Lucene search

K
symantecSymantec Security ResponseSMNTC-1428
HistoryJan 16, 2018 - 8:00 a.m.

SA159: OpenSSL Vulnerabilities 7-Dec-2017

2018-01-1608:00:00
Symantec Security Response
31

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

SUMMARY

Symantec Network Protection products using affected versions of OpenSSL are susceptible to two security vulnerabilities. A remote attacker can obtain Diffie-Hellman private key information and sensitive information accidentally transmitted in plaintext over an SSL/TLS connection.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
All CVEs | 6.7, 7.2, 7.3 | Not available at this time
7.1 | Upgrade to later release with fixes.
6.6 | Not vulnerable

Android Mobile Agent

CVE |Affected Version(s)|Remediation
All CVEs | 1.3 | Upgrade to 2.0.1.

Director

CVE |Affected Version(s)|Remediation
CVE-2017-3737 | Director 6.1 | Upgrade to a version of MC with the fixes.

Malware Analysis (MA)

CVE |Affected Version(s)|Remediation
CVE-2017-3737 | 4.2 | Upgrade to 4.2.12.

ProxySG

CVE |Affected Version(s)|Remediation
All CVEs | 6.7 (starting with 6.7.2.1) | Upgrade to 6.7.4.107 (EA).
6.6 | Not vulnerable
6.5 | Not vulnerable

Reporter

CVE |Affected Version(s)|Remediation
All CVEs | 10.5 | Not vulnerable, fixed in 10.5.1.1
10.3, 10.4 | Upgrade to later release with fixes.
10.1, 10.2 | Not vulnerable
9.5 (starting with 9.5.2.1) | Upgrade to later release with fixes.

Security Analytics

CVE |Affected Version(s)|Remediation
CVE-2017-3737 | 8.0 and later | Not vulnerable, fixed in 8.0.1
7.3 | Upgrade to 7.3.3.
7.2 | Upgrade to later release with fixes.
7.1 | Not vulnerable

Unified Agent (UA)

CVE |Affected Version(s)|Remediation
All CVEs | 4.10 | Not vulnerable, fixed in 4.10.1
4.9 | Upgrade to later release with fixes.
4.8 | Upgrade to later release with fixes.
4.7 | Upgrade to later release with fixes.
CVE-2017-3737 | 4.6 (starting with 4.6.1) | Upgrade to later release with fixes.
CVE-2017-3738 | 4.6 | Upgrade to later release with fixes.

The following products have a vulnerable version of OpenSSL, but are not vulnerable to known vectors of attack:

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
All CVEs | 4.3 and later | Not vulnerable, fixed in 4.3.1.1
4.0, 4.1, 4.2 | Upgrade to later release with fixes.
3.12 | Upgrade to later release with fixes.
3.11 | Upgrade to later release with fixes.
3.10 | Upgrade to later release with fixes.
3.8.4FC | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Symantec Network Protection products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Symantec urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not enable or use all functionality within OpenSSL. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • Director: CVE-2017-3738
  • Malware Analysis: CVE-2017-3738
  • Security Analytics 7.2 and 7.3: CVE-2017-3738
  • SSLV: all CVEs

The following products are not vulnerable:
AuthConnector BCAAA Symantec HSM Agent for the Luna SP
CacheFlow
**Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Content Analysis
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Unified Agent
Web Isolation
WSS Agent
X-Series XOS

**

ISSUES

CVE-2017-3737

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) References| SecurityFocus: BID 102103 / NVD: CVE-2017-3737 Impact| Information disclosure Description | An incorrect error handling flaw allows a remote attacker to obtain sensitive information accidentally transmitted in plaintext over an SSL/TLS connection.

CVE-2017-3738

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) References| SecurityFocus: BID 102118 / NVD: CVE-2017-3738 Impact| Information disclosure Description | An overflow flaw in the AVX2 Montgomery multiplication procedure allows a remote attacker to obtain Diffie-Hellman private key information.

REFERENCES

OpenSSL Security Advisory [7 Dec 2017] - <https://www.openssl.org/news/secadv/20171207.txt&gt;

REVISION

2021-08-27 Unified Agent is not vulnerable.
2021-08-18 WSS Agent is not vulnerable.
2021-07-13 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-10 A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-18 A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-04-17 Advanced Secure Gateway (ASG) 6.7, 7.1, and 7.2 are vulnerable. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. A fix for Reporter 10.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-08-30 Reporter 10.3 and 10.4 are vulnerable.
2019-08-05 A fix for Reporter 9.5 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.3. Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2019-01-18 A fix for SSLV 4.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-07 A fix for ASG 6.7 and ProxySG 6.7 is available in 6.7.4.107 (EA release). A fix for Android Mobile Agent is available in 2.0.1.
2018-07-27 UA 4.10 is not vulnerable because a fix is available in 4.10.1. A fix for MA 4.2 is available in 4.2.12.
2018-07-01 A fix for SSLV 4.3 is available in 4.3.1.1.
2018-02-05 A fix for SSLV 3.12 is available in 3.12.2.1.
2018-01-16 initial public release

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N