Symantec Security Response, SMNTC-17570
History: Mar 09, 2021 - 7:16 p.m.

OpenSSL Vulnerabilities Sep 2020 - Feb 2021


EPSS: 0.008 (percentile 82.5%)

Summary

Symantec Network and Information Security (NIS) products that embed affected versions of OpenSSL may be susceptible to multiple vulnerabilities. Depending on the CVE, a remote attacker may be able to decrypt communication sent over an SSL/TLS connection, downgrade a newly established SSL/TLS connection to SSLv2, or cause a denial of service through an application crash.

Affected Product(s)

The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.

Advanced Secure Gateway (ASG)

CVE | Supported Version(s) | Remediation
CVE-2020-1971 | 6.7 | Upgrade to 6.7.5.9.
CVE-2020-1971 | 7.2 | Upgrade to 7.2.5.1.
CVE-2020-1971 | 7.3 | Upgrade to 7.3.2.1.
CVE-2021-23840, CVE-2021-23841 | 6.7, 7.2, 7.3 | Remediation is not available at this time.

BCAAA

CVE | Supported Version(s) | Remediation
All CVEs | 6.1 (only when a Novell SSO realm is used) | A fix will not be provided. The vulnerable OpenSSL library is in the Novell SSO SDK, and an updated Novell SSO SDK is no longer available. Please contact Novell for more information.

Content Analysis (CA)

CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 2.4, 3.0, 3.1 | Remediation is not available at this time.

Integrated Security Gateway (ISG)

CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 2.1, 2.2, 2.3 | Remediation is not available at this time.

Management Center (MC)

CVE | Supported Version(s) | Remediation
CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 3.0 | Upgrade to a later release with fixes.
CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 3.1, 3.2 | Remediation is not available at this time.

PacketShaper (PS) S-Series

CVE | Supported Version(s) | Remediation
CVE-2020-1968, CVE-2021-23841 | 11.10 | Remediation is not available at this time.

PolicyCenter (PC) S-Series

CVE | Supported Version(s) | Remediation
CVE-2020-1968, CVE-2021-23841 | 1.1 | Remediation is not available at this time.

ProxySG

CVE | Supported Version(s) | Remediation
CVE-2020-1971 | 6.7 | Upgrade to 6.7.5.9.
CVE-2020-1971 | 7.2 | Upgrade to 7.2.5.1.
CVE-2020-1971 | 7.3 | Upgrade to 7.3.2.1.
CVE-2021-23840 | 6.7 | Upgrade to 6.7.5.14.
CVE-2021-23840 | 7.2 | Remediation is not available at this time.
CVE-2021-23840 | 7.3 | Upgrade to 7.3.4.1.

Reporter

CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 10.5, 10.6 | Remediation is not available at this time.

Security Analytics (SA)

CVE | Supported Version(s) | Remediation
CVE-2020-1968, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 7.2 | Upgrade to a later release with fixes.
CVE-2020-1968, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 8.1 | Remediation is not available at this time.
CVE-2020-1968, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 8.2 | Upgrade to 8.2.4.

SSL Visibility (SSLV)

CVE | Supported Version(s) | Remediation
CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 4.5 | Upgrade to 4.5.6.1.
CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 5.2 | Not vulnerable; fixed in 5.2.1.1.

Symantec Messaging Gateway (SMG)

CVE | Supported Version(s) | Remediation
CVE-2020-1968, CVE-2021-23840, CVE-2021-23841 | 10.7 | Remediation is not available at this time.

Unified Agent (UA)

CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 4.10 | Upgrade to a version of WSS Agent with fixes.

Web Isolation (WI)

CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 1.14, 1.15 | Remediation is not available at this time.

WSS Agent

CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 7.2 | Upgrade to a later release with fixes.
CVE-2021-23840, CVE-2021-23841 | 7.3 | Not vulnerable; fixed in 7.3.1.

WSS Mobile Agent

CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 2.0 | A fix will not be provided. Please switch to a version of SEP Mobile with fixes.

Additional Product Information

The following products are not vulnerable:
AuthConnector
General Auth Connector Login Application
HSM Agent

Issue Details

CVE-2020-1968

Severity / CVSS v3.1: Low / 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2020-1968
Impact: Information disclosure
Description: A flaw in Diffie-Hellman (DH) cipher suite handling (the "Raccoon" attack) allows a remote attacker, against a server that reuses the same DH secret across TLS connections, to compute the pre-master secret of a TLS connection and decrypt all encrypted communication sent over that connection.

CVE-2020-1971

Severity / CVSS v3.1: Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2020-1971
Impact: Denial of service
Description: A flaw in X.509 GENERAL_NAME comparison (mishandling of the EDIPARTYNAME type) allows a remote attacker to trigger a NULL pointer dereference and cause denial of service through an application crash, for example when a CRL's issuer name is compared with a certificate's CRL distribution point.

CVE-2021-23839

Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
References: NVD: CVE-2021-23839
Impact: Protocol downgrade
Description: A version rollback vulnerability in SSL version handling allows a remote man-in-the-middle attacker to downgrade a newly established SSL/TLS connection to SSLv2. Only OpenSSL 1.0.2 builds with SSLv2 support are affected; OpenSSL 1.1.x no longer supports SSLv2. No product in the Affected Product(s) tables above is listed as vulnerable to this CVE.

CVE-2021-23840

Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2021-23840
Impact: Denial of service
Description: An integer overflow in the symmetric encryption functions EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate, reachable when the input length is close to the platform's maximum int value, makes the call report success while returning a negative output length. An application that acts on that length may behave incorrectly or crash.

CVE-2021-23841

Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2021-23841
Impact: Denial of service
Description: An error-handling flaw in X509_issuer_and_serial_hash() when parsing a maliciously constructed certificate issuer field allows an attacker to trigger a NULL pointer dereference and cause denial of service through an application crash. OpenSSL does not call this function internally, so only applications that call it directly are exposed.

Mitigations

CVE-2020-1968 is exploitable in CA, Security Analytics, and SMG only when customers enable cipher suites using static DH key exchange for SSL/TLS server connections. Cipher suites using ephemeral DH key exchange are not impacted by this CVE, offer better security in general (a fresh DH secret per connection), and should be used instead. Static DH cipher suites have names that start with "DH-" (OpenSSL naming) or "TLS_DH_" (IANA naming), but not "TLS_DH_anon_". Ephemeral DH cipher suites have names that start with "DHE-" or "TLS_DHE_".
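The naming rule above is easy to apply by eye to a handful of suites, but appliance cipher lists are long. The following is an added example, not code from the Symantec advisory or from any Symantec product: it classifies suite names with the advisory's rule, parses the output of `openssl ciphers -v` (a constructed sample is embedded) and uses its Kx= column as a second signal, and rebuilds the list with static DH removed. The treatment of OpenSSL's legacy "EDH-" (ephemeral) and "ADH-" (anonymous) prefixes, and the "Kx=DH/RSA" / "Kx=DH/DSS" heuristic, are assumptions drawn from OpenSSL's naming and are not stated in the advisory.

```python
"""Audit an OpenSSL cipher list for static Diffie-Hellman suites (CVE-2020-1968).

Added example; not part of the Symantec advisory or of any Symantec product.
Naming rule from the advisory: static DH suites are "DH-..." / "TLS_DH_..."
(excluding "TLS_DH_anon_..."), ephemeral DH suites are "DHE-..." / "TLS_DHE_...".
Assumptions beyond the advisory: OpenSSL's legacy "EDH-" prefix is ephemeral,
"ADH-" is anonymous, and `openssl ciphers -v` prints Kx=DH/RSA or Kx=DH/DSS
for static DH suites.
"""
import re
from typing import List, Tuple

STATIC_DH = "static-DH"
ANON_DH = "anon-DH"
EPHEMERAL_DH = "ephemeral-DH"
OTHER = "other"

# One line of `openssl ciphers -v` output: NAME PROTO Kx=... Au=... Enc=... Mac=...
CIPHERS_V_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")

# Constructed sample of `openssl ciphers -v` output (not captured from a real system).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DH-DSS-AES256-GCM-SHA384    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384       TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
"""


def classify_suite(name: str) -> str:
    """Classify a cipher suite by its IANA (TLS_...) or OpenSSL name."""
    n = name.strip()
    if n.startswith("TLS_DH_anon_"):
        return ANON_DH
    if n.startswith("TLS_DHE_"):
        return EPHEMERAL_DH
    if n.startswith("TLS_DH_"):
        return STATIC_DH
    if n.startswith("ADH-"):                          # assumption: OpenSSL anonymous DH
        return ANON_DH
    if n.startswith("DHE-") or n.startswith("EDH-"):  # EDH- is an assumption (legacy name)
        return EPHEMERAL_DH
    if n.startswith("DH-"):
        return STATIC_DH
    return OTHER


def parse_ciphers_v(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, kx, au) for every parsable line of `openssl ciphers -v` output."""
    rows = []
    for line in text.splitlines():
        m = CIPHERS_V_RE.match(line.strip())
        if m:
            rows.append((m["name"], m["kx"], m["au"]))
    return rows


def is_static_dh(name: str, kx: str) -> bool:
    """Static DH if either the name rule or the Kx column says so."""
    return classify_suite(name) == STATIC_DH or kx.upper().startswith("DH/")


def audit_openssl_ciphers_v(text: str) -> List[Tuple[str, str, str]]:
    """List (name, kx, verdict) for each suite to remove: static DH (CVE-2020-1968),
    plus anonymous DH (unauthenticated key exchange) as an extra hygiene check."""
    findings = []
    for name, kx, au in parse_ciphers_v(text):
        if is_static_dh(name, kx):
            findings.append((name, kx, STATIC_DH))
        elif classify_suite(name) == ANON_DH or au == "None":
            findings.append((name, kx, ANON_DH))
    return findings


def hardened_cipher_string(text: str) -> str:
    """Rebuild the cipher list with static and anonymous DH removed. Only the
    suites this advisory covers are dropped; forward secrecy is not enforced."""
    flagged = {name for name, _, _ in audit_openssl_ciphers_v(text)}
    return ":".join(name for name, _, _ in parse_ciphers_v(text) if name not in flagged)


if __name__ == "__main__":
    for name, kx, verdict in audit_openssl_ciphers_v(SAMPLE_CIPHERS_V):
        print(f"{verdict:13s} {name:28s} Kx={kx}")
    print("hardened:", hardened_cipher_string(SAMPLE_CIPHERS_V))
```

To audit a real build, run `openssl ciphers -v 'ALL'` (or `openssl ciphers -v '<configured cipher string>'`) with the OpenSSL the product uses and feed the output to `audit_openssl_ciphers_v`; every suite it reports as static-DH is the CVE-2020-1968 exposure, and `hardened_cipher_string` returns the same list with those suites removed. The Kx= check matters because a cipher string such as `ALL` can pull in static DH suites without any "DH-" name ever being typed by the administrator.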

CVE-2020-1971 is exploitable in ASG, MC, ProxySG, Security Analytics, and SSLV only when an authenticated administrator installs a malicious certificate revocation list (CRL) and also configures the product to communicate with a malicious SSL/TLS server; both conditions are required. Symantec recommends using trusted SSL/TLS servers and CRLs obtained from trusted certificate authorities.

References

Revisions

2021-09-28 A fix for CVE-2021-23840 in ProxySG 6.7 is available in 6.7.5.14.
2021-09-20 A fix for Security Analytics 8.2 is available in 8.2.4.
2021-08-27 A fix for CVE-2021-23840 in ProxySG 7.3 is available in 7.3.4.1.
2021-08-12 MC 3.2 is vulnerable to CVE-2020-1971, CVE-2021-23840, and CVE-2021-23841.
2021-07-26 WI 1.14 and 1.15 are vulnerable to CVE-2021-23840 and CVE-2021-23841.
2021-07-19 A fix for WSS Mobile Agent 2.0 will not be provided. Please switch to a version of SEP Mobile with the vulnerability fixes.
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-07-02 A fix for SSLV 4.5 is available in 4.5.6.1.
2021-06-07 SSLV 5.2 is not vulnerable because a fix is available in 5.2.1.1.
2021-06-01 A fix for MC 3.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-05-11 PacketShaper (PS) S-Series 11.10 and PolicyCenter (PC) S-Series 1.1 are vulnerable to CVE-2020-1968 and CVE-2021-23841.
2021-05-03 ISG 2.1, 2.2, and 2.3 are vulnerable to CVE-2021-23840 and CVE-2021-23841.
2021-04-01 WSS Agent 7.3 is not vulnerable because a fix is available in 7.3.1. A fix for WSS Agent 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Unified Agent 4.10 will not be provided. Please upgrade to a version of WSS Agent with the vulnerability fixes.
2021-03-09 Initial public release.