CVSS v3.1: 7.5 High (Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality Impact: None, Integrity Impact: None, Availability Impact: High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v2: 5 Medium (Access Vector: Network, Access Complexity: Low, Authentication: None, Confidentiality Impact: Partial, Integrity Impact: None, Availability Impact: None)
AV:N/AC:L/Au:N/C:P/I:N/A:N
Summary
Symantec Web Security Group (WSG) products using affected versions of OpenSSL may be susceptible to multiple vulnerabilities. A local or remote attacker can obtain private key or other secret key information. A remote attacker can also cause denial of service.
Affected Product(s)
The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.
ASG
CVE | Supported Version(s) | Remediation
CVE-2019-1551 | 6.7 | Upgrade to 6.7.5.13.
CVE-2019-1551 | 7.1 | Remediation will not be provided.
CVE-2019-1551 | 7.2 | Upgrade to 7.2.8.1.
CVE-2019-1551 | 7.3 | Upgrade to 7.3.4.1.

BCAAA
CVE | Supported Version(s) | Remediation
CVE-2019-1563 | 6.1 (only when Novell SSO realm is used) | A fix will not be provided. The vulnerable OpenSSL library is in the Novell SSO SDK and an updated Novell SSO SDK is no longer available. Please contact Novell for more information.

Content Analysis (CA)
CVE | Supported Version(s) | Remediation
CVE-2019-1551 | 2.3, 2.4 | Not vulnerable
CVE-2019-1551 | 3.0, 3.1 | Remediation is not available at this time.

MC
CVE | Supported Version(s) | Remediation
CVE-2019-1551 | 3.0 | Upgrade to later release with fixes.
CVE-2019-1551 | 3.1, 3.2 | Remediation is not available at this time.

ProxySG
CVE | Supported Version(s) | Remediation
CVE-2019-1551 | 6.7 | Upgrade to 6.7.5.13.
CVE-2019-1551 | 7.1 | Remediation will not be provided.
CVE-2019-1551 | 7.2 | Upgrade to 7.2.8.1.
CVE-2019-1551 | 7.3 | Upgrade to 7.3.4.1.

Reporter
CVE | Supported Version(s) | Remediation
CVE-2019-1551 | 10.4 | Remediation will not be provided.
CVE-2019-1551 | 10.5, 10.6 | Remediation is not available at this time.

SSLV
CVE | Supported Version(s) | Remediation
CVE-2019-1551 | 4.5 | Remediation is not available at this time.
CVE-2019-1551 | 5.0 | Upgrade to later release with fixes.
Additional Product Information
CVE-2019-1551 is exploitable in ASG, CA, ProxySG, Reporter, and SSLV only when customers configure the products' SSL/TLS interfaces with 1024-bit RSA keys. The default key/certificate pairs shipped with the products have 2048-bit or larger RSA keys. Symantec recommends configuring all SSL/TLS interfaces with 2048-bit or larger RSA keys for protection against multiple attacks, including attacks using CVE-2019-1551.
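To find SSL/TLS interfaces still configured below the 2048-bit floor the advisory recommends, here is an added example (not code from the advisory or the products) that walks a certificate's DER structure and reports the RSA modulus size; the certificate-shaped sample input is constructed inline and is not a real certificate.

```python
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER-encoded OID id-rsaEncryption
def _tlv(buf, pos):
    """Decode one DER element header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, pos, pos + length

def _children(buf, start, end):
    out = []                                            # (tag, start, end) of each element in the span
    while start < end:
        out.append(_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_key_bits(der):
    """Return the RSA modulus bit length of a DER X.509 certificate, or None if the key is not RSA."""
    tbs = _children(der, *_tlv(der, 0)[1:])[0]         # Certificate -> tbsCertificate
    fields = _children(der, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    spki = fields[5]      # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
    alg, bitstr = _children(der, spki[1], spki[2])[:2]
    if der[alg[1]:alg[1] + len(RSA_OID)] != RSA_OID:
        return None
    _, rs, re_ = _tlv(der, bitstr[1] + 1)               # skip BIT STRING unused-bits byte
    modulus = _children(der, rs, re_)[0]                # RSAPublicKey.modulus INTEGER
    return int.from_bytes(der[modulus[1]:modulus[2]], "big").bit_length()

def meets_advisory_minimum(der, minimum=2048):
    """True unless the certificate carries an RSA key shorter than `minimum` bits (non-RSA keys pass)."""
    return (rsa_key_bits(der) or minimum) >= minimum

# Constructed sample input: certificate-shaped DER with placeholder fields; only field order matters.
def _der(tag, body):
    lb = len(body).to_bytes(2, "big").lstrip(b"\x00") or b"\x00"
    hdr = lb if len(body) < 128 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + hdr + body

def _int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def sample_cert(modulus_bits):
    rsa_key = _der(0x30, _int((1 << (modulus_bits - 1)) | 1) + _int(65537))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa_key))
    empty = _der(0x30, b"")                             # stand-in for sigAlg/issuer/validity/subject
    tbs = _der(0x30, _der(0xA0, _int(2)) + _int(1) + empty * 4 + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))
```

For a real interface, the standard library's `ssl.PEM_cert_to_DER_cert()` turns a PEM certificate into the DER bytes `rsa_key_bits()` expects.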
The following products are not vulnerable:
AuthConnector
General Auth Connector Login Application
HSM Agent for the Luna SP
PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
Security Analytics (SA)
Symantec Messaging Gateway (SMG)
Unified Agent
WSS Agent
WSS Mobile Agent
The following products are under investigation:
Web Isolation (WI)
Issue Details
CVE-2019-1547
Severity / CVSS v3.1: Medium / 4.7 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
References: NVD: CVE-2019-1547
Impact: Information disclosure
Description: A side channel flaw in ECDSA signature generation allows a local attacker to recover ECDSA private key information.

CVE-2019-1549
Severity / CVSS v3.1: Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2019-1549
Impact: Information disclosure
Description: An RNG state management flaw in random number generation may cause an application to generate insufficiently random data. An attacker with access to the memory of a process on the target host may be able to guess private/secret encryption keys and other random secrets in the memory of a parent or child process.

CVE-2019-1551
Severity / CVSS v3.1: Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2019-1551
Impact: Information disclosure
Description: An overflow flaw in the 64-bit Montgomery squaring arithmetic operation implementation allows an attacker to obtain private key information.

CVE-2019-1563
Severity / CVSS v3.1: Low / 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2019-1563
Impact: Information disclosure
Description: A padding oracle flaw in CMS/PKCS7 decryption allows a remote attacker to recover a CMS/PKCS7 transported encryption key or decrypt an RSA encrypted message.

CVE-2020-1967
Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2020-1967
Impact: Denial of service
Description: A memory handling flaw in the TLS 1.3 handshake implementation allows a remote attacker to send a crafted handshake message and cause denial of service through application crashes.
References
Revisions
2021-10-14 A fix for ASG 6.7 and ProxySG 6.7 is available in 6.7.5.13. A fix for ASG 7.2 and ProxySG 7.2 is available in 7.2.8.1.
2021-09-10 A fix for ASG 7.3 and ProxySG 7.3 is available in 7.3.4.1.
2021-08-12 MC 3.2 is vulnerable to CVE-2019-1551.
2021-07-02 MC 3.0 and 3.1 are vulnerable to CVE-2019-1551.
2021-06-07 A fix for SSLV 5.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-04-26 PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-04-19 BCAAA 6.1 is vulnerable to CVE-2019-1563.
2020-11-19 A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is vulnerable to CVE-2019-1551.
2020-05-19 Initial public release.