SA123 : OpenSSL Vulnerabilities 3-May-2016

Security Advisory ID: 
SA123
Published Date: 
May 09, 2016
Advisory Status: 
Interim
Advisory Severity: 
High
CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE Number: 
CVE-2016-2105 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-2106 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-2107 - 2.6 (LOW) (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVE-2016-2108 - 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2016-2109 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2016-2176 - 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P)

Blue Coat products using affected versions of OpenSSL are susceptible to multiple vulnerabilities.  A remote attacker can exploit these vulnerabilities to intercept and decrypt TLS sessions, obtain arbitrary data from the target's memory stack, or execute arbitrary code through buffer underflow and overflow.  The attacker can also cause denial of service through memory corruption and depletion.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway
ASG 6.6 prior to 6.6.5.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), CVE-2016-2108, and CVE-2016-2109.  ASG 6.7 is not vulnerable.

Android Mobile Agent
Android Mobile Agent 1.3 prior to 1.3.8 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.

BCAAA
BCAAA 6.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, and CVE-2016-2176 when a Novell SSO realm is used.

CacheFlow
CacheFlow 3.4 prior to 3.4.2.7 is vulnerable to CVE-2016-2108 and CVE-2016-2109.

Client Connector
Client Connector 1.6 for Windows is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.

Content Analysis System
CAS 1.2 and 1.3 prior to 1.3.7.1 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), CVE-2016-2108, and CVE-2016-2109.  CAS 2.1 and later releases are not vulnerable.

Director
Director 6.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109, and CVE-2016-2176.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), CVE-2016-2108, and CVE-2016-2109.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.11 is vulnerable to CVE-2016-2105, CVE-2016-2107 (all supported hardware platforms) and CVE-2016-2108.

Management Center
MC 1.5 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  MC 1.6 and later releases are not vulnerable.

Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  It is also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform.  See the Advisory Details section for more details.

Norman Shark Network Protection
NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  It is also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform.  See the Advisory Details section for more details.

Norman Shark SCADA Protection
NSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  It is also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform.  See the Advisory Details section for more details.

PacketShaper
PS 9.2 prior to 9.2.13p2 is vulnerable to CVE-2016-2106 and CVE-2016-2109.  PS 9.2 prior to 9.2.13p1 is also vulnerable to CVE-2016-2108.

PacketShaper S-Series
PS S-Series 11.2, 11.3, 11.4, and 11.5 prior to 11.5.3.2 are vulnerable to CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), and CVE-2016-2108. PS S-Series 11.6 and later releases are not vulnerable.

PolicyCenter
PC 9.2 prior to 9.2.13p2 is vulnerable to CVE-2016-2106 and CVE-2016-2109.  PC 9.2 prior to 9.2.13p1 is also vulnerable to CVE-2016-2108.

PolicyCenter S-Series
PC S-Series 1.1 prior to 1.1.2.2 is vulnerable to CVE-2016-2106, CVE-2016-2107 (all supported hardware platforms), and CVE-2016-2108.

ProxyAV
ProxyAV 3.5 prior to 3.5.4.2 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109, and CVE-2016-2176.

ProxyClient
ProxyClient 3.4 for Windows is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.

ProxySG
ProxySG 6.5 prior to 6.5.9.8 and 6.6 prior to 6.6.4.1 are vulnerable to CVE-2016-2108 and CVE-2016-2109.  They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform.  See the Advisory Details section for more details.  ProxySG 6.7 is not vulnerable.

Reporter
Reporter 9.4, 9.5 prior to 9.5.4.1, and 10.1 prior to 10.1.4.2 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  Reporter 9.5 prior to 9.5.4.1 and 10.1 prior to 10.1.4.2 are also vulnerable to CVE-2016-2107.

Security Analytics
Security Analytics 6.6, 7.0, and 7.1 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  Security Analytics 6.6 and 7.1 are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform.  See the Advisory Details section for more details.  Security Analytics 7.2 and 7.3 are not vulnerable.

SSL Visibility
SSLV 3.8, 3.8.4FC prior to 3.8.4FC-55, and 3.9 prior to 3.9.3.6 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform.  See the Advisory Details section for more details.  SSLV 3.10 and later versions are not vulnerable.

Unified Agent
UA 4.1 and 4.6 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-2109.  UA 4.1 is also vulnerable to CVE-2016-2108.  UA 4.7 is not vulnerable.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  They are also vulnerable to CVE-2016-2107 when running on an AESNI-capable hardware platform.  See the Advisory Details section for more details.

The following products are not vulnerable:
AuthConnector
Blue Coat HSM Agent for the Luna SP
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
ProxyAV ConLog and ConLogXP

The following products are under investigation:
IntelligenceCenter
IntelligenceCenter Data Collector

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses multiple vulnerabilities announced in OpenSSL Security Advisory 3rd May 2016.  Blue Coat products that include a vulnerable version of OpenSSL and make use of the affected functionality are vulnerable.

  • CVE-2016-2105 is a flaw in the Base64 encoding module that allows a remote attacker to supply large input data and trigger a heap overflow, resulting in denial of service and possible arbitrary code execution.
  • CVE-2016-2106 is a flaw in the generic symmetric encryption/decryption module that allows a remote attacker to supply large input data and trigger a heap overflow, resulting in denial of service and possible arbitrary code execution.
  • CVE-2016-2107 is a flaw introduced as part of the fix for CVE-2013-0169 (Lucky13).  A remote man-in-the-middle (MITM) attacker can exploit this vulnerability to perform a padding oracle attack and decrypt intercepted TLS traffic when the TLS sessions use AES CBC cipher suites and the server supports AESNI.  The CVSS v2 score for CVE-2016-2107 listed in this Security Advisory is published by the National Vulnerability Database (NVD).  The effective CVSS v2 score may be higher for Blue Coat products if the decrypted plaintext contains cookie or password information.
  • CVE-2016-2108 is a flaw in the ASN.1 encoder that allows a remote attacker to send a crafted X.509 certificate and trigger a buffer underflow on the target if it parses and re-encodes the certificate.  Parsing and re-encoding occurs only if the target successfully verifies that certificate signature.  Exploiting this vulnerability can result in denial of service through memory corruption and possible arbitrary code execution.
  • CVE-2016-2109 is a flaw in the ASN.1 decoder that allows a remote attacker to send crafted ASN.1 data and trigger excessive memory allocation on the target.  This can result in denial of service through memory depletion.
  • CVE-2016-2176 is an overread flaw in X.509 certificate ASN.1 string parsing on EBCDIC systems.  A remote attacker can exploit this vulnerability using crafted X.509 certificates to obtain arbitrary data from the target's memory stack.

Blue Coat products may act as both client and server in SSL/TLS connections, and may use application functionality for cryptographic operations.  Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services.  Products should be considered vulnerable in all interfaces that provide SSL/TLS connections for data and management interfaces unless the CVE is specific to SSL/TLS client or server functionality (as noted in the descriptions above) or unless otherwise stated below:

  • CacheFlow: All CVEs affect only management connections.
  • ProxySG: CVE-2016-2109 affects only management connections.

Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs.  However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable.  Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Some Blue Coat products do not enable or use all functionality within OpenSSL.  The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them.  However, fixes for these CVEs will be included in the patches that are provided.

  • CacheFlow: CVE-2016-2105, CVE-2016-2106, and CVE-2016-2107
  • MAA: CVE-2016-2106 and CVE-2016-2109
  • MC: CVE-2016-2107
  • PacketShaper: CVE-2016-2105
  • PacketShaper S-Series: CVE-2016-2105 and CVE-2016-2109
  • PolicyCenter: CVE-2016-2105
  • PolicyCenter S-Series: CVE-2016-2105 and CVE-2016-2109
  • ProxyAV: CVE-2016-2107
  • ProxySG: CVE-2016-2105 and CVE-2016-2106

Some Blue Coat hardware platforms do not support the AESNI instruction set in their CPU architectures.  The products and hardware platforms listed below do not support AESNI, do not use the AESNI-based AES implementation in OpenSSL, and are thus not vulnerable to CVE-2016-2107.  However, a fix for this CVE will be included in the software patches that are provided.

  • ICSP: AFL2-12A-D525, customer-provided hardware platforms that do not support AESNI
  • NNP: customer-provided hardware platforms that do not support AESNI
  • NSP: customer-provided hardware platforms that do not support AESNI
  • ProxySG: SG300, SG600, SG900, SG9000
  • Security Analytics: customer-provided hardware platforms that do not support AESNI
  • SSLV: SV1800
  • XOS: APM-8650, CPM-8600, CPM-9600

Workarounds: 

These vulnerabilities can be exploited in CacheFlow only through the management interface.  Allowing only machines, IP addresses and subnets from a trusted network to access the CacheFlow management interface reduces the threat of exploiting the vulnerabilities.

Patches: 

Advanced Secure Gateway
ASG 6.7 - a fix is available in 6.7.2.1.
ASG 6.6 - a fix is available in 6.6.5.1.

Android Mobile Agent
Android Mobile Agent 1.3 - a fix is available in 1.3.8.

BCAAA
BCAAA 6.1 - a fix will not be provided.  An updated Novell SSO SDK is no longer available.  Please contact Novell for more information.

CacheFlow
CacheFlow 3.4 - a fix is available in 3.4.2.7.

Client Connector
Client Connector 1.6 for Windows - a fix will not be provided.  Please upgrade to the latest version of Unified Agent with the vulnerability fixes.

Content Analysis System
CAS 1.3 - a fix is available in 1.3.7.1.
CAS 1.2 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Director
Director 6.1 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Malware Analysis Appliance
MAA 4.2 - a fix is available in 4.2.11.

Management Center
MC 1.6 - a fix is available in 1.6.1.1.
MC 1.5 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is available in 5.3.6.

Norman Shark Network Protection
NNP 5.3 - a fix is available in 5.3.6.

Norman Shark SCADA Protection
NSP 5.3 - a fix is available in 5.3.6.

PacketShaper
PS 9.2 - a fix for CVE-2016-2108 is available in 9.2.13p1.  A fix for the remaining CVEs is available in 9.2.13p2.

PacketShaper S-Series
PS S-Series 11.5 - a fix is available in 11.5.3.2.
PS S-Series 11.4 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
PS S-Series 11.3 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
PS S-Series 11.2 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

PolicyCenter
PC 9.2 - a fix for CVE-2016-2108 is available in 9.2.13p1.  A fix for the remaining CVEs is available in 9.2.13p2.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is available in 1.1.2.2.

ProxyAV
ProxyAV 3.5 - a fix is available in 3.5.4.2.

ProxyClient
ProxyClient 3.4 for Windows - a fix will not be provided.  Please upgrade to the latest version of Unified Agent with the vulnerability fixes.

ProxySG
ProxySG 6.6 - a fix is available in 6.6.4.1.
ProxySG 6.5 - a fix is available in 6.5.9.8.

Reporter
Reporter 10.1 - a fix is available in 10.1.4.2.
Reporter 9.5 - a fix is available in 9.5.4.1.
Reporter 9.4 - a fix will not be provided.  Please upgrade to the latest version with the vulnerability fixes.

Security Analytics
Security Analytics 7.2 - a fix is available in 7.2.1.
Security Analytics 7.1 - a fix is available through a patch RPM from Blue Coat Support.
Security Analytics 7.0 - a fix will not be provided.  Please upgrade to the latest version with the vulnerability fixes.
Security Analytics 6.6 - a fix is available through a patch RPM from Blue Coat Support.

SSL Visibility
SSLV 3.9 - a fix is available in 3.9.3.6.
SSLV 3.8.4FC - a fix is available in 3.8.4FC-55.
SSLV 3.8 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Unified Agent
UA 4.7 - a fix is available in 4.7.1.
UA 4.6 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
UA 4.1 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.
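The Affected Products and Patches sections above express exposure as "release train X prior to fixed build Y", using build strings such as 6.5.9.8, 9.2.13p1 and 3.8.4FC-55, and the Advisory Details section makes CVE-2016-2107 conditional on AESNI-capable hardware.  The following is an added triage helper, not Blue Coat tooling, that applies those two rules to an installed build: it parses the build strings in the order this advisory uses them, compares an installed build against the fixed build for its train, and decides the AESNI condition either from the platform names listed above or from a /proc/cpuinfo "flags" line for customer-provided hardware.  The fixed builds and platform names come from this advisory; the cpuinfo excerpts are constructed sample input, and the product table covers only a subset of the products listed above.

```python
"""Triage helper for this advisory (added example, not Blue Coat tooling).

Given a product, its installed build and either a platform name or the host's
/proc/cpuinfo text, decide whether the build predates the fixed build in the
Patches section and whether the AES-NI condition for CVE-2016-2107 applies.
Build numbers and platform names are taken from the advisory text; the
/proc/cpuinfo excerpts at the bottom are constructed.
"""
import re
from typing import Optional, Tuple

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(text: str) -> Tuple[Tuple[int, object], ...]:
    """Turn '6.5.9.8', '9.2.13p1' or '3.8.4FC-55' into a comparable tuple.

    Numeric runs become (0, int), alphabetic runs (1, str); '.' and '-' only
    separate tokens.  A string that is a pure prefix of another sorts first,
    so 9.2.13 < 9.2.13p1 < 9.2.13p2 and 3.8.4FC-54 < 3.8.4FC-55, which is the
    order this advisory uses.  The kind tag comes first in each pair, so an
    int is never compared with a str.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.upper())
                 for t in _TOKEN.findall(text))


# (product, release train, first fixed build), from the Patches section.
# Only a subset of the advisory's products is recorded here.
FIXED_BUILDS = [
    ("ProxySG", "6.5", "6.5.9.8"),
    ("ProxySG", "6.6", "6.6.4.1"),
    ("PacketShaper", "9.2", "9.2.13p2"),
    ("CacheFlow", "3.4", "3.4.2.7"),
    ("ICSP", "5.3", "5.3.6"),
    ("SSL Visibility", "3.8.4FC", "3.8.4FC-55"),
    ("SSL Visibility", "3.9", "3.9.3.6"),
]

# Platforms the advisory lists as lacking AES-NI (not exposed to CVE-2016-2107).
NO_AESNI_PLATFORMS = {
    "ProxySG": {"SG300", "SG600", "SG900", "SG9000"},
    "SSL Visibility": {"SV1800"},
    "ICSP": {"AFL2-12A-D525"},
}


def in_train(version: str, train: str) -> bool:
    """True if `version` belongs to release train `train` (prefix match on tokens)."""
    pv, pt = parse_version(version), parse_version(train)
    return pv[:len(pt)] == pt


def needs_patch(product: str, version: str) -> bool:
    """True when `version` sorts before the fixed build for its release train.

    Raises ValueError when the table has no entry for the train: a build the
    table does not describe is 'unknown', not 'safe'.
    """
    for name, train, fixed in FIXED_BUILDS:
        if name == product and in_train(version, train):
            return parse_version(version) < parse_version(fixed)
    raise ValueError(f"no fixed build recorded for {product} {version}")


def aesni_capable(cpuinfo_text: str) -> bool:
    """True if any /proc/cpuinfo 'flags' line lists the 'aes' feature bit."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "aes" in value.split():
            return True
    return False


def cve_2016_2107_applies(product: str, version: str,
                          platform: Optional[str] = None,
                          cpuinfo_text: Optional[str] = None) -> bool:
    """CVE-2016-2107 needs an unpatched build AND AES-NI hardware.

    Listed appliance models are checked against NO_AESNI_PLATFORMS; for
    customer-provided hardware, pass the host's /proc/cpuinfo text instead.
    """
    if not needs_patch(product, version):
        return False
    if platform is not None:
        return platform not in NO_AESNI_PLATFORMS.get(product, set())
    if cpuinfo_text is not None:
        return aesni_capable(cpuinfo_text)
    raise ValueError("need a platform name or cpuinfo text to judge AES-NI support")


# Constructed /proc/cpuinfo excerpts, not captured from any Blue Coat system.
CPUINFO_AESNI = "processor\t: 0\nflags\t\t: fpu vme sse2 ssse3 aes avx\n"
CPUINFO_NO_AESNI = "processor\t: 0\nflags\t\t: fpu vme sse2 ssse3\n"

if __name__ == "__main__":
    print(needs_patch("ProxySG", "6.5.9.7"))                                # True
    print(needs_patch("PacketShaper", "9.2.13p1"))                          # True
    print(cve_2016_2107_applies("ProxySG", "6.5.9.7", platform="SG300"))    # False
    print(cve_2016_2107_applies("ICSP", "5.3.5", cpuinfo_text=CPUINFO_AESNI))  # True
```

The two ValueError paths are deliberate: a build whose train is not in the table, or a CVE-2016-2107 query with no hardware information, is reported as an error rather than as "not vulnerable", which matches the advisory's own practice of listing products as "under investigation" until a determination has been made.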

Advisory History: 

2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2018-04-06 A fix for Reporter 9.5 is available in 9.5.4.1.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-21 Reporter 9.4, 9.5, and 10.1 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  Reporter 9.5 and 10.1 are also vulnerable to CVE-2016-2107.  A fix for Reporter 10.1 is available in 10.1.4.2.
2017-07-20 MC 1.10 is not vulnerable.
2016-06-30 A fix for ProxyAV 3.5 is available in 3.5.4.2.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-18 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable.  ProxySG 6.7 is not vulnerable.  SSLV 4.0 is not vulnerable.
2017-02-07 A fix for Android Mobile Agent is available in 1.3.8.  Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-12-19 A fix for MAA is available in 4.2.11.
2016-12-04 PacketShaper S-Series 11.7 is not vulnerable.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-03 A fix for all CVEs in PacketShaper 9.2 is available in 9.2.13p2.  A fix for all CVEs in PolicyCenter 9.2 is available in 9.2.13p2.
2016-11-02 Further investigation in the MAA fixes has shown that all MAA 4.2 releases are vulnerable.  A fix is not available at this time.
2016-10-26 A fix for ASG is available in 6.6.5.1.  A fix for MC 1.6 is available in 1.6.1.1.  MC 1.7 is not vulnerable.  A fix for MC 1.5 will not be provided.  MAA 4.2.10 accidentally re-introduced the vulnerabilities and is vulnerable to CVE-2016-2105, CVE-2016-2107 (all supported hardware platforms) and CVE-2016-2108.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-19 A fix for CacheFlow is available in 3.4.2.7.
2016-08-12 A fix for CAS 1.3 is available in 1.3.7.1.  Security Analytics 7.2 is not vulnerable.
2016-08-10 A fix for Unified Agent is available in 4.7.1.
2016-07-19 ProxySG is not vulnerable to CVE-2016-2107 when running on the SG300 and SG600 hardware platforms. CVE-2016-2109 on ProxySG only affects management connections. CVE-2016-2108 can be exploited through a crafted X.509 certificate only if the target successfully verifies the certificate signature.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4.  Please upgrade to a later version with the vulnerability fixes.
2016-06-25 Security Analytics 7.0 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.  A fix will not be provided.  Please upgrade to the latest version with the vulnerability fixes.
2016-06-24 A fix for PacketShaper S-Series 11.5 is available in 11.5.3.2.  A fix for PolicyCenter S-Series is available in 1.1.2.2.
2016-06-21 A fix for ProxySG 6.6 is available in 6.6.4.1.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-06-11 A fix for ProxySG 6.5 is available in 6.5.9.8.
2016-06-07 A fix for SSLV 3.9 is available in 3.9.3.6.
2016-06-03 A fix for MAA is available in 4.2.9.
2016-05-26 Added hardware platform information.  Clarified that Android Mobile Agent, Client Connector for Windows, ProxyClient for Windows, and Unified Agent are vulnerable to CVE-2016-2107.
2016-05-25 Security Analytics 6.6 and 7.1 are vulnerable to CVE-2016-2107 on all hardware platforms.  Security Analytics 7.0 is under investigation.  Fixes are available for Security Analytics 6.6 and 7.1 through RPM patches available from customer support.
2016-05-12 A fix for SSLV 3.8 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2016-05-11 Fixes for CVE-2016-2108 are available in PacketShaper 9.2.13p1 and PolicyCenter 9.2.13p1.
2016-05-09 Initial public release.