Lucene search

K
symantecSymantec Security ResponseSMNTC-1768
HistoryMay 19, 2020 - 8:35 p.m.

OpenSSL Vulnerabilities Sep 2019 – Apr 2020

2020-05-1920:35:38
Symantec Security Response
21

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

Symantec Web Security Group (WSG) products using affected versions of OpenSSL may be susceptible to multiple vulnerabilities. A local or remote attacker can obtain private key or other secret key information. A remote attacker can also cause denial of service.

Affected Product(s)

The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.

Advanced Secure Gateway (ASG)

CVE |Supported Version(s)|Remediation
CVE-2019-1551 | 6.7 | Upgrade to 6.7.5.13.
7.1 | Remediation will not be provided.
7.2 | Upgrade to 7.2.8.1.
7.3 | Upgrade to 7.3.4.1.

BCAAA

CVE |Supported Version(s)|Remediation
CVE-2019-1563 | 6.1 (only when Novell SSO realm is used) | A fix will not be provided. The vulnerable OpenSSL library is in the Novell SSO SDK and an updated Novell SSO SDK is no longer available. Please contact Novell for more information.

Content Analysis (CA)

CVE |Supported Version(s)|Remediation
CVE-2019-1551 | 2.3, 2.4 | Not vulnerable
3.0, 3.1 | Remediation is not available at this time.

Management Center (MC)

CVE |Supported Version(s)|Remediation
CVE-2019-1551 | 3.0 | Upgrade to later release with fixes.
3.1, 3.2 | Remediation is not available at this time.

ProxySG

CVE |Supported Version(s)|Remediation
CVE-2019-1551 | 6.7 | Upgrade to 6.7.5.13.
7.1 | Remediation will not be provided.
7.2 | Upgrade to 7.2.8.1.
7.3 | Upgrade to 7.3.4.1.

Reporter

CVE |Supported Version(s)|Remediation
CVE-2019-1551 | 10.4 | Remediation will not be provided.
10.5, 10.6 | Remediation is not available at this time.

SSL Visibility (SSLV)

CVE |Supported Version(s)|Remediation
CVE-2019-1551 | 4.5 | Remediation is not available at this time.
5.0 | Upgrade to later release with fixes.

**
Additional Product Information**

CVE-2019-1551 is exploitable in ASG, CA, ProxySG, Reporter, and SSLV only when customers configure the products' SSL/TLS interfaces with 1024-bit RSA keys. The default key/certificate pairs shipped with the products have 2048-bit or larger RSA keys. Symantec recommends configuring all SSL/TLS interfaces with 2048-bit or larger RSA keys for protection against multiple attacks, including attacks using CVE-2019-1551.

The following products are not vulnerable:
**AuthConnector
General Auth Connector Login Application
HSM Agent for the Luna SP
**PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
Security Analytics (SA)
Symantec Messaging Gateway (SMG)
Unified Agent
WSS Agent
WSS Mobile Agent

The following products are under investigation:**
Web Isolation (WI)

**

Issue Details

CVE-2019-1547

Severity / CVSS v3.1: | Medium / 4.7 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) References:| NVD: CVE-2019-1547 Impact:| Information disclosure Description: | A side channel flaw in ECDSA signature generation allows a local attacker to recover ECDSA private key information.

CVE-2019-1549

Severity / CVSS v3.1: | Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) References:| NVD: CVE-2019-1549 Impact:| Information disclosure Description: | An RNG state management flaw in random number generation may cause an application to generate insufficiently random data. An attacker with access to the memory of a process on the target host may be able to guess private/secret encryption keys and other random secrets in the memory of a parent or child process.

CVE-2019-1551

Severity / CVSS v3.1: | Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) References:| NVD: CVE-2019-1551 Impact:| Information disclosure Description: | An overflow flaw in the 64-bit Montgomery squaring arithmetic operation implementation allows an attacker to obtain private key information.

CVE-2019-1563

Severity / CVSS v3.1: | Low / 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) References:| NVD: CVE-2019-1563 Impact:| Information disclosure Description: | A padding oracle flaw in CMS/PKCS7 decryption allows a remote attacker to recover a CMS/PKCS7 transported encryption key or decrypt an RSA encrypted message.

CVE-2020-1967

Severity / CVSS v3.1: | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References:| NVD: CVE-2020-1967 Impact:| Denial of service Description: | A memory handling flaw in the TLS 1.3 handshake implementation allows a remote attacker to send a crafted handshake message and cause denial of service through application crashes.

**
References**

Revisions

2021-10-14 A fix for ASG 6.7 and ProxySG 6.7 is available in 6.7.5.13. A fix for ASG 7.2 and ProxySG 7.2 is available in 7.2.8.1.
2021-09-10 A fix for ASG 7.3 and ProxySG 7.3 is available in 7.3.4.1.
2021-08-12 MC 3.2 is vulnerable to CVE-2019-1551.
2021-07-02 MC 3.0 and 3.1 are vulnerable to CVE-2019-1551.
2021-06-07 A fix for SSLV 5.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-04-26 PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-04-19 BCAAA 6.1 is vulnerable to CVE-2019-1563.
2020-11-19 A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is vulnerable to CVE-2019-1551.
2020-05-19 initial public release

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N