Symantec Security Response, SMNTC-1430
Published: Jan 30, 2018 - 8:00 a.m.

SA163: OpenSSH Vulnerability October 2017

CVSS3: 5.3 Medium

Metric | Value
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | NONE
Integrity Impact | LOW
Availability Impact | NONE

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS2: 5 Medium

Metric | Value
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | NONE

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

SUMMARY

Symantec Network Protection products using affected versions of OpenSSH are susceptible to a security vulnerability. A remote attacker with read-only access to an SFTP server can create a large number of zero-length files and deplete the target’s hard disk space.

AFFECTED PRODUCTS

The following products are vulnerable:

Director

CVE | Affected Version(s) | Remediation
CVE-2017-15906 | 6.1 | Upgrade to a version of MC with the fixes.

Malware Analysis (MA)

CVE | Affected Version(s) | Remediation
CVE-2017-15906 | 4.2 | Upgrade to 4.2.12.

Norman Shark Industrial Control System Protection (ICSP)

CVE | Affected Version(s) | Remediation
CVE-2017-15906 | 6.0 | Not vulnerable, fixed in 6.0.1

Security Analytics

CVE | Affected Version(s) | Remediation
CVE-2017-15906 | 8.1 and later | Not vulnerable, fixed in 8.1.1
CVE-2017-15906 | 7.2, 7.3, 8.0 | Upgrade to later version with fixes.
CVE-2017-15906 | 7.1 | Not vulnerable

The following products have a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
CVE-2017-15906 | 4.0 and later | Not vulnerable
CVE-2017-15906 | 3.12 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
CVE-2017-15906 | 3.11 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
CVE-2017-15906 | 3.10 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
CVE-2017-15906 | 3.8.4FC (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Some Symantec Network Protection products do not enable or use all functionality within OpenSSH. The products listed below do not provide an SFTP server and are thus not known to be vulnerable to CVE-2017-15906. However, fixes will be included in the patches that are provided:

  • SSLV 3.x

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Content Analysis
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Unified Agent
Web Isolation
X-Series XOS

ISSUES

CVE-2017-15906

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 101552 / NVD: CVE-2017-15906
Impact | Denial of service
Description | An unauthorized access flaw in sftp-server read-only mode allows remote attackers to create zero-length files and deplete the target’s hard disk space.

MITIGATION

By default, Director and Security Analytics do not provide an SFTP server. Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-15906.

By default, Malware Analysis does not provide an SFTP server in read-only mode. Customers who leave this behavior unchanged prevent attacks against MA using CVE-2017-15906.
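
An added example (not Symantec's or OpenSSH's code) that audits sshd_config text for the condition the mitigation describes: whether an SFTP server is enabled and whether it runs in read-only mode, selected by the `-R` option of sftp-server. The sample configuration is constructed; the audit assumes whitespace-separated directives and reports configuration only, not whether the installed OpenSSH build carries the fix.

```python
import os
import shlex

# sftp-server options that take a value, per sftp-server(8); -R takes none.
ARG_OPTS = set("dflPpQu")

def has_read_only_flag(args):
    """getopt-style scan for -R, including clusters such as -eR."""
    skip = False
    for arg in args:
        if skip or not arg.startswith("-"):
            skip = False
            continue
        for i, ch in enumerate(arg[1:], start=1):
            if ch == "R":
                return True
            if ch in ARG_OPTS:
                skip = i == len(arg) - 1  # the value is the next token
                break
    return False

def audit_sftp(config_text):
    """Return (line_no, keyword, read_only) for each directive serving SFTP."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        try:
            tokens = shlex.split(raw, comments=True)
        except ValueError:
            continue  # unbalanced quotes: skip the line
        keyword = tokens[0].lower() if tokens else ""  # keywords are case-insensitive
        if keyword == "subsystem" and tokens[1:2] == ["sftp"]:
            command = tokens[2:]
        elif keyword == "forcecommand":
            command = tokens[1:]
        else:
            continue
        if command and os.path.basename(command[0]) in ("sftp-server", "internal-sftp"):
            findings.append((line_no, keyword, has_read_only_flag(command[1:])))
    return findings

# Constructed sample configuration, not taken from any Symantec product.
SAMPLE = """\
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp /usr/libexec/openssh/sftp-server -l ERROR
Match Group partners
    ForceCommand internal-sftp -eR -u 0027
"""

print(audit_sftp(SAMPLE))
```

A finding with `read_only` set to `True` marks a directive that runs the SFTP server in the mode CVE-2017-15906 affects; an empty result means the configuration does not serve SFTP at all.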

REFERENCES

OpenSSH Security - <https://www.openssh.com/security.html>

REVISION

2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. ICSP 6.0 is not vulnerable because a fix is available in 6.0.1. Moving Advisory Status to Closed.
2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-18 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-17 Security Analytics 8.1 is not vulnerable because a fix is available in 8.1.1.
2019-10-02 Web Isolation is not vulnerable.
2019-01-21 Security Analytics 8.0 is vulnerable.
2018-07-27 A fix for MA 4.2 is available in 4.2.12.
2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-01-30 initial public release
