Symantec Security ResponseSMNTC-1462OpenSSL Vulnerabilities 16-Apr-2018 and 12-Jun-2018
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
SUMMARY
Symantec Network Protection products using affected versions of OpenSSL are susceptible to several vulnerabilities. A malicious SSL/TLS server can send large DH parameters during connections using DH/DHE cipher suites and cause denial-of-service in the SSL/TLS client. A local attacker can perform cache timing attacks against an application generating an RSA key and obtain the generated private key.
AFFECTED PRODUCTS
The following products are vulnerable:
Advanced Secure Gateway (ASG)
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 6.6, 7.1 | Upgrade to later release with fixes.
6.7, 7.2, 7.3 | Not available at this time
BCAAA
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 6.1 (only when Novell SSO realm is used) | Not available at this time
CacheFlow
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 3.4 | A fix will not be provided. Please switch to a version ProxySG MACH5 Edition with fixes.
Content Analysis (CA)
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 1.3, 2.1, 2.2, 2.3 | Upgrade to later version with fixes.
2.4, 3.0 | Not available at this time
3.1 | Not vulnerable, fixed in 3.1.0.0.
Director
CVE |Affected Version(s)|Remediation
CVE-2018-0732, CVE-2018-0737 | 6.1 | Upgrade to a version of MC with the fixes.
IntelligenceCenter (IC)
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 3.3 | Upgrade to a version of NetDialog NetX with fixes.
IntelligenceCenter Data Collector (DC)
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 3.3 | Upgrade to a version of NetDialog NetX with fixes.
Mail Threat Defense (MTD)
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 3.3 | Upgrade to a version of CAS and SMG with the fixes.
Malware Appliance (MA)
CVE |Affected Version(s)|Remediation
CVE-2018-0732, CVE-2018-0737 | 4.2 | Upgrade to a version of CA with fixes.
Management Center (MC)
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 2.4 and earlier | Upgrade to later version with fixes.
3.0 | Not vulnerable, fixed in 3.0.1.1
PacketShaper (PS)
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 9.2 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper. Switch to a version of SSG with the vulnerability fixes.
PacketShaper (PS) S-Series
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 11.6, 11.9, 11.10 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PS S-Series. Switch to a version of SSG with the vulnerability fixes.
PolicyCenter (PC)
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 9.2 | A fix will not be provided. Allot NetXplorer is a replacement product for PolicyCenter. Switch to a version of NetXplorer with the vulnerability fixes.
PolicyCenter (PC) S-Series
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 1.1 | A fix will not be provided. Allot NetXplorer is a replacement product for PC S-Series. Switch to a version of NetXplorer with the vulnerability fixes.
ProxyAV
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 3.5 | Upgrade to a version of CA with fixes.
ProxySG
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 6.5, 6.6 | Upgrade to later release with fixes.
6.7 | Upgrade to 6.7.4.141.
7.1 and later | Not vulnerable, fixed in 7.1.1.1.
Reporter
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 9.5, 10.1, 10.2, 10.3, 10.4 | Upgrade to later release with fixes.
10.5 | Not vulnerable, fixed in 10.5.1.1
CVE-2018-0737 | 9.5 | Upgrade to later release with fixes.
Security Analytics (SA)
CVE |Affected Version(s)|Remediation
CVE-2018-0732, CVE-2018-0737 | 7.1, 7.2, 7.3, 8.0 | Upgrade to later version with fixes.
8.1, 8.2 | Not available at this time
SSL Visibility (SSLV)
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 3.10 | Upgrade to later release with fixes.
3.12 | Upgrade to later release with fixes.
4.2, 4.3 | Upgrade to later release with fixes.
4.4 and later | Not vulnerable, fixed in 4.4.1.1
Unified Agent (UA)
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 4.10 | Upgrade to a version of WSS Agent with fixes.
WSS Mobile Agent
CVE |Affected Version(s)|Remediation
CVE-2018-0732 | 2.0 | A fix will not be provided. Please switch to a version of SEP Mobile with fixes.
X-Series XOS
CVE |Affected Version(s)|Remediation
CVE-2018-0732, CVE-2018-0737 | 10.0, 11.0 | A fix will not be provided.
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable:
**AuthConnector
Auth Connector Login Application
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM on Demand
Cloud Data Protection Communication Server
Cloud Data Protection Integration Server
HSM Agent for the Luna SP
ProxyAV ConLog and ConLogXP
Web Isolation
**WSS Agent
ISSUES
CVE-2018-0732
Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 104442 / NVD: CVE-2018-0732 Impact| Denial of service Description | A flaw in the SSL client implementation allows malicious servers to send large DH parameters during connections using DH(E) cipher suites and cause denial of service.
CVE-2018-0737
Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) References| SecurityFocus: BID 103766 / NVD: CVE-2018-0737 Impact| Information disclosure Description | A cache timing side channel flaw in RSA key generation allows local attackers to mount cache timing attacks during RSA key generation and recover the generated private key.
MITIGATION
CVE-2018-0732 can be mitigated in ProxySG by disabling all DH and DHE cipher suites for all SSL device profiles.
REFERENCES
OpenSSL Security Advisory [16-Apr-2018] - <https://www.openssl.org/news/secadv/20180416.txt>
OpenSSL Security Advisory [12-Jun-2018] - <https://www.openssl.org/news/secadv/20180612.txt>
REVISION
2021-08-27 Unified Agent is not vulnerable.
2021-08-18 WSS Agent is not vulnerable.
2021-07-19 A fix for WSS Mobile Agent 2.0 will not be provided. Please switch to a version of SEP Mobile with the vulnerability fixes.
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-04-01 A fix for Unified Agent 4.10 will not be provided. Please upgrade to a version of WSS Agent with the vulnerability fixes.
2021-02-18 A fix for CA 2.3 and MC 2.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-09 A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-19 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is not vulnerable because a fix is available in 3.1.0.0.
2020-08-19 MC 3.0 is not vulnerable because a fix is available in 3.0.1.1. A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-06-01 A fix will not be provided for CacheFlow. Please switch to a version of ProxySG MACH5 Edition with the vulnerability fixes.
2020-04-30 A fix will not be provided for ProxySG 6.5. Please upgrade to a later version with the vulnerability fixes. ProxySG 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Advanced Secure Gateway (ASG) 7.1 and 7.2 are vulnerable to CVE-2018-0732.
2020-04-08 Content Analysis 2.4 and 3.0 are vulnerable to CVE-2018-0732. Security Analytics 8.1 is vulnerable to CVE-2018-0732 and CVE-2018-0737. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Fixes will not be provided for Management Center 2.2 and Reporter 10.3. Please upgrade to later versions with the vulnerability fixes.
2020-04-04 A fix for PacketShaper S-Series will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes. A fix for PolicyCenter S-Series will not be provided. Allot NetXplorer is a replacement product for PolicyCenter S-Series. Switch to a version of NetXplorer with the vulnerability fixes.
2020-01-19 A fix for Malware Analysis will not be provided. Please upgrade to a version of Content Analysis with the vulnerability fixes.
2020-01-15 A fix for ProxyAV will not be provided. Please upgrade to a version of Content Analysis with the vulnerability fixes.
2019-10-10 A fix for PacketShaper 9.2 will not be provided. Please upgrade to a version of PacketShaper S-Series with the vulnerability fixes. A fix for PolicyCenter 9.2 will not be provided. Please upgrade to a version of PolicyCenter S-Series with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-30 Reporter 10.4 is vulnerable to CVE-2018-0732.
2019-08-22 A fix for IntelligenceCenter (IC) 3.3 and IntelligenceCenter Data Collector (DC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-08-12 MC 2.2 and MC 2.3 are vulnerable to CVE-2018-0732. A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-07 A fix for ASG 6.6 and ProxySG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-05 A fix for Reporter 9.5 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-05 A fix for SSLV 4.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-06-25 ASG 6.7 is vulnerable to CVE-2018-0732.
2019-02-27 Added mitigation for CVE-2018-0732 in ProxySG.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 Security Analytics 8.0 is vulnerable to all CVEs.
2019-01-14 MC 2.1 and Reporter 10.3 are vulnerable to CVE-2018-0732. A fix for MC 1.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-10-10 initial public release
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P