Summary
Symantec Network and Information Security (NIS) products using affected versions of OpenSSL may be susceptible to multiple vulnerabilities. A remote attacker may be able to decrypt encrypted communication from an SSL/TLS connection, downgrade a newly established SSL/TLS connection to SSLv2, or cause denial of service through application crashes.
Affected Product(s)
The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.
| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2020-1971 | 6.7 | Upgrade to 6.7.5.9. |
| CVE-2020-1971 | 7.2 | Upgrade to 7.2.5.1. |
| CVE-2020-1971 | 7.3 | Upgrade to 7.3.2.1. |
| CVE-2021-23840, CVE-2021-23841 | 6.7, 7.2, 7.3 | Remediation is not available at this time. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| All CVEs | 6.1 (only when Novell SSO realm is used) | A fix will not be provided. The vulnerable OpenSSL library is in the Novell SSO SDK and an updated Novell SSO SDK is no longer available. Please contact Novell for more information. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2021-23840, CVE-2021-23841 | 2.4, 3.0, 3.1 | Remediation is not available at this time. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2021-23840, CVE-2021-23841 | 2.1, 2.2, 2.3 | Remediation is not available at this time. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 3.0 | Upgrade to later release with fixes. |
| CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 3.1, 3.2 | Remediation is not available at this time. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2020-1968, CVE-2021-23841 | 11.10 | Remediation is not available at this time. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2020-1968, CVE-2021-23841 | 1.1 | Remediation is not available at this time. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2020-1971 | 6.7 | Upgrade to 6.7.5.9. |
| CVE-2020-1971 | 7.2 | Upgrade to 7.2.5.1. |
| CVE-2020-1971 | 7.3 | Upgrade to 7.3.2.1. |
| CVE-2021-23840 | 6.7 | Upgrade to 6.7.5.14. |
| CVE-2021-23840 | 7.2 | Remediation is not available at this time. |
| CVE-2021-23840 | 7.3 | Upgrade to 7.3.4.1. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2021-23840, CVE-2021-23841 | 10.5, 10.6 | Remediation is not available at this time. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2020-1968, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 7.2 | Upgrade to later release with fixes. |
| CVE-2020-1968, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 8.1 | Remediation is not available at this time. |
| CVE-2020-1968, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 8.2 | Upgrade to 8.2.4. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 4.5 | Upgrade to 4.5.6.1. |
| CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 5.2 | Not vulnerable, fixed in 5.2.1.1. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2020-1968, CVE-2021-23840, CVE-2021-23841 | 10.7 | Remediation is not available at this time. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2021-23840, CVE-2021-23841 | 4.10 | Upgrade to a version of WSS Agent with fixes. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2021-23840, CVE-2021-23841 | 1.14, 1.15 | Remediation is not available at this time. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2021-23840, CVE-2021-23841 | 7.2 | Upgrade to later release with fixes. |
| CVE-2021-23840, CVE-2021-23841 | 7.3 | Not vulnerable, fixed in 7.3.1. |

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2021-23840, CVE-2021-23841 | 2.0 | A fix will not be provided. Please switch to a version of SEP Mobile with fixes. |
Additional Product Information
The following products are not vulnerable:
- AuthConnector
- General Auth Connector Login Application
- HSM Agent
Issue Details
| References | Severity / CVSS v3.1 | Impact | Description |
|---|---|---|---|
| NVD: CVE-2020-1968 | Low / 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) | Information disclosure | A flaw in Diffie-Hellman (DH) cipher suite handling allows a remote attacker to compute a pre-master secret for a TLS connection and decrypt all encrypted communication sent over that TLS connection. |
| NVD: CVE-2020-1971 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) | Denial of service | A flaw in X.509 name comparison allows a remote attacker to trigger a NULL pointer dereference and cause denial of service through an application crash. |
| NVD: CVE-2021-23839 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) | Protocol downgrade | A version rollback vulnerability in SSL version handling allows a remote man-in-the-middle attacker to downgrade a newly established SSL/TLS connection to SSLv2. |
| NVD: CVE-2021-23840 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | Denial of service | An overflow flaw in symmetric encryption allows an attacker to cause incorrect program behavior or denial of service through an application crash. |
| NVD: CVE-2021-23841 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | Denial of service | An input validation flaw in X.509 certificate handling allows an attacker to cause denial of service through an application crash. |
Mitigations
CVE-2020-1968 is exploitable in CA, Security Analytics, and SMG only when customers enable cipher suites using static DH key exchange for SSL/TLS server connections. Cipher suites using ephemeral DH key exchange are not impacted by this CVE, offer better security otherwise, and should be used instead. Static DH cipher suites have names that start with “DH-” or “TLS_DH_”, but not “TLS_DH_anon_”. Ephemeral DH cipher suites have names that start with “DHE-” or “TLS_DHE_”.
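The naming rule above can be turned into a configuration check. The following is an added example, not Symantec code: it splits an OpenSSL-style colon-separated cipher list, flags the static DH suites that expose CVE-2020-1968, keeps the ephemeral DH (and all other) suites, and emits a hardened list. The sample cipher list is constructed for the example; treating the OpenSSL "ADH-" prefix as the hyphenated spelling of the IANA "TLS_DH_anon_" suites is an assumption not stated in the advisory.

```python
"""Audit a cipher list for static DH suites (CVE-2020-1968 mitigation check)."""

# Naming rule from the advisory, in both OpenSSL (hyphenated) and IANA (TLS_...) spellings:
#   static DH   -> names starting with "DH-" or "TLS_DH_", but not "TLS_DH_anon_"
#   ephemeral DH -> names starting with "DHE-" or "TLS_DHE_"
# "ADH-" is OpenSSL's spelling of the anonymous TLS_DH_anon_ suites (assumption, not from the page).
ANON_DH_PREFIXES = ("TLS_DH_anon_", "ADH-")
STATIC_DH_PREFIXES = ("DH-", "TLS_DH_")
EPHEMERAL_DH_PREFIXES = ("DHE-", "TLS_DHE_")

# Constructed sample cipher list mixing ECDHE, DHE, static DH and anon DH suites.
SAMPLE_CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DH-RSA-AES256-SHA:"
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA:TLS_DH_anon_WITH_AES_128_CBC_SHA:"
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:AES128-SHA"
)


def classify_dh(suite: str) -> str:
    """Return 'anon', 'static', 'ephemeral' or 'other' for one cipher suite name.

    Anonymous DH is tested first because "TLS_DH_anon_" also matches the
    "TLS_DH_" static prefix but is explicitly excluded by the advisory.
    """
    if suite.startswith(ANON_DH_PREFIXES):
        return "anon"
    if suite.startswith(STATIC_DH_PREFIXES):
        return "static"
    if suite.startswith(EPHEMERAL_DH_PREFIXES):
        return "ephemeral"
    return "other"


def audit_cipher_list(cipher_list: str) -> dict:
    """Flag static DH suites and return a hardened list with only those removed.

    Anonymous DH suites are reported separately; they are outside the scope of
    CVE-2020-1968 and are left in place by this check.
    """
    suites = [s for s in cipher_list.split(":") if s]
    by_class = {k: [s for s in suites if classify_dh(s) == k]
                for k in ("static", "ephemeral", "anon", "other")}
    hardened = [s for s in suites if classify_dh(s) != "static"]
    return {
        "static": by_class["static"],          # suites to remove for CVE-2020-1968
        "ephemeral": by_class["ephemeral"],    # the recommended replacements
        "anon": by_class["anon"],              # not static DH per the advisory
        "hardened": ":".join(hardened),        # cipher list with static DH dropped
    }


if __name__ == "__main__":
    for key, value in audit_cipher_list(SAMPLE_CIPHER_LIST).items():
        print(f"{key}: {value}")
```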
CVE-2020-1971 is exploitable in ASG, MC, ProxySG, Security Analytics, and SSLV only when an authenticated administrator user installs a malicious certificate revocation list (CRL) and configures the product to communicate with a malicious SSL/TLS server. Symantec recommends using trusted SSL/TLS servers and CRLs from trusted certificate authorities.
References
Revisions
2021-09-28 A fix for CVE-2021-23840 in ProxySG 6.7 is available in 6.7.5.14.
2021-09-20 A fix for Security Analytics 8.2 is available in 8.2.4.
2021-08-27 A fix for CVE-2021-23840 in ProxySG 7.3 is available in 7.3.4.1.
2021-08-12 MC 3.2 is vulnerable to CVE-2020-1971, CVE-2021-23840, and CVE-2021-23841.
2021-07-26 WI 1.14 and 1.15 are vulnerable to CVE-2021-23840 and CVE-2021-23841.
2021-07-19 A fix for WSS Mobile Agent 2.0 will not be provided. Please switch to a version of SEP Mobile with the vulnerability fixes.
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-07-02 A fix for SSLV 4.5 is available in 4.5.6.1.
2021-06-07 SSLV 5.2 is not vulnerable because a fix is available in 5.2.1.1.
2021-06-01 A fix for MC 3.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-05-11 PacketShaper (PS) S-Series 11.10 and PolicyCenter (PC) S-Series 1.1 are vulnerable to CVE-2020-1968 and CVE-2021-23841.
2021-05-03 ISG 2.1, 2.2, and 2.3 are vulnerable to CVE-2021-23840 and CVE-2021-23841.
2021-04-01 WSSA 7.3 is not vulnerable because a fix is available in 7.3.1. A fix for WSSA 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Unified Agent 4.10 will not be provided. Please upgrade to a version of WSS Agent with the vulnerability fixes.
2021-03-09 Initial public release.