SA135 : OpenSSL Vulnerabilities 10-Nov-2016

Click to Subscribe
Security Advisory ID: 
SA135
Published Date: 
Nov 30, 2016
Advisory Status: 
Interim
Advisory Severity: 
High
CVSS v2 base score: TBD
CVE Number: 
CVE-2016-7053 - TBD
CVE-2016-7054 - TBD
CVE-2016-7055 - TBD

Blue Coat products using affected versions of OpenSSL are susceptible to multiple vulnerabilities.  A remote attacker can exploit these vulnerabilities to cause denial of service and obtain SSL/TLS session key information.

CVSS v2 base scores will be provided when the National Vulnerability Database (NVD) scoring is complete.  The advisory severity may be adjusted once the CVSS v2 base scores become available.

Affected Products:

The following products are vulnerable:

Director
Director 6.1 prior to 6.1.23.1 is vulnerable to CVE-2016-7055.

Malware Analysis Appliance
MAA 4.2 is vulnerable to CVE-2016-7055.

Norman Shark Industrial Control System Protection
ICSP 5.3 is vulnerable to CVE-2016-7055.

Norman Shark Network Protection
NNP 5.3 is vulnerable to CVE-2016-7055.

Norman Shark SCADA Protection
NSP 5.3 is vulnerable to CVE-2016-7055.

SSL Visibility
SSLV 3.8.4FC, 3.9, 3.10, 3.11 prior to 3.11.3.1, and 4.0 prior to 4.0.2.1 are vulnerable to CVE-2016-7055.  SSLV 4.1 is not vulnerable.

Unified Agent
UA 4.6 and 4.7 are vulnerable to CVE-2016-7055. UA 4.8 is not vulnerable.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Reporter
Security Analytics
X-Series XOS

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses multiple vulnerabilities announced in OpenSSL Security Advisory [10 Nov 2016].  Blue Coat products that include a vulnerable version of OpenSSL and make use of the affected functionality are vulnerable.

  • CVE-2016-7053 is a flaw in CMS parsing that allows a remote attacker to send invalid CMS data and cause denial of service through application crashes.
  • CVE-2016-7054 is a flaw in the SSL/TLS client and server modules that allows a remote attacker to send large amount of encrypted data and cause denial of service through application crashes.
  • CVE-2016-7055 is a flaw in Montgomery multiplication that allows a remote attacker to compromise ECDH key negotiation in SSL/TLS connections that use Brainpool P-512 curves. The attacker may be able to obtain information about session keys computed during ECDH key negotiation.

Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs.  However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable.  Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Blue Coat products may act as both client and server in SSL/TLS connections.  Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services.  Products that are vulnerable to CVE-2016-7055 should be considered vulnerable in all interfaces that provide SSL/TLS client and server connections.

Workarounds: 

There are no known workarounds.

Patches: 

Director
Director 6.1 - a fix is available in 6.1.23.1.

Malware Analysis Appliance
MAA 4.2 - a fix is not available at this time.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is not available at this time.

Norman Shark Network Protection
NNP 5.3 - a fix is not available at this time.

Norman Shark SCADA Protection
NSP 5.3 - a fix is not available at this time.

SSL Visibility
SSLV 4.0 - a fix is available in 4.0.2.1.
SSLV 3.11 - a fix is available in 3.11.3.1.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix is not available at this time.
SSLV 3.8.4FC - a fix is not available at this time.

Unified Agent
UA 4.8 - a fix is available in 4.8.0.
UA 4.7 - a fix is not available at this time.
UA 4.6 - a fix will not be provided.  Please upgrade to the latest release with the vulnerability fix.
UA 4.1 - a fix will not be provided.  Please upgrade to the latest release with the vulnerability fix.

Advisory History: 

2017-08-02 SSLV 4.1 is not vulnerable.
2017-05-22 UA 4.8 is not vulnerable because a fix is available in 4.8.0.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-12 A fix for SSLV 3.11 is available in 3.11.3.1.
2017-03-30 A fix for SSLV 4.0 is available in 4.0.2.1.
2017-03-08 SSLV 4.0 is vulnerable to CVE-2016-7055.
2016-11-30 initial public release