SA150: NSS Vulnerability April 2017

SUMMARY

Symantec Network Protection products using affected versions of NSS are susceptible to a security vulnerability. A remote attacker can send crafted Base64-encoded data and execute arbitrary code or cause denial of service through an application crash.

AFFECTED PRODUCTS

The following products are vulnerable:

Director

CVE |Affected Version(s)|Remediation
All CVEs | 6.1 | Upgrade to a version of MC with the fixes.

PacketShaper (PS) S-Series

CVE |Affected Version(s)|Remediation
All CVEs | 11.9 and later | Not vulnerable, fixed in 11.9.1.1
11.8 | Upgrade to later release with fixes.
11.7 | Upgrade to later release with fixes.
11.6 | Upgrade to 11.6.4.2.
11.5 | Upgrade to later release with fixes.

PolicyCenter (PC) S-Series

CVE |Affected Version(s)|Remediation
All CVEs | 1.1 | Upgrade to 1.1.4.2.

Security Analytics

CVE |Affected Version(s)|Remediation
All CVEs | 8.0 and later | Not vulnerable, fixed in 8.0.1.
7.3 | Upgrade to 7.3.2.
7.2, 7.1 | Upgrade to later release with fixes.

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
All CVEs | 4.2 and later | Not vulnerable, fixed in 4.2.1.1
4.1 | Upgrade to later release with fixes.
4.0 | Upgrade to later release with fixes.
3.x | Not vulnerable

X-Series XOS

CVE |Affected Version(s)|Remediation
All CVEs | 9.7, 10.0, 11.0 | A fix will not be provided.

The following products have a vulnerable version of NSS, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
All CVEs | 7.1 and later | Not vulnerable, fixed in 7.1.1.1
6.7 | Upgrade to 6.7.3.1.
6.6 | Upgrade to 6.6.5.10.

Content Analysis (CA)

CVE |Affected Version(s)|Remediation
All CVEs | 2.2 and later | Not vulnerable, fixed in 2.2.1.1
2.1 | Upgrade to later release with fixes.
1.3 | Fixed in 1.3.7.8.

Mail Threat Defense (MTD)

CVE |Affected Version(s)|Remediation
All CVEs | 1.1 | Upgrade to a version of CAS and SMG with the fixes.

Management Center (MC)

CVE |Affected Version(s)|Remediation
All CVEs | 1.11 and later | Not vulnerable, fixed in 1.11.1.1
1.10 | Upgrade to later release with fixes.
1.9 | Upgrade to later release with fixes.

Reporter

CVE |Affected Version(s)|Remediation
All CVEs | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
10.1 | Upgrade to 10.1.5.5.
9.5 | Not vulnerable
9.4 | Not vulnerable.

ADDITIONAL PRODUCT INFORMATION

PacketShaper S-Series and PolicyCenter S-Series are only vulnerable through LDAPS client connections.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Norman Shark Industrial Control System Protection
PacketShaper PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP **ProxyClient
ProxySG
Unified Agent
Web Isolation

**

ISSUES

CVE-2017-5461

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 98050 / NVD: CVE-2017-5461 Impact| Denial of service, code execution Description | An out-of-bounds write flaw in the Base64 encoder/decoder allows a remote attacker to send crafted Base64 data, such as an X.509 certificate, and cause denial of service through an application crash. The attacker could also execute arbitrary code with the permission of the application using NSS.

MITIGATION

By default, Director, Security Analytics, and XOS do not use NSS to parse Base64 data from external sources. Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-5461.

CVE-2017-5461 only affects LDAPS client connections in PacketShaper S-Series and PolicyCenter S-Series. Deploying these products in a secure, trusted network reduces the threat of exploiting this vulnerability.

REFERENCES

MFSA 2017-10 - <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/&gt;

REVISION

2021-07-13 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. Moving Advisory Status to Closed.
2020-11-18 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-17 Advanced Secure Gateway (ASG) 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1.
2019-10-02 Web Isolation is not vulnerable.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.2. Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-10-25 A fix for CA 1.3 is available in 1.3.7.8.
2018-08-07 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-06-26 A fix for SSLV 4.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is not vulnerable. PacketShaper S-Series 11.10 is not vulnerable. Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1.
2018-04-12 A fix for Reporter 10.1 is available in 10.1.5.5.
2018-01-31 A fix for ASG 6.7 is avaialble in 6.7.3.1.
2017-12-13 A fix for PS S-Series 11.6 is available in 11.6.4.2.
2017-12-12 A fix for PC S-Series 1.1 is available in 1.1.4.2.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 4.2 is not vulnerable because a fix is available in 4.2.1.1.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CAS 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 is vulnerable.
2017-06-22 Security Analytics 7.3 is vulnerable.2017-07-23 MC 1.10 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-26 A fix for ASG 6.6 is available in 6.6.5.10.
2017-06-22 Security Analytics 7.3 is vulnerable.
2017-06-05 PS S-Series 11.8 has a vulnerable version of NSS.
2017-05-25 initial public release