SA134 : Linux Kernel Vulnerabilities Oct/Nov 2016

Security Advisory ID: SA134
Published Date: Dec 08, 2016
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE Number: 
CVE-2016-5195 - 7.2 (HIGH) (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVE-2016-7039 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2016-8666 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2016-9555 - 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Blue Coat products that include a vulnerable version of the Linux kernel are susceptible to several vulnerabilities.  A remote attacker, with access to the management interface, can exploit these vulnerabilities to cause denial of service through system crashes or have unspecified other impact.  A local attacker can also escalate their privileges on the system (aka Dirty COW).

Affected Products:

The following products are vulnerable:

Content Analysis System
CAS 1.3 prior to 1.3.7.5 and 2.1 are vulnerable to CVE-2016-7039.  CAS 2.2 is not vulnerable.

Director
Director 6.1 is vulnerable to CVE-2016-5195 (Dirty COW) and CVE-2016-9555.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.11 is vulnerable to CVE-2016-5195 (Dirty COW).  MAA 4.2 is also vulnerable to CVE-2016-7039, CVE-2016-8666, and CVE-2016-9555.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-7039.

Management Center
MC 1.7 and 1.8 are vulnerable to CVE-2016-7039.  MC 1.9 and later releases are not vulnerable.

Norman Shark Industrial Control System Protection
ICSP 5.3 is vulnerable to CVE-2016-5195 (Dirty COW), CVE-2016-8666, and CVE-2016-9555.

Norman Shark Network Protection
NNP 5.3 is vulnerable to CVE-2016-5195 (Dirty COW), CVE-2016-8666, and CVE-2016-9555.

Norman Shark SCADA Protection
NSP 5.3 is vulnerable to CVE-2016-5195 (Dirty COW), CVE-2016-8666, and CVE-2016-9555.

Reporter
Reporter 10.1 prior to 10.1.5.4 is vulnerable to CVE-2016-7039.  Reporter 9.4 and 9.5 are not vulnerable.

Security Analytics
Security Analytics 6.6, 7.1, and 7.2 prior to 7.2.2 are vulnerable to CVE-2016-5195 (Dirty COW).  Security Analytics 6.6, 7.1, and 7.2 prior to 7.2.3 are also vulnerable to CVE-2016-9555.  Security Analytics 7.3 is not vulnerable.

SSL Visibility
SSLV 4.0 is vulnerable to CVE-2016-7039.  SSLV 3.8.4FC, 3.9, 3.10, and 3.11 prior to 3.11.3.1 have a vulnerable version of the Linux kernel.  SSLV 3.12 is not vulnerable. SSLV 4.1 and later versions are not vulnerable.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-5195 (Dirty COW).

The following products have a vulnerable version of the Linux kernel, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 prior to 6.6.5.8 has a vulnerable version of the Linux kernel.  ASG 6.7 is not vulnerable.

PacketShaper S-Series
PS S-Series 11.5, 11.6, 11.7, and 11.8 have a vulnerable version of the Linux kernel.  PS S-Series 11.9 is not vulnerable.

PolicyCenter S-Series
PC S-Series 1.1 has a vulnerable version of the Linux kernel.

The following products are not vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses several vulnerabilities in the Linux kernel.  Blue Coat products, which include vulnerable versions of the Linux kernel and use the affected functionality, are vulnerable.

  • CVE-2016-5195 (Dirty COW) is a race condition in the memory manager copy-on-write (COW) functionality that allows a local attacker to write to read-only memory mappings and escalate their privileges on the system.
  • CVE-2016-7039 is an unbounded recursion flaw in VLAN and Transparent Ethernet Bridging (TEB) Generic Receive Offload (GRO) handling that allows a remote attacker to send large crafted packets and cause a system crash, resulting in denial of service.
  • CVE-2016-8666 is an unbounded recursion flaw in Generic Receive Offload (GRO) handling that allows a remote attacker to send crafted packets with tunnel stacking and cause a system crash, resulting in denial of service.
  • CVE-2016-9555 is a buffer overread flaw in SCTP packet handling that allows a remote attacker to send crafted SCTP packets and cause denial of service or have unspecified other impact.

Blue Coat products that use a native installation of the Linux kernel but do not install or maintain the kernel are not vulnerable to the attacks using the CVEs in this Security Advisory.  However, the underlying platform that installs and maintains the Linux kernel may be vulnerable.  Blue Coat urges our customers to update the versions of the Linux kernel that are natively installed for Client Connector, Cloud Data Protection, ProxyClient, and Reporter 9.x for Linux.

Some Blue Coat products do not provide Linux shell access, do not execute arbitrary code from external sources, or do not act as an SCTP server.  The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • CAS: CVE-2016-5195 (Dirty COW) (1.3 only) and CVE-2016-9555
  • MTD: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • MC: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • PacketShaper S-Series: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • PolicyCenter S-Series: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • Reporter: CVE-2016-5195 (Dirty COW)
  • SSL Visibility: CVE-2016-5195 (Dirty COW) (3.x only) and CVE-2016-9555
  • XOS: CVE-2016-9555

Workarounds: 

CVE-2016-7039, CVE-2016-8666, and CVE-2016-9555 can be exploited only through the management interfaces for all vulnerable products.  Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

By default, Director and Security Analytics do not act as an SCTP server.  Customers who leave this behavior unchanged prevent attacks using CVE-2016-9555 against these products.

Patches: 

Advanced Secure Gateway
ASG 6.7 - a fix is available in 6.7.2.1.
ASG 6.6 - a fix is available in 6.6.5.8.

Content Analysis System
CAS 2.2 - a fix is available in 2.2.1.1.
CAS 2.1 - a fix is not available at this time.
CAS 1.3 - a fix is available in 1.3.7.5.

Director
Director 6.1 - a fix is not available at this time.

Malware Analysis Appliance
MAA 4.2 - a fix for CVE-2016-5195 (Dirty COW) is available in 4.2.11.  A fix for the remaining CVEs is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.9 - a fix is available in 1.9.1.1.
MC 1.8 - a fix will not be provided.  Please, upgrade to a later version with the vulnerability fixes.
MC 1.7 - a fix will not be provided.  Please, upgrade to a later version with the vulnerability fixes.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is not available at this time.

Norman Shark Network Protection
NNP 5.3 - a fix is not available at this time.

Norman Shark SCADA Protection
NSP 5.3 - a fix is not available at this time.

PacketShaper S-Series
PS S-Series 11.9 - a fix is available in 11.9.1.1.
PS S-Series 11.8 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.
PS S-Series 11.7 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.
PS S-Series 11.6 - a fix is not available at this time.
PS S-Series 11.5 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is not available at this time.

Reporter
Reporter 10.1 - a fix for all CVEs is available in 10.1.5.4.

Security Analytics
Security Analytics 7.2 - a fix for CVE-2016-5195 (Dirty COW) is available in 7.2.2.  A fix for all CVEs is available in 7.2.3.
Security Analytics 7.1 - a fix is not available at this time.
Security Analytics 6.6 - a fix will not be provided.  Please, upgrade to a later version with the vulnerability fixes.

SSL Visibility
SSLV 4.1 - a fix is available in 4.1.1.1.
SSLV 4.0 - a fix is not available at this time.
SSLV 3.12 - a fix is available in 3.12.1.1.
SSLV 3.11 - a fix for CVE-2016-5195 (Dirty COW) is available in 3.11.1.1. A fix for CVE-2016-9555 is available in 3.11.3.1.
SSLV 3.10 - a fix for CVE-2016-5195 is available in 3.10.2.1. A fix for CVE-2016-9555 is not available at this time.
SSLV 3.9 - a fix for CVE-2016-5195 is available in 3.9.7.1.
SSLV 3.8.4FC - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8  will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-08 CAS 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1.
2017-07-25 PS S-Series 11.9 is not vulnerable because a fix is available in 11.9.1.1.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-22 A fix for all CVEs in Reporter 10.1 is available in 10.1.5.4.
2017-06-05 PS S-Series 11.8 has a vulnerable version of the Linux kernel. A fix is not available at this time.
2017-05-29 A fix for Security Analytics 6.6 will not be provided.  Please, upgrade to a later version with the vulnerability fixes.
2017-05-26 A fix for CAS 1.3 is available in 1.3.7.5.
2017-05-19 A fix for ASG 6.6 is available in 6.6.5.8.
2017-05-18 CAS 2.1 is vulnerable to CVE-2016-7039.  It also has a vulnerable version of the Linux kernel for CVE-2016-9555, but is not vulnerable to known vectors of attack.
2017-04-12 A fix for CVE-2016-9555 in SSLV 3.11 is available in 3.11.3.1.
2017-03-30 It was previously reported that CAS, MTD, MC, Reporter 10.1, and SSLV 4.0 are vulnerable to CVE-2016-8666.  Further investigation indicates that these products are not vulnerable to CVE-2016-8666.  MC 1.9 is not vulnerable because a fix for all CVEs is available in 1.9.1.1.
2017-03-16 A fix for CVE-2016-5195 in SSLV 3.10 is available in 3.10.2.1.
2017-03-09 A fix for all CVEs in Security Analytics 7.2 is available in 7.2.3.
2017-03-08 MC 1.8 and SSLV 4.0 are vulnerable to CVE-2016-7039 and CVE-2016-8666.
2017-01-25 It was previously reported that Security Analytics 6.6, 7.1, and 7.2 are vulnerable to CVE-2016-7039 and CVE-2016-8666.  Further investigation indicates that Security Analytics is not vulnerable.  Fixes for CVE-2016-5195 (Dirty COW) in SA 6.6 and 7.1 are not available at this time.
2017-01-13 A fix for CVE-2016-5195 in SSLV 3.9 is available in 3.9.7.1.
2016-12-19 A fix for CVE-2016-5195 (Dirty COW) in MAA 4.2 is available in 4.2.11.
2016-12-08 initial public release