later (not vulnerable to known vectors of attack) | A fix will not be provided. |

PolicyCenter (PC) S-Series

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-5972 | 1.1 | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |
| CVE-2017-6214 | 1.1 | Upgrade to 1.1.4.2. |
| CVE-2017-7645 | 1.1 (not vulnerable to known vectors of attack) | A fix will not be provided. |

Reporter

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-5897 | 10.3 and later (not vulnerable to known vectors of attack) | A fix will not be provided because the vulnerability is not considered to have security impact. |
| CVE-2017-5897 | 10.2 | Not vulnerable, fixed in 10.2.1.1 |
| CVE-2017-5897 | 10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.5.5. |
| CVE-2017-5970, CVE-2017-6214 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 |
| CVE-2017-5970, CVE-2017-6214 | 10.1 | Upgrade to 10.1.5.5. |
| CVE-2017-5972 | 10.1 and later | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |
| All CVEs | 9.4, 9.5 | Not vulnerable |

Security Analytics

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs except CVE-2017-5897, CVE-2017-5972, CVE-2017-7645 | 8.0 and later | Not vulnerable, fixed in 8.0.1 |
| All CVEs except CVE-2017-5897, CVE-2017-5972, CVE-2017-7645 | 7.1, 7.2, 7.3 | Upgrade to later release with fixes. |
| CVE-2017-5897 | 7.1 and later | A fix will not be provided because the vulnerability is not considered to have security impact. |
| CVE-2017-5972 | 7.1 and later | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |

SSL Visibility (SSLV)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 4.2 and later | Not vulnerable, fixed in 4.2.1.1 |
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 4.0, 4.1 | Upgrade to later release with fixes. |
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 3.12 | Not vulnerable, fixed in 3.12.1.1 |
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 3.11 | Upgrade to later release with fixes. |
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 3.10 | Upgrade to 3.10.4.1. |
| CVE-2016-10229, CVE-2017-5970, CVE-2017-6214 | 3.8.4FC, 3.9 | Upgrade to later release with fixes. |
| CVE-2017-5897 | 4.5, 5.0 (not vulnerable to known vectors of attack) | A fix will not be provided because the vulnerability is not considered to have security impact. |
| CVE-2017-5897 | 4.2, 4.3, 4.4 | Not vulnerable, fixed in 4.2.1.1 |
| CVE-2017-5897 | 4.0, 4.1 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
| CVE-2017-5897 | 3.12 | Not vulnerable, fixed in 3.12.1.1 |
| CVE-2017-5897 | 3.11 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
| CVE-2017-5897 | 3.10 (not vulnerable to known vectors of attack) | Upgrade to 3.10.4.1. |
| CVE-2017-5897 | 3.8.4FC, 3.9 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
| CVE-2017-5972 | All versions | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |

X-Series XOS

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-5972 | 9.7 and later | A fix will not be provided because no suitable fix is available for the upstream Linux kernel. |
| CVE-2017-6214, CVE-2017-7645 | 9.7, 10.0, 11.0 | Not available at this time |

ADDITIONAL PRODUCT INFORMATION

Symantec Network Protection products that use a native installation of the Linux kernel but do not install or maintain the kernel are not vulnerable to the attacks using the CVEs in this Security Advisory. However, the underlying platform that installs and maintains the Linux kernel may be vulnerable. Symantec urges our customers to update the versions of the Linux kernel that are natively installed for Client Connector, Cloud Data Protection, ProxyClient, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not support UDP, IPv6, and NFS. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2017-5897 (6.6 only), CVE-2017-5972 and CVE-2017-7645 (6.6 only)
  • CA: CVE-2017-5897 (1.3 only) and CVE-2017-7645
  • MTD: CVE-2017-5897 and CVE-2017-7645
  • MC: CVE-2017-5897 and CVE-2017-7645
  • PacketShaper S-Series: CVE-2017-7645
  • PolicyCenter S-Series: CVE-2017-7645
  • Reporter 10.1: CVE-2016-10229, CVE-2017-5897, and CVE-2017-7645
  • Security Analytics: CVE-2017-7645
  • SSLV 4.0: CVE-2017-5897 and CVE-2017-7645

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent
Web Isolation

ISSUES

CVE-2016-10229

| Severity / CVSSv2 | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
|---|---|
| References | SecurityFocus: BID 97397 / NVD: CVE-2016-10229 |
| Impact | Denial of service, code execution |
| Description | A flaw in UDP packet handling that allows a remote attacker to send crafted UDP packets and cause memory corruption. The attacker can execute arbitrary code or cause a system crash, resulting in denial of service. |

CVE-2017-5897

| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
|---|---|
| References | SecurityFocus: BID 96037 / NVD: CVE-2017-5897 |
| Impact | Unspecified |
| Description | A flaw in the IPv6 GRE implementation allows a remote attacker to have unspecified impact via vectors related to GRE flags. |

CVE-2017-5970

| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
|---|---|
| References | SecurityFocus: BID 96233 / NVD: CVE-2017-5970 |
| Impact | Denial of service |
| Description | A flaw in IP option handling allows a remote attacker to send crafted IP packets and cause a system crash, resulting in denial of service. |

CVE-2017-5972

| Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) |
|---|---|
| References | SecurityFocus: BID 96231 / NVD: CVE-2017-5972 |
| Impact | Denial of service |
| Description | A flaw in the TCP implementation allows remote attackers to send TCP SYN packets and cause excessive CPU consumption, resulting in denial of service. |

CVE-2017-6214

| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
|---|---|
| References | SecurityFocus: BID 96421 / NVD: CVE-2017-6214 |
| Impact | Denial of service |
| Description | A flaw in TCP packet handling allows a remote attacker to send crafted TCP packets and cause an infinite loop in the Linux kernel thread, resulting in denial of service. |

CVE-2017-7645

| Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) |
|---|---|
| References | SecurityFocus: BID 97950 / NVD: CVE-2017-7645 |
| Impact | Denial of service |
| Description | A flaw in the NFSv2/NFSv3 implementation allows a remote attacker to send crafted RPC responses and cause a system crash, resulting in denial of service. |

MITIGATION

These vulnerabilities can be exploited only through the management interfaces for Director, MA, MC, ICSP, PS S-Series, PC S-Series, Reporter, Security Analytics, and SSLV. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

By default, ICSP does not use NFS. Customers who leave this default behavior unchanged prevent attacks against these products using CVE-2017-7645.
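One way to verify the allowlisting mitigation above is to audit flow records that reached a management interface and flag any source outside the trusted subnets, tagged with the CVEs whose protocol surface (per the descriptions in this advisory) the flow touches. This is an added example, not Symantec code; the record format, the `TRUSTED` subnets and the sample flows are constructed assumptions.

```python
import ipaddress

# Assumed trusted management subnets (constructed values; substitute your own).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "fd00:20::/64")]

# Protocol surface named in each CVE description of this advisory.
# CVE-2017-7645 (NFS) is left out: exposure depends on NFS being in use.
CVE_SURFACE = {
    "udp": ["CVE-2016-10229"],                  # UDP packet handling
    "tcp": ["CVE-2017-5972", "CVE-2017-6214"],  # TCP SYN / TCP packet handling
    "gre6": ["CVE-2017-5897"],                  # IPv6 GRE
}
ANY_IP = ["CVE-2017-5970"]  # IP option handling applies to any IP packet


def normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_trusted(ip):
    """True if the parsed address falls inside any trusted subnet."""
    return any(ip.version == net.version and ip in net for net in TRUSTED)


def audit(flows):
    """Return one finding per flow whose source is outside TRUSTED."""
    findings = []
    for flow in flows:
        try:
            ip = normalize(flow["src"])
        except ValueError:
            # Fail closed: a source we cannot parse is never treated as trusted.
            findings.append({"src": flow["src"], "reason": "unparseable", "cves": []})
            continue
        if is_trusted(ip):
            continue
        proto = flow["proto"].lower()
        if proto == "gre" and ip.version == 6:
            proto = "gre6"
        cves = sorted(CVE_SURFACE.get(proto, []) + ANY_IP)
        findings.append({"src": flow["src"], "reason": "untrusted", "cves": cves})
    return findings


# Constructed sample flow records toward a management interface.
SAMPLE_FLOWS = [
    {"src": "10.20.0.15", "proto": "tcp"},
    {"src": "::ffff:10.20.0.16", "proto": "tcp"},  # trusted, IPv4-mapped form
    {"src": "203.0.113.7", "proto": "udp"},
    {"src": "2001:db8::5", "proto": "gre"},
    {"src": "198.51.100.9", "proto": "tcp"},
    {"src": "not-an-ip", "proto": "tcp"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Any finding means the allowlist on that interface is not enforced as intended; the CVE tags only indicate which issues in this advisory that traffic could reach.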

REVISION

2021-07-13 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. Moving Advisory Status to Closed.
2021-05-03 ISG 2.1, 2.2, and 2.3 are vulnerable to CVE-2017-5972. A fix will not be provided because no suitable fix is available for the upstream Linux kernel.
2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-11-13 Content Analysis 3.1 has a vulnerable Linux kernel for CVE-2017-5897, but is not vulnerable to known vectors of attack.
2020-04-30 Advanced Secure Gateway (ASG) 6.6 has a vulnerable Linux kernel for CVE-2017-5897, CVE-2017-5972, and CVE-2017-6745, but is not vulnerable to known vectors of attack. A fix for CVE-2017-5897 and CVE-2017-6745 in ASG 6.6 is available in 6.6.5.10. ASG 6.7 is not vulnerable to CVE-2017-6745 because a fix is available in 6.7.2.1. Content Analysis (CA) 1.3 and 2.1 have a vulnerable Linux kernel for CVE-2017-5897, but are not vulnerable to known vectors of attack. Fixes for CVE-2017-5897 are available in 1.3.7.8 and 2.2.1.1. SSL Visibility (SSLV) 4.0, 4.1, 4.5, and 5.0 have a vulnerable Linux kernel for CVE-2017-5897, but are not vulnerable to known vectors of attack. SSLV 4.2, 4.3, 4.4 are not vulnerable to CVE-2017-5897 because a fix is available in 4.2.1.1. A fix will not be provided for CVE-2017-5897 in SSLV 4.5 and 5.0 because the vulnerability is not considered to have security impact.
2020-04-23 A fix for CVE-2017-6745 in Advanced Secure Gateway (ASG) 6.7 is available in 6.7.4.2. ASG 7.1 and later versions are not vulnerable to CVE-2017-6745 because a fix is available in 7.1.1.1. ASG 6.7 starting with 6.7.4.2, 7.1, and later versions have a vulnerable Linux kernel for CVE-2017-5897, but are not vulnerable to known vectors of attack. Content Analysis (CA) 3.0 is vulnerable to CVE-2017-5897. Security Analytics 8.0 is not vulnerable to all CVEs except CVE-2017-5897 and CVE-2017-5972 because a fix is available in 8.0.1. Fixes will not be provided for CVE-2017-5897 in ASG 6.7 and later versions, CA 3.0, Reporter 10.3 and later versions, and Security Analytics because the vulnerability does not have security impact. A fix will not be provided for ICSP 5.3. Please upgrade to a later version with the vulnerability fixes.
2020-04-04 A fix for CVE-2017-6214 in PolicyCenter S-Series is available in 1.1.4.2. A fix for CVE-2017-6547 for PacketShaper S-Series and PolicyCenter S-Series will not be provided. The products are not vulnerable to known vectors of attack for this CVE.
2020-01-19 A fix for Malware Analysis will not be provided. Please upgrade to a version of Content Analysis with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-08-29 Reporter 10.3 and 10.4 have a vulnerable version of the Linux kernel, but are not vulnerable to known vectors of attack.
2019-01-23 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-10-25 A fix for CVE-2017-5970, CVE-2017-6214, and CVE-2016-10229 in CA 1.3 is available in 1.3.7.8.
2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-07 A fix for CVE-2016-10229, CVE-2017-5970, and CVE-2017-6214 in MA is available in 4.2.12.
2018-08-03 A fix for CVE-2017-5972 will not be provided for any Network Protection products because no suitable fix is available for the Linux kernel.
2018-07-26 MC 2.0 is vulnerable to CVE-2017-5972.
2018-06-26 A fix for CVE-2016-10229, CVE-2017-5970, CVE-2017-6214, CVE-2017-6745, and CVE-2017-5972 in SSLV 4.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-04-22 CA 2.3, PacketShaper S-Series 11.10, and Reporter 10.2 are vulnerable to CVE-2017-5972.
2018-04-12 A fix for all CVEs except CVE-2017-5972 in Reporter 10.1 is available in 10.1.5.5.
2018-02-22 A fix for all CVEs except CVE-2017-5972 in SSLV 3.10 is available in 3.10.4.1.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 A fix for all CVEs except CVE-2017-5972 in SSLV 3.12 is available in 3.12.1.1.
2017-11-15 A fix for all CVEs except CVE-2017-5972 in SSLV 4.2 is available in 4.2.1.1.
2017-11-09 MC 1.11 is vulnerable to CVE-2017-5972. MC 1.11 is not vulnerable to CVE-2016-10229, CVE-2017-5897, CVE-2017-5970, CVE-2017-6214, and CVE-2017-7645 because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 A fix for all CVEs except CVE-2017-5972 in CA 2.2 is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of the Linux kernel for CVE-2017-5972, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 is vulnerable to CVE-2016-10229, CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214. It also has vulnerable code for CVE-2017-5897 and CVE-2017-7645, but is not vulnerable to known vectors of attack.
2017-07-25 PS S-Series 11.9 is vulnerable to CVE-2017-5972 and CVE-2017-7645. PS S-Series 11.9 is not vulnerable to CVE-2017-6214 because a fix is available in 11.9.1.1.
2017-07-23 MC 1.10 is vulnerable to CVE-2017-5972. MC 1.10 is not vulnerable to CVE-2016-10229, CVE-2017-5897, CVE-2017-5970, CVE-2017-6214, and CVE-2017-7645 because a fix is available in 1.10.1.1. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-26 A fix for all CVEs except CVE-2017-5972 in ASG 6.6 is available in 6.6.5.10.
2017-06-22 Security Analytics 7.3 is vulnerable to CVE-2016-10229, CVE-2017-5897, CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214. It also has a vulnerable version of the Linux kernel for CVE-2017-7645, but is not vulnerable to known vectors of attack.
2017-06-05 PS S-Series 11.8 is vulnerable to CVE-2017-5972 and CVE-2017-6214.
2017-05-19 CA 2.1 is vulnerable to CVE-2016-10229, CVE-2017-5897, CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214.
2017-05-09 initial public release
