Source: Symantec Security Response
Advisory ID: SMNTC-1410
Published: Jul 20, 2017 - 8:00 a.m.

SA154: Apache httpd Vulnerabilities June 2017


CVSS3: 9.8 High

Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | PARTIAL
Availability Impact | PARTIAL
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P

SUMMARY

Symantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities. A remote attacker, with access to the management interface, can cause denial of service through application crashes or bypass required authentication.

AFFECTED PRODUCTS

The following products are vulnerable:

Content Analysis (CA)

CVE | Affected Version(s) | Remediation
CVE-2017-3169, CVE-2017-7679 | 2.3 and later | Not vulnerable, fixed in 2.3.1.1
CVE-2017-3169, CVE-2017-7679 | 2.2 | Upgrade to later release with fixes.
CVE-2017-3169, CVE-2017-7679 | 1.3, 2.1 | Not vulnerable

Director

CVE | Affected Version(s) | Remediation
CVE-2017-3167, CVE-2017-3169, CVE-2017-7679 | 6.1 | Upgrade to a version of MC with the fixes.

Malware Analysis (MA)

CVE | Affected Version(s) | Remediation
CVE-2017-3167, CVE-2017-3169, CVE-2017-7668, CVE-2017-7679 | 4.2 | Upgrade to 4.2.12.

Security Analytics

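CVE | Affected Version(s) | Remediation
CVE-2017-3167, CVE-2017-3169, CVE-2017-7679 | 8.0 and later | Not vulnerable, fixed in 8.0.1.
CVE-2017-3167, CVE-2017-3169, CVE-2017-7679 | 7.3 | Upgrade to 7.3.2.
CVE-2017-3167, CVE-2017-3169, CVE-2017-7679 | 7.2 | Upgrade to 7.2.5.
CVE-2017-3167, CVE-2017-3169, CVE-2017-7679 | 7.1 | Upgrade to later release with fixes.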

ADDITIONAL PRODUCT INFORMATION

The following products are not vulnerable:

Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
SSL Visibility
Unified Agent
Web Isolation
WSS Agent
X-Series XOS


ISSUES

CVE-2017-3167

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 99135 / NVD: CVE-2017-3167
Impact | Authentication bypass
Description | A flaw in third-party Apache httpd modules allows a remote attacker to bypass required authentication.

CVE-2017-3169

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 99134 / NVD: CVE-2017-3169
Impact | Denial of service
Description | A flaw in third-party Apache httpd modules allows a remote attacker to send HTTP requests to an HTTPS port and cause denial of service through application crashes.

CVE-2017-7659

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 99132 / NVD: CVE-2017-7659
Impact | Denial of service
Description | A flaw in HTTP/2 request parsing allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through application crashes.

CVE-2017-7668

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 99137 / NVD: CVE-2017-7668
Impact | Denial of service
Description | A buffer overread flaw in HTTP request parsing allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes or have unspecified other impact.

CVE-2017-7679

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 99170 / NVD: CVE-2017-7679
Impact | Denial of service
Description | A buffer overread flaw in HTTP response generation allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes.

MITIGATION

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

By default, Director and MA do not use HTTP Basic Access Authentication in Apache httpd. Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-3167.
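The trusted-network restriction recommended above can be checked after the fact against access records for the management interface. The following is an added example, not code from Symantec or the original advisory: it flags requests whose source address falls outside the trusted subnets. The Common Log Format input, the subnet values and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: subnets allowed to reach the management interface (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.16/28")]

# Constructed sample records in Apache Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.20.0.15 - admin [20/Jul/2017:08:01:12 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.20 - - [20/Jul/2017:08:02:40 +0000] "GET /status HTTP/1.1" 401 128
203.0.113.77 - - [20/Jul/2017:08:03:05 +0000] "GET / HTTP/1.1" 200 1024
not a log line
198.51.100.9 - - [20/Jul/2017:08:04:00 +0000] "POST /api HTTP/1.1" 500 0
"""

# client, identd, user, [timestamp], "request", status, size
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')


def audit(log_text, trusted=TRUSTED_NETS):
    """Return (violations, unparsed).

    violations maps each untrusted client address to a list of
    (timestamp, request line, status) tuples; unparsed holds lines that
    did not match the format or had a non-IP client field.
    """
    violations = defaultdict(list)
    unparsed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            client = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:  # e.g. a hostname logged instead of an address
            client = None
        if client is None:
            unparsed.append(line)
            continue
        # Membership is False when address and network IP versions differ.
        if not any(client in net for net in trusted):
            violations[str(client)].append((m.group(3), m.group(4), int(m.group(5))))
    return dict(violations), unparsed


if __name__ == "__main__":
    hits, skipped = audit(SAMPLE_LOG)
    for client, events in sorted(hits.items()):
        for ts, request, status in events:
            print(f"untrusted source {client} at {ts}: {request!r} -> {status}")
    print(f"{len(skipped)} line(s) could not be parsed and need manual review")
```

Any hit means the allowlist is missing or not enforced on the path that request took; unparsed lines are reported rather than dropped so that malformed records are not silently ignored.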

REFERENCES

Apache httpd 2.2 vulnerabilities - <https://httpd.apache.org/security/vulnerabilities_22.html>
Apache httpd 2.4 vulnerabilities - <https://httpd.apache.org/security/vulnerabilities_24.html>

REVISION

2021-05-19 A fix for Security Analytics 7.2 is available in 7.2.5. WSS Agent is not vulnerable. Moving Advisory Status to Closed.
2020-11-18 A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for Security Analytics 7.3 is available in 7.3.2. Fixes will not be provided for Security Analytics 7.1 and CA 2.2. Please upgrade to a later release with the vulnerability fixes. IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.4. Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2018-07-23 A fix for MA is available in 4.2.12.
2018-04-22 Previously it was reported that Content Analysis is not vulnerable. Further investigation indicates that CA 2.2 is vulnerable to CVE-2017-3169 and CVE-2017-7679. CA 2.3 is not vulnerable because a fix is available in 2.3.1.1.
2017-08-30 Added remaining CVSS v2 scores.
2017-07-20 Initial public release.
