SA119 : Multiple NSS Vulnerabilities

Security Advisory ID: SA119
Published Date: Mar 22, 2016
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE Number: 
CVE-2015-7181 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-7182 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-7183 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-1950 - 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Blue Coat products that include affected versions of NSS are susceptible to multiple vulnerabilities.  A remote attacker can exploit these vulnerabilities to trigger arbitrary code execution.  The attacker can also cause denial of service through application crashes and memory corruption.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway
ASG 6.6 prior to 6.6.4.1 is vulnerable to CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183.  ASG 6.6 prior to 6.6.5.1 is also vulnerable to CVE-2016-1950.  ASG 6.7 is not vulnerable.

Content Analysis System
CAS 1.2 is vulnerable to CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, and CVE-2016-1950.  CAS 1.3 prior to 1.3.6.1 is vulnerable to CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183.  CAS 1.3 prior to 1.3.7.1 is vulnerable to CVE-2016-1950.  CAS 2.1 and later releases are not vulnerable.

Director
Director 6.1 prior to 6.1.22.1 is vulnerable to CVE-2016-1950.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-1950.

PacketShaper S-Series
PS S-Series 11.5 prior to 11.5.3.1 is vulnerable to CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, and CVE-2016-1950.  PS S-Series 11.6, 11.7, 11.8, and 11.9 are not vulnerable.  PS S-Series 11.2, 11.3, and 11.4 have a vulnerable version of NSS, but are not vulnerable to known vectors of attack.

PolicyCenter S-Series
PC S-Series 1.1 prior to 1.1.2.1 is vulnerable to CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, and CVE-2016-1950.

Reporter
Reporter 9.4 and 9.5 are not vulnerable to any of the CVEs.  Reporter 10.1 is under investigation.

Security Analytics
SA 6.6 prior to 6.6.12, 7.0, and 7.1 prior to 7.1.11 are vulnerable to CVE-2015-7181 and CVE-2015-7182.  SA 6.6, 7.0, and 7.1 are also vulnerable to CVE-2015-7183 and CVE-2016-1950.  SA 7.2 is not vulnerable.

X-Series XOS
XOS 9.7, 10.0 prior to 10.0.6, and 11.0 prior to 11.0.2 are vulnerable to CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, and CVE-2016-1950.

The following products contain a vulnerable version of NSS, but are not vulnerable to known vectors of attack:

Management Center
MC 1.5 has a vulnerable version of NSS.  MC 1.6 and later releases are not vulnerable.

The following products are not vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
SSL Visibility
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP

Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses multiple NSS vulnerabilities announced in November 2015 and March 2016.  Blue Coat products that include a vulnerable version of NSS and make use of the vulnerable functionality are vulnerable.

  • CVE-2015-7181 is a use-after-poison flaw in the ASN.1 decoder that allows a remote attacker to send crafted OCTET STRING data and cause arbitrary code execution or denial of service through application crashes.
  • CVE-2015-7182 is a heap-based buffer overflow in the ASN.1 decoder that allows a remote attacker to send crafted OCTET STRING data and cause arbitrary code execution or denial of service through application crashes.
  • CVE-2015-7183 is an integer overflow in the NSPR component of NSS that allows a remote attacker to cause arbitrary code execution or denial of service through memory corruption or application crashes.
  • CVE-2016-1950 is a heap-based buffer overflow in the ASN.1 decoder that allows a remote attacker to send crafted X.509 certificates and cause arbitrary code execution or denial of service through application crashes.

Blue Coat products may act as both client and server in SSL/TLS connections, and may use application functionality for cryptographic operations.  Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services.  Products should be considered vulnerable in all interfaces that provide SSL/TLS connections for data and management interfaces unless the CVE is specific to SSL/TLS client or server functionality (as noted in the descriptions above) or unless otherwise stated below:

  • PacketShaper S-Series 11.5: all CVEs affect connections to PolicyCenter S-Series appliances.
  • PolicyCenter S-Series: all CVEs affect management connections.
  • Security Analytics: all CVEs affect connections to Blue Coat, connections between a Central Manager and Sensors, and downloads of favorites (commonly used filters).

Some Blue Coat products do not enable or use all functionality within NSS.  The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them.  However, fixes for these CVEs will be included in the patches that are provided.

  • MC: CVE-2016-1950
  • PS S-Series 11.2, 11.3, and 11.4: CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, and CVE-2016-1950

Workarounds: 

There are no known workarounds.

Patches: 

Advanced Secure Gateway
ASG 6.7 - a fix is available in 6.7.2.1.
ASG 6.6 - a fix for CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183 is available in 6.6.4.1.  A fix for CVE-2016-1950 is available in 6.6.5.1.

Content Analysis System
CAS 1.3 - a fix for CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183 is available in 1.3.6.1.  A fix for CVE-2016-1950 is available in 1.3.7.1.
CAS 1.2 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Director
Director 6.1 - a fix is available in 6.1.22.1.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.6 - a fix is available in 1.6.1.1.
MC 1.5 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

PacketShaper S-Series
PS S-Series 11.5 - a fix is available in 11.5.3.1.
PS S-Series 11.4 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
PS S-Series 11.3 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
PS S-Series 11.2 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is available in 1.1.2.1.

Security Analytics
SA 7.2 - a fix is available in 7.2.1.
SA 7.1 - a fix for CVE-2015-7181 and CVE-2015-7182 is available in 7.1.11.  Fixes for CVE-2015-7183 and CVE-2016-1950 are available through patch RPMs from customer support.
SA 7.0 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
SA 6.6 - a fix for CVE-2015-7181 and CVE-2015-7182 is available in 6.6.12.  Fixes for CVE-2015-7183 and CVE-2016-1950 are available through patch RPMs from customer support.

X-Series XOS
XOS 11.0 - a fix is available in 11.0.2.
XOS 10.0 - a fix is available in 10.0.6.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-18 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable.  IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable.
2016-11-29 A fix for Director is available in 6.1.22.1.  PacketShaper S-Series 11.7 is not vulnerable.  Customers should contact Digital Guardian regarding vulnerability information for DLP.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-10-26 A fix for ASG is available in 6.6.5.1.  A fix for MC is available in 1.6.1.1.  MC 1.7 is not vulnerable.  A fix will not be provided for MC 1.5.
2016-08-12 A fix for CAS 1.3 is available in 1.3.7.1.  Security Analytics 7.2 is not vulnerable.
2016-07-16 A fix for XOS 10.0 is available in 10.0.6.  A fix for XOS 11.0 is available in 11.0.2.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4.  Please upgrade to a later version with the vulnerability fixes.
2016-06-23 A fix for CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183 in ASG is available in 6.6.4.1.
2016-06-13 A fix for SA 7.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-09 Fixes for CVE-2015-7181 and CVE-2015-7182 are available in SA 6.6.12 and 7.1.11. Fixes for CVE-2015-7183 and CVE-2016-1950 are available for SA 6.6 and 7.1 through patch RPMs from customer support.
2016-04-28 Fixes are available in PS S-Series 11.5.3.1 and PC S-Series 1.1.2.1.
2016-04-25 MTD 1.1 is vulnerable to CVE-2016-1950.
2016-04-15 A fix will not be provided for CAS 1.2.  Please upgrade to a later version with the vulnerability fixes.
2016-03-22 Initial public release.