SA128 : Multiple PCRE Vulnerabilities

Security Advisory ID: SA128
Published Date: Jul 07, 2016
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C)
CVE Number: 
CVE-2015-8380 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8381 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8382 - 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVE-2015-8383 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8384 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8385 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8386 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8387 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8388 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8389 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8390 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8391 - 9.0 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:C)
CVE-2015-8392 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8393 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2015-8394 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8395 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-1283 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-3191 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Blue Coat products that include vulnerable versions of the PCRE and GLib2 libraries are susceptible to multiple vulnerabilities.  A remote attacker can exploit these vulnerabilities to execute arbitrary code and obtain sensitive information.  The attacker can also cause denial of service through application crashes, buffer overflows, integer overflows, and excessive CPU consumption.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway
ASG 6.6 prior to 6.6.5.1 is vulnerable to all CVEs.  The vulnerabilities are only exploitable when a malicious authenticated administrator with write access adds crafted regular expressions to policy.  ASG 6.6 starting with 6.6.5.1 and ASG 6.7 have a vulnerable version of PCRE and GLib2, but are not vulnerable to known vectors of attack.

CacheFlow
CacheFlow 3.4 is vulnerable to CVE-2015-8382, CVE-2015-8387, and CVE-2015-8394.

Director
Director 6.1 is vulnerable to CVE-2015-8382 and CVE-2015-8386.  The vulnerabilities are only exploitable when a malicious authenticated administrator passes crafted regular expressions as arguments to CLI commands.

Norman Shark Network Protection
NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394.

ProxySG
ProxySG 6.5 prior to 6.5.9.11 is vulnerable to CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, and CVE-2016-3191.  ProxySG 6.6 prior to 6.6.5.1 is vulnerable to all CVEs.  The vulnerabilities are only exploitable when a malicious authenticated administrator with write access adds crafted regular expressions to policy.  ProxySG 6.7 is not vulnerable.

Security Analytics
Security Analytics 6.6, 7.0, 7.1, and 7.2 prior to 7.2.2 are vulnerable to CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394. Security Analytics 7.3 is not vulnerable.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191.

The following products contain vulnerable versions of the PCRE or GLib2 libraries, but are not vulnerable to known vectors of attack:

Content Analysis System
CAS 1.3, 2.1, and 2.2 have vulnerable versions of PCRE and GLib2.

Mail Threat Defense
MTD 1.1 has vulnerable versions of PCRE and GLib2.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.10 has a vulnerable version of PCRE.

Management Center
MC 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, and 1.11 have vulnerable versions of PCRE and GLib2.

Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.6 has a vulnerable version of PCRE.

Norman Shark SCADA Protection
NSP 5.3 prior to 5.3.6 has a vulnerable version of PCRE.

PacketShaper
PS 9.2 has a vulnerable version of PCRE.

PacketShaper S-Series
PS S-Series 11.2, 11.3, 11.4, 11.5, 11.6, 11.7, 11.8 and 11.9 have vulnerable versions of PCRE and GLib2.

PolicyCenter
PC 9.2 has a vulnerable version of PCRE.

PolicyCenter S-Series
PC S-Series 1.1 has vulnerable versions of PCRE and GLib2.

Reporter
Reporter 10.1 has vulnerable versions of PCRE and GLib2.  Reporter 9.4 and 9.5 are not vulnerable.

SSL Visibility
SSLV 3.8.4FC, 3.9 prior to 3.9.4.1, 4.0, 4.1, and 4.2 have a vulnerable version of PCRE.  SSLV 3.10 and later 3.x releases are not vulnerable.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
Unified Agent

The following products are under investigation:
IntelligenceCenter
IntelligenceCenter Data Collector

Blue Coat no longer provides vulnerability information for the following products:

DLP

Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses multiple PCRE vulnerabilities.  Blue Coat products that include vulnerable versions of the PCRE library, or GLib2 libraries that include PCRE functionality, and that use the affected functionality are vulnerable.

  • CVE-2015-8380 is a flaw in regular expression execution that allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8381 is a flaw in group reference handling that allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8382 is a flaw in regular expression execution that allows a remote attacker to obtain sensitive information from the target's memory or cause denial of service through application crashes.
  • CVE-2015-8383 is a flaw in repeated conditional group handling that allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8384 is a flaw in recursive back reference handling that allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8385 is a flaw in forward reference handling that allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8386 is a flaw in lookbehind assertion and mutually recursive subpattern handling that allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8387 is a flaw in subroutine call handling that allows a remote attacker to cause an integer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8388 is a flaw in unmatched closing parenthesis handling that allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8389 is a flaw in pattern handling that allows a remote attacker to cause infinite recursion via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8390 is a flaw in character class handling that allows a remote attacker to cause uninitialized memory reads via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8391 is a flaw in nesting handling that allows a remote attacker to cause excessive CPU consumption via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8392 is a flaw in substring handling that allows a remote attacker to cause a buffer overflow and unintended recursion via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8393 is a flaw in the pcregrep utility that allows a remote attacker to obtain sensitive information via a crafted binary file.
  • CVE-2015-8394 is a flaw in condition handling that allows a remote attacker to cause an integer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2015-8395 is a flaw in reference handling that allows a remote attacker to cause denial of service or unspecified other impact via a crafted regular expression.
  • CVE-2016-1283 is a flaw in named subgroup handling that allows a remote attacker to cause heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.
  • CVE-2016-3191 is a flaw in substring and nested parenthesis handling that allows a remote attacker to cause stack-based buffer overflow via a crafted regular expression, resulting in arbitrary code execution or denial of service.

Some Blue Coat products do not accept regular expression patterns from untrusted sources and do not use the pcregrep utility.  The products listed below include vulnerable versions of the PCRE or GLib2 libraries, but are not known to be vulnerable to the CVEs below.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • CAS: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • MTD: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • MAA: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
  • MC: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • ICSP: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
  • NSP: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
  • PS: CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394
  • PC: CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394
  • SSLV 3.x: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393 and CVE-2015-8394
  • SSLV 4.0: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2016-3191
  • XOS 9.7: CVE-2015-8380, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8392, CVE-2015-8393, CVE-2015-8394, CVE-2015-8395, and CVE-2016-1283

Workarounds: 

These CVEs can be exploited in ASG and ProxySG 6.6 only by authenticated administrator users with write access.  Restricting the administrator users that have write access reduces the threat of exploiting the vulnerabilities.

These CVEs can be exploited in ASG, Director, and ProxySG only through their management interfaces.  Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

Patches: 

Advanced Secure Gateway
ASG 6.7 - a fix for CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191 is not available at this time.
ASG 6.6 - a fix for all CVEs except CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191 is available in 6.6.5.1.  A fix for the remaining CVEs is not available at this time.

CacheFlow
CacheFlow 3.4 - a fix is not available at this time.

Content Analysis System
CAS 2.2 - a fix is not available at this time.
CAS 2.1 - a fix is not available at this time.
CAS 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Malware Analysis Appliance
MAA 4.2 - a fix is available in 4.2.10.

Management Center
MC 1.11 - a fix is not available at this time.
MC 1.10 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
MC 1.9 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
MC 1.8 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
MC 1.7 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
MC 1.6 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
MC 1.5 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is available in 5.3.6.

Norman Shark Network Protection
NNP 5.3 - a fix is available in 5.3.6.

Norman Shark SCADA Protection
NSP 5.3 - a fix is available in 5.3.6.

PacketShaper
PS 9.2 - a fix is not available at this time.

PacketShaper S-Series
PS S-Series 11.9 - a fix is not available at this time.
PS S-Series 11.8 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.
PS S-Series 11.7 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.
PS S-Series 11.6 - a fix is not available at this time.
PS S-Series 11.5 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.
PS S-Series 11.4 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
PS S-Series 11.3 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
PS S-Series 11.2 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.

PolicyCenter
PC 9.2 - a fix is not available at this time.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is not available at this time.

ProxySG
ProxySG 6.6 - a fix is available in 6.6.5.1.
ProxySG 6.5 - a fix is available in 6.5.9.11.

Reporter
Reporter 10.1 - a fix is not available at this time.

Security Analytics
Security Analytics 7.2 - a fix is available in 7.2.2.
Security Analytics 7.1 - a fix is not available at this time.
Security Analytics 7.0 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
Security Analytics 6.6 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.

SSL Visibility
SSLV 4.2 - a fix is not available at this time.
SSLV 4.1 - a fix is not available at this time.
SSLV 4.0 - a fix is not available at this time.
SSLV 3.9 - a fix is available in 3.9.4.1.
SSLV 3.8.4FC - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 4.2 has a vulnerable version of PCRE, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-11-08 CAS 2.2 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-11-07 MC 1.11 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.  A fix for MC 1.10 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-06 ASG 6.6 prior to 6.6.5.1 is vulnerable to all CVEs.  ASG 6.6 starting with 6.6.5.1 and 6.7 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack.
2017-10-26 It was previously reported that CacheFlow 3.4 is vulnerable to CVE-2015-8386 and CVE-2015-8390.  Further investigation has shown that CacheFlow 3.4 is not vulnerable to these CVEs.
2017-08-03 SSLV 4.1 has a vulnerable version of PCRE, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-07-25 PS S-Series 11.9 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-07-21 MC 1.10 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PS S-Series 11.8 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-05-29 A fix for Security Analytics 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-05-18 CAS 2.1 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-03-30 MC 1.9 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-03-08 MC 1.6, MC 1.7, MC 1.8, and SSLV 4.0 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack.  ProxySG 6.7 is not vulnerable.  Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-01-25 A fix for Security Analytics 7.2 is available in 7.2.2.
2016-12-03 PS S-Series 11.7 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2016-12-03 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-03 A fix for MAA is available in 4.2.10.  A fix for ProxySG 6.6 is available in 6.6.5.1.
2016-09-09 A fix for ProxySG 6.5 is available in 6.5.9.11.
2016-08-12 Security Analytics 7.2 is vulnerable to CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394.
2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1.
2016-07-12 Reporter 9.4 and 9.5 are not vulnerable.
2016-07-11 MAA 4.2 has a vulnerable version of PCRE, but is not vulnerable to known vectors of attack.
2016-07-07 initial public release