SA109 : Multiple OpenSSH Vulnerabilities (January 2016)

Security Advisory ID: SA109
Published Date: Jan 27, 2016
Advisory Status: Final
Advisory Severity: Medium
CVSS v2 base score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE Number:
CVE-2016-0777 - 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVE-2016-0778 - 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE-2016-1907 - 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Blue Coat products using affected 5.x and 6.x versions of OpenSSH are susceptible to multiple vulnerabilities.  An attacker, with access to the management interface, may exploit these vulnerabilities to execute arbitrary code and obtain information from the target's process memory.  The attacker can also cause denial of service due to buffer overflows and illegal memory accesses.

Affected Products:

The following products are vulnerable:

Director
Director 6.1 prior to 6.1.22.1 is vulnerable to CVE-2016-0777 and CVE-2016-0778.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.8 is vulnerable to CVE-2016-0777 and CVE-2016-0778.

Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-0777 and CVE-2016-0778.

Norman Shark Network Protection
NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-0777 and CVE-2016-0778.

Norman Shark SCADA Protection
NSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-0777 and CVE-2016-0778.

Security Analytics
SA 6.6 prior to 6.6.12, 7.0, and 7.1 prior to 7.1.11 are vulnerable to CVE-2016-0777 and CVE-2016-0778.  SA 7.2 is not vulnerable.

The following products contain a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:

SSL Visibility
SSLV 3.8, 3.8.4FC prior to 3.8.4FC-55, and 3.9 prior to 3.9.3.1 have a vulnerable version of OpenSSH.  SSLV 3.10 and 3.11 are not vulnerable.

The following products are not vulnerable:

Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Unified Agent
X-Series XOS

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses multiple vulnerabilities in OpenSSH:

  • CVE-2016-0777 is a flaw that allows a remote attacker to perform buffer over-reads and obtain information stored in the target process memory.
  • CVE-2016-0778 is a flaw that allows a remote attacker to cause a buffer overflow on an authenticated SSH client, causing it to execute arbitrary code or resulting in denial of service.
  • CVE-2016-1907 is a flaw that allows a remote attacker to cause out-of-bounds reads using crafted network traffic. This can cause an application crash and result in denial of service.

Blue Coat products do not enable or use all functionality within OpenSSH.  Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE.  However, fixes for those CVEs will be included in the patches that are provided.  The following products include vulnerable versions of OpenSSH, but do not use the functionality described in the CVEs and are not known to be vulnerable.

  • SSLV: CVE-2016-0777 and CVE-2016-0778

Workarounds: 

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products.  Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

Patches: 

Director
Director 6.1 - a fix is available in 6.1.22.1.

Malware Analysis Appliance
MAA 4.2 - a fix is available in 4.2.8.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is available in 5.3.6.

Norman Shark Network Protection
NNP 5.3 - a fix is available in 5.3.6.

Norman Shark SCADA Protection
NSP 5.3 - a fix is available in 5.3.6.

Security Analytics
SA 7.1 - a fix is available in 7.1.11.
SA 7.0 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
SA 6.6 - a fix is available in 6.6.12.

SSL Visibility
SSLV 3.8 - a fix is available in 3.9.3.1.
SSLV 3.8.4FC - a fix is available in 3.8.4FC-55.
SSLV 3.8 - a fix is available in 3.8.6-14.

Advisory History: 

2017-02-16 Previously, it was reported that Security Analytics by default is not vulnerable to CVE-2016-0777 and CVE-2016-0778 because it does not act as an SSH client.  Further investigation has shown that Security Analytics acts as an SSH client and is vulnerable to both CVEs by default.
2016-11-29 A fix for Director is available in 6.1.22.1.  SSLV 3.11 is not vulnerable.  Customers should contact Digital Guardian regarding vulnerability information for DLP.  SA status moved to Final.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 Security Analytics 7.2 is not vulnerable.
2016-06-16 PS S-Series, PC S-Series, and Reporter are not vulnerable.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-18 Fixes are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-24 Mail Threat Defense is not vulnerable.
2016-03-17 A fix for SSLV 3.8 is available in 3.8.6-14.  Clarified that SSLV 3.9 prior to 3.9.3.1 has a vulnerable version of OpenSSH.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8.
2016-01-27 Initial public release.