CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS2: 5.0 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Symantec Network Protection products using affected versions of OpenSSH are susceptible to a security vulnerability. A remote attacker with read-only access to an SFTP server can create a large number of zero-length files and deplete the target’s hard disk space.
The following products are vulnerable:
| Product | CVE | Affected Version(s) | Remediation |
|---|---|---|---|
| Director | CVE-2017-15906 | 6.1 | Upgrade to a version of MC with the fixes. |
| Malware Analysis (MA) | CVE-2017-15906 | 4.2 | Upgrade to 4.2.12. |
| ICSP | CVE-2017-15906 | 6.0 | Not vulnerable, fixed in 6.0.1 |
| Security Analytics | CVE-2017-15906 | 8.1 and later | Not vulnerable, fixed in 8.1.1 |
| Security Analytics | CVE-2017-15906 | 7.2, 7.3, 8.0 | Upgrade to later version with fixes. |
| Security Analytics | CVE-2017-15906 | 7.1 | Not vulnerable |
The following products have a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:
| Product | CVE | Affected Version(s) | Remediation |
|---|---|---|---|
| SSLV | CVE-2017-15906 | 4.0 and later | Not vulnerable |
| SSLV | CVE-2017-15906 | 3.12 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
| SSLV | CVE-2017-15906 | 3.11 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
| SSLV | CVE-2017-15906 | 3.10 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
| SSLV | CVE-2017-15906 | 3.8.4FC (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
Some Symantec Network Protection products do not enable or use all functionality within OpenSSH. The products listed below do not provide an SFTP server and are thus not known to be vulnerable to CVE-2017-15906. However, fixes will be included in the patches that are provided:
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Content Analysis
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Unified Agent
Web Isolation
X-Series XOS
| CVE-2017-15906 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) |
| References | SecurityFocus: BID 101552 / NVD: CVE-2017-15906 |
| Impact | Denial of service |
| Description | An unauthorized access flaw in sftp-server read-only mode allows remote attackers to create zero-length files and deplete the target's hard disk space. |
By default, Director and Security Analytics do not provide an SFTP server. Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-15906.
By default, Malware Analysis does not provide an SFTP server in read-only mode. Customers who leave this behavior unchanged prevent attacks against MA using CVE-2017-15906.
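Because CVE-2017-15906 only concerns sftp-server's read-only mode (the `-R` flag), a quick exposure check on any OpenSSH host is whether an SFTP subsystem or forced command is configured at all, and if so whether it is read-only. The following script is an added example, not part of this advisory or of any Symantec product; it parses an sshd_config and reports each SFTP exposure, and the sample configuration it scans is constructed.

```python
"""Report SFTP subsystems / forced commands in an sshd_config and
flag those running in read-only mode (sftp-server -R)."""
import re
import shlex

# Constructed sample sshd_config; not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
# Global SFTP subsystem, read-write
Subsystem sftp /usr/libexec/openssh/sftp-server

Match Group readonly-users
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp -R
"""


def find_sftp_exposures(config_text):
    """Return (scope, command, read_only) tuples.

    scope is 'global' or the enclosing 'Match ...' line; read_only is
    True when the sftp-server / internal-sftp command carries -R.
    """
    exposures = []
    scope = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = line                     # directives below belong to this block
            continue
        if key == "subsystem":
            name, _, command = rest.partition(" ")
            if name.lower() != "sftp":
                continue
        elif key == "forcecommand":
            command = rest
        else:
            continue
        args = shlex.split(command)
        if not args or not re.search(r"(sftp-server|internal-sftp)$", args[0]):
            continue
        # -R may be bundled with other single-letter flags, e.g. -Re
        read_only = any(re.fullmatch(r"-[A-Za-z]+", a) and "R" in a for a in args[1:])
        exposures.append((scope, args[0], read_only))
    return exposures


def read_only_sftp_enabled(config_text):
    """True if any SFTP subsystem or forced command runs read-only."""
    return any(ro for _, _, ro in find_sftp_exposures(config_text))


if __name__ == "__main__":
    for scope, command, ro in find_sftp_exposures(SAMPLE_SSHD_CONFIG):
        print(f"{scope}: {command} read_only={ro}")
```

Run it against `/etc/ssh/sshd_config` on a host you administer; a read-only exposure on an OpenSSH build without the fix is the condition the advisory describes.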
OpenSSH Security - <https://www.openssh.com/security.html>
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. ICSP 6.0 is not vulnerable because a fix is available in 6.0.1. Moving Advisory Status to Closed.
2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-18 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-17 Security Analytics 8.1 is not vulnerable because a fix is available in 8.1.1.
2019-10-02 Web Isolation is not vulnerable.
2019-01-21 Security Analytics 8.0 is vulnerable.
2018-07-27 A fix for MA 4.2 is available in 4.2.12.
2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-01-30 initial public release