Symantec Security Response | SMNTC-1423
Nov 30, 2017 - 8:00 a.m.

SA157: OpenSSL Vulnerabilities 28-Aug-2017 and 2-Nov-2017


CVSS3: 6.5 Medium

Metric | Value
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | LOW
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | NONE
Availability Impact | NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium

Metric | Value
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

SUMMARY

Symantec Network Protection products using affected versions of OpenSSL are susceptible to several vulnerabilities. A remote attacker can send a crafted X.509 certificate to cause unspecified impact. A remote attacker can also, under certain circumstances, exploit a computational flaw in the Montgomery squaring implementation to obtain private DH key information.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
All CVEs | 6.7, 7.2, 7.3 | Not available at this time
All CVEs | 6.6, 7.1 | Upgrade to later version with fixes.

Android Mobile Agent

CVE |Affected Version(s)|Remediation
All CVEs | 1.3 | Upgrade to 2.0.1.

BCAAA

CVE |Affected Version(s)|Remediation
All CVEs | 6.1 (only when a Novell SSO realm is used) | A fix will not be provided. An updated Novell SSO SDK is no longer available. Please contact Novell for more information.

CacheFlow (CF)

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 3.4 | Upgrade to 3.4.2.9.

Client Connector

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 1.6 | Upgrade to latest version of Unified Agent with fixes.

Content Analysis (CA)

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 3.1 | Not vulnerable, fixed in 3.1.0.0.
CVE-2017-3735 | 3.0 | Not available at this time
CVE-2017-3735 | 2.4 and later | Not vulnerable, fixed in 2.4.1.1.
CVE-2017-3735 | 2.3 | Upgrade to 2.3.5.1.
CVE-2017-3735 | 1.3, 2.1, 2.2 | Upgrade to later version with fixes.

Director

CVE |Affected Version(s)|Remediation
All CVEs | 6.1 | Upgrade to a version of MC with the fixes.

IntelligenceCenter (IC)

CVE |Affected Version(s)|Remediation
All CVEs | 3.3 | Upgrade to a version of NetDialog NetX with fixes.

IntelligenceCenter Data Collector (DC)

CVE |Affected Version(s)|Remediation
All CVEs | 3.3 | Upgrade to a version of NetDialog NetX with fixes.

Mail Threat Defense (MTD)

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 1.1 | Upgrade to a version of CAS and SMG with the fixes.

Malware Analysis (MA)

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 4.2 | Upgrade to 4.2.12.

Management Center (MC)

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 3.0 | Not vulnerable, fixed in 3.0.1.1
CVE-2017-3735 | 2.4 and earlier | Upgrade to later version with fixes.

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 5.4 | Not vulnerable, fixed in 5.4.1
CVE-2017-3735 | 5.3 | Not available at this time

PacketShaper (PS) S-Series

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 11.6, 11.9, 11.10 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement for PS S-Series. Switch to a version of SSG with the vulnerability fixes.

PolicyCenter (PC) S-Series

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 1.1 | A fix will not be provided. Allot NetXplorer is a replacement product for PC S-Series. Switch to a version of NetXplorer with the vulnerability fixes.

ProxyAV

CVE |Affected Version(s)|Remediation
All CVEs | 3.5 | Upgrade to a version of CAS with fixes.

ProxyClient

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 3.4 | Upgrade to the latest version of Unified Agent with fixes.

ProxySG

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 6.7 and later | Upgrade to 6.7.4.1.
CVE-2017-3735 | 6.6 | Upgrade to 6.6.5.14.
CVE-2017-3735 | 6.5 | Upgrade to 6.5.10.8.
CVE-2017-3736 | 6.7 and later | Upgrade to 6.7.4.1.

Reporter

CVE |Affected Version(s)|Remediation
CVE-2017-3736 | 10.1 and later | Not vulnerable
CVE-2017-3736 | 9.5 | Upgrade to later release with fixes.

Security Analytics

CVE |Affected Version(s)|Remediation
CVE-2017-3735, CVE-2017-3736 | 8.0 and later | Not vulnerable, fixed in 8.0.1.
CVE-2017-3735, CVE-2017-3736 | 7.3 | A fix is available in 7.3.3.
CVE-2017-3735, CVE-2017-3736 | 7.2, 7.1 | Upgrade to later version with fixes.

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 4.3 and later | Fixed in 4.3.1.1
CVE-2017-3735 | 4.0, 4.1, 4.2 | Upgrade to later version with fixes.
CVE-2017-3735 | 3.12 | Upgrade to 3.12.2.1.
CVE-2017-3735 | 3.11 | Upgrade to later version with fixes.
CVE-2017-3735 | 3.10 | Upgrade to 3.10.4.1.
CVE-2017-3735 | 3.8.4FC | Upgrade to later version with fixes.

Unified Agent (UA)

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 4.1 | Upgrade to later version with fixes.
All CVEs | 4.10 and later | Not vulnerable, fixed in 4.10.1.
All CVEs | 4.9 | Upgrade to later version with fixes.
All CVEs | 4.8 | Upgrade to later version with fixes.
All CVEs | 4.7 | Upgrade to later version with fixes.
All CVEs | 4.6 | Upgrade to later version with fixes.

X-Series XOS

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 9.7, 10.0, 11.0 | A fix will not be provided.

The following products have a vulnerable version of OpenSSL, but are not vulnerable to known vectors of attack:

PacketShaper

CVE |Affected Version(s)|Remediation
CVE-2017-3735 | 9.2 | Upgrade to a version of PacketShaper S-Series with fixes.

ADDITIONAL PRODUCT INFORMATION

The following products are not vulnerable:
AuthConnector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
HSM Agent for the Luna SP
K9
ProxyAV ConLog and ConLogXP
Unified Agent
Web Isolation
WSS Agent

Symantec Network Protection products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Symantec urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not enable or use all functionality within OpenSSL. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • MA: CVE-2017-3736
  • PacketShaper: CVE-2017-3735
  • PolicyCenter: CVE-2017-3735
  • Reporter 9.5 and 10.x: CVE-2017-3735

ISSUES

CVE-2017-3735

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 100515 / NVD: CVE-2017-3735
Impact | Unspecified
Description | A buffer overread flaw in X.509 certificate parsing allows a remote attacker to send crafted X.509 certificates and have unspecified impact.

CVE-2017-3736

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 100666 / NVD: CVE-2017-3736
Impact | Information disclosure
Description | A carry propagating flaw in Montgomery squaring computations allows a remote attacker, under certain circumstances, to obtain private DH key information.

REFERENCES

OpenSSL Security Advisory [28 Aug 2017] - <https://www.openssl.org/news/secadv/20170828.txt>
OpenSSL Security Advisory [02 Nov 2017] - <https://www.openssl.org/news/secadv/20171102.txt>

REVISION

2021-08-27 Unified Agent is not vulnerable.
2021-08-18 WSS Agent is not vulnerable.
2021-07-13 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-02-17 A fix for MC 2.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-10 A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-18 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-11-12 CA 3.1 is not vulnerable because a fix is available in 3.1.0.0. It was previously reported that CA 3.0 is vulnerable to CVE-2017-3736. CA 3.0 is not vulnerable to CVE-2017-3736. CA 3.0 is vulnerable to CVE-2017-3735.
2020-08-19 MC 3.0 is not vulnerable because a fix is available in 3.0.1.1. A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-04-17 Advanced Secure Gateway (ASG) 7.1 and 7.2 are vulnerable. A fix for Content Analysis (CA) 2.3 is available in 2.3.5.1. CA 2.4 is not vulnerable because a fix is available in 2.4.1.1. CA 3.0 is vulnerable to CVE-2017-3736. Management Center (MC) 2.4 is vulnerable to CVE-2017-3735.
2020-04-04 A fix for PacketShaper S-Series will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Please switch to a version of Allot SSG with the vulnerability fixes. A fix for PolicyCenter S-Series will not be provided. Allot NetXplorer is a replacement product for PolicyCenter S-Series. Please switch to a version of NetXplorer with the vulnerability fixes.
2020-01-15 A fix will not be provided for ProxyAV 3.5. Please upgrade to a version of Content Analysis with the vulnerability fixes.
2019-10-10 A fix will not be provided for PacketShaper 9.2. Please upgrade to a version of PacketShaper S-Series with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-30 Reporter 10.x is not vulnerable.
2019-08-22 A fix for IntelligenceCenter (IC) 3.3 and IntelligenceCenter Data Collector (DC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-08-12 MC 2.2 and MC 2.3 are vulnerable to CVE-2017-3735. A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-05 A fix for Reporter 9.5 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-29 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.3. Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2019-01-18 A fix for SSLV 4.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-14 MC 2.1 is vulnerable to CVE-2017-3735. A fix for MC 1.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-10-31 A fix for ProxySG 6.7 is available in 6.7.4.107.
2018-08-07 A fix for ProxySG 6.6 is available in 6.6.5.14. A fix for Android Mobile Agent is available in 2.0.1.
2018-07-27 UA 4.10 is not vulnerable because a fix is available in 4.10.1. A fix for MA 4.2 is available in 4.2.12.
2018-07-26 A fix for CacheFlow is available in 3.4.2.9. MC 2.0 is vulnerable to CVE-2017-3735.
2018-07-01 A fix for SSLV 4.3 is available in 4.3.1.1.
2018-04-22 CA 2.3 and PacketShaper S-Series 11.10 are vulnerable to CVE-2017-3735.
2018-02-22 A fix for SSLV 3.10 is available in 3.10.4.1.
2018-02-05 A fix for SSLV 3.12 is available in 3.12.2.1.
2018-02-01 A fix for ProxySG 6.5 is available in 6.5.10.8.
2018-02-01 It was previously reported that ProxySG 6.5, 6.6, and 6.7 are vulnerable to CVE-2017-3736. Further investigation indicates that ProxySG 6.5 and 6.6 are not vulnerable to this CVE.
2017-11-30 initial public release
