SA136 : OpenSSH Vulnerabilities

Security Advisory ID: SA136
Published Date: Dec 13, 2016
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE Number:
CVE-2016-6210 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2016-6515 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2016-8858 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Blue Coat products using affected versions of OpenSSH are susceptible to several vulnerabilities.  A remote attacker, with access to the management interface, can exploit these vulnerabilities to enumerate existing user accounts and cause denial of service through excessive CPU consumption and memory exhaustion.

Affected Products:

The following products are vulnerable:

ASG
ASG 6.6 prior to 6.6.5.4 is vulnerable to CVE-2016-8858.

CacheFlow
CacheFlow 3.4 prior to 3.4.2.8 is vulnerable to CVE-2016-8858.

Director
Director 6.1 prior to 6.1.23.1 is vulnerable to CVE-2016-6515.  Director 6.1.22.1 only is also vulnerable to CVE-2016-6210 and CVE-2016-8858.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.10 is vulnerable to CVE-2016-6210 and CVE-2016-6515.  MAA 4.2 is also vulnerable to CVE-2016-8858.

Norman Shark Industrial Control System Protection
ICSP 5.3 is vulnerable to all CVEs.

Norman Shark Network Protection
NNP 5.3 is vulnerable to all CVEs.

Norman Shark SCADA Protection
NSP 5.3 is vulnerable to all CVEs.

PacketShaper
PS 9.2 is vulnerable to CVE-2016-8858.  The denial of service attack only affects other SSH management connections.

ProxySG
ProxySG 6.5 prior to 6.5.10.1 and 6.6 prior to 6.6.5.4 are vulnerable to CVE-2016-8858.  ProxySG 6.7 is not vulnerable.

SSL Visibility
SSLV 3.8.4FC, 3.9, 3.10 prior to 3.10.3.1, and 3.11 prior to 3.11.2.1 are vulnerable to CVE-2016-8858.  SSLV 3.8.4FC and 3.9 prior to 3.9.6.1 are vulnerable to CVE-2016-6210 and CVE-2016-6515.  SSLV 4.0 and 4.1 are not vulnerable.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-6210 and CVE-2016-6515.  Only the APM software in XOS 11.0 is vulnerable.

The following products are not vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
Security Analytics
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses several OpenSSH vulnerabilities announced in July, August, and October 2016.  Blue Coat products that include a vulnerable version of OpenSSH and make use of the affected functionality are vulnerable.

  • CVE-2016-6210 is a timing difference between password authentication for existing and non-existing user accounts.  A remote attacker can make authentication attempts with large passwords and use the difference in response time to enumerate the user accounts that exist on the target system.
  • CVE-2016-6515 is an insufficient input validation flaw in password authentication.  A remote attacker can send a long password string and cause excessive CPU consumption, resulting in denial of service.
  • CVE-2016-8858 is a flaw in message handling.  A remote attacker can repeatedly send the KEXINIT SSH message to cause memory exhaustion, resulting in denial of service.
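The two password-authentication flaws above share a root cause: the server does different amounts of work depending on whether the account exists, and it does that work on input of unbounded size.  The following Python sketch is an added illustration, not code from this advisory or from OpenSSH; it shows a password check written the vulnerable way beside a hardened version that bounds the input before hashing and performs the same hashing work for unknown users (OpenSSH 7.3 took the same approach, refusing passwords longer than 1024 characters and hashing a dummy password for nonexistent accounts).  The 1024-byte cap, the PBKDF2 cost, the user table and the function names are assumptions chosen for the example.

```python
"""Added example (not Blue Coat or OpenSSH code): a minimal password check
showing the hardening principles behind the fixes for CVE-2016-6210 and
CVE-2016-6515.  All names, limits and the user table are assumptions."""
import hashlib
import hmac
import time

MAX_PASSWORD_LEN = 1024   # assumption for this example: refuse to hash anything longer
PBKDF2_ROUNDS = 20_000    # assumption: a deliberately slow hash, standing in for crypt(3)


def hash_password(password: bytes, salt: bytes) -> bytes:
    """Slow password hash; its cost is exactly what an attacker abuses."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


# Constructed user table: username -> (salt, hash).  Not a real credential store.
_ADMIN_SALT = b"constructed-salt-admin"
USERS = {"admin": (_ADMIN_SALT, hash_password(b"correct horse", _ADMIN_SALT))}

# Dummy record used for unknown users so they cost the same as known ones.
_DUMMY_SALT = b"constructed-salt-dummy"
_DUMMY_HASH = hash_password(b"not a real password", _DUMMY_SALT)


def verify_vulnerable(username: str, password: bytes):
    """The pattern behind both CVEs: an unknown user is rejected without any
    hashing (a measurable timing difference, CVE-2016-6210) and a password of
    any length is fed to the slow hash (CPU exhaustion, CVE-2016-6515).
    Returns (accepted, hash_was_computed)."""
    record = USERS.get(username)
    if record is None:
        return False, False                      # fast path leaks "no such user"
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected), True


def verify_hardened(username: str, password: bytes):
    """Bound the input before doing expensive work, then do the same work
    whether or not the account exists.  Returns (accepted, hash_was_computed)."""
    if len(password) > MAX_PASSWORD_LEN:
        return False, False                      # cheap rejection, nothing hashed
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), expected)
    # The hash was computed either way; only accept if the user really exists.
    return matched and username in USERS, True


def _timed(fn, username, password):
    start = time.perf_counter()
    accepted, hashed = fn(username, password)
    return accepted, hashed, time.perf_counter() - start


if __name__ == "__main__":
    for fn in (verify_vulnerable, verify_hardened):
        print(fn.__name__)
        for user in ("admin", "nobody"):
            accepted, hashed, secs = _timed(fn, user, b"wrong password")
            print(f"  {user:7s} accepted={accepted} hashed={hashed} {secs * 1000:.1f} ms")
        accepted, hashed, secs = _timed(fn, "admin", b"A" * 200_000)
        print(f"  200000-byte password: hashed={hashed} {secs * 1000:.1f} ms")
```

Run stand-alone, the vulnerable variant answers for "nobody" in microseconds while "admin" takes the full hash time; the hardened variant takes the same time for both and refuses the oversized password without touching the hash function at all.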

Blue Coat products do not enable or use all functionality within OpenSSH.  The products listed below do not use the functionality described in the CVEs named beside them and are thus not known to be vulnerable to those CVEs.  However, fixes for these CVEs will be included in the patches that are provided.

  • PacketShaper: CVE-2016-6210 and CVE-2016-6515

Workarounds: 

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products.  Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.
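Restricting the management interface to a trusted network is the control; checking that the restriction holds, and spotting the account-enumeration pattern of CVE-2016-6210 if it does not, is the corresponding detection.  The script below is an added example, not Blue Coat code or a feature of any product in this advisory: it reads sshd authentication log lines in the standard OpenSSH syslog format, reports every source address outside an assumed trusted-network allowlist, and flags any single source that tries an unusual number of distinct non-existent usernames.  The log lines are constructed for the example, and the subnets, hostname and threshold are assumptions to be replaced with the real management-network values.

```python
"""Added example (not Blue Coat code): audit SSH management-interface logins
against a trusted-network allowlist and flag username enumeration.
Sample log lines are constructed; networks, hostnames and the threshold are
assumptions."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the only networks that should reach the management interface.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/24"),
                    ipaddress.ip_network("192.0.2.0/28")]
# Assumption: distinct non-existent usernames from one source before we call it enumeration.
ENUM_THRESHOLD = 5

# Standard sshd auth messages; the longer "invalid user" alternative must come first.
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Failed password for invalid user|Invalid user|"
    r"Failed password for|Accepted password for|Accepted publickey for) "
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)")

# Constructed sample: one legitimate admin login from the management subnet,
# a single probe from an untrusted address, and an enumeration run from another.
SAMPLE_LOG = """\
Dec 13 09:01:02 mgmt-host sshd[2101]: Failed password for admin from 10.10.0.7 port 50213 ssh2
Dec 13 09:01:05 mgmt-host sshd[2101]: Accepted password for admin from 10.10.0.7 port 50213 ssh2
Dec 13 09:01:40 mgmt-host sshd[2120]: Invalid user root from 198.51.100.9
Dec 13 09:01:40 mgmt-host sshd[2120]: Failed password for invalid user root from 198.51.100.9 port 38800 ssh2
Dec 13 09:02:10 mgmt-host sshd[2140]: Invalid user oracle from 203.0.113.44
Dec 13 09:02:10 mgmt-host sshd[2140]: Failed password for invalid user oracle from 203.0.113.44 port 40001 ssh2
Dec 13 09:02:11 mgmt-host sshd[2141]: Invalid user test from 203.0.113.44
Dec 13 09:02:11 mgmt-host sshd[2141]: Failed password for invalid user test from 203.0.113.44 port 40002 ssh2
Dec 13 09:02:12 mgmt-host sshd[2142]: Invalid user guest from 203.0.113.44
Dec 13 09:02:13 mgmt-host sshd[2143]: Invalid user postgres from 203.0.113.44
Dec 13 09:02:14 mgmt-host sshd[2144]: Invalid user backup from 203.0.113.44
Dec 13 09:02:14 mgmt-host sshd[2144]: Failed password for invalid user backup from 203.0.113.44 port 40005 ssh2
"""


def parse_line(line):
    """Return (event, username, ip_address) for an sshd auth line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return m.group("event"), m.group("user"), ipaddress.ip_address(m.group("ip"))


def is_trusted(ip):
    """True when the source lies inside one of the allowlisted networks."""
    return any(ip in net for net in TRUSTED_NETWORKS)


def analyze(log_text):
    """Summarise untrusted sources and per-source enumeration of unknown accounts."""
    untrusted = set()
    invalid_users = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, user, ip = parsed
        if not is_trusted(ip):
            untrusted.add(str(ip))
        if "invalid user" in event.lower():      # both "Invalid user" message forms
            invalid_users[ip].add(user)
    enumeration = {str(ip): sorted(users)
                   for ip, users in invalid_users.items()
                   if len(users) >= ENUM_THRESHOLD}
    return {"untrusted_sources": sorted(untrusted), "enumeration": enumeration}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("Management SSH reached from outside trusted networks:")
    for ip in report["untrusted_sources"]:
        print("  ", ip)
    print("Probable account enumeration (source -> usernames tried):")
    for ip, users in report["enumeration"].items():
        print("  ", ip, "->", ", ".join(users))
```

On the constructed sample the report lists 198.51.100.9 and 203.0.113.44 as sources that the management ACL should never have admitted, and singles out 203.0.113.44 for trying five non-existent accounts; a single untrusted probe that never crosses the threshold is still reported as an ACL gap, which is the finding that matters for the workaround above.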

Patches: 

ASG
ASG 6.6 - a fix is available in 6.6.5.4.

CacheFlow
CacheFlow 3.4 - a fix is available in 3.4.2.8.

Director
Director 6.1 - a fix is available in 6.1.23.1.

Malware Analysis Appliance
MAA 4.2 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in 4.2.10.  A fix for CVE-2016-8858 is not available at this time.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is not available at this time.

Norman Shark Network Protection
NNP 5.3 - a fix is not available at this time.

Norman Shark SCADA Protection
NSP 5.3 - a fix is not available at this time.

PacketShaper
PS 9.2 - a fix is not available at this time.

ProxySG
ProxySG 6.7 - a fix is available in 6.7.1.1.
ProxySG 6.6 - a fix is available in 6.6.5.4.
ProxySG 6.5 - a fix is available in 6.5.10.1.

SSL Visibility
SSLV 3.11 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in 3.11.1.1.  SSLV 3.11.2.1 remediates CVE-2016-8858 by restricting the concurrent unauthenticated incoming SSH connections.
SSLV 3.10 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in 3.10.1.1.  A fix for CVE-2016-8858 is available in 3.10.3.1.
SSLV 3.9 - a fix for CVE-2016-6210 and CVE-2016-6515 is available in 3.9.6.1.  A fix for CVE-2016-8858 is not available at this time.
SSLV 3.8.4FC - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-08-15 A fix for CVE-2016-8858 in SSLV 3.10 is available in 3.10.3.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-29 A fix for CacheFlow 3.4 is available in 3.4.2.8.
2017-04-26 Added CVSS v2 score for CVE-2016-6210 and base score for Security Advisory.
2017-03-29 It was previously reported that ASG 6.6 is not vulnerable to CVE-2016-8858. Further investigation has shown that ASG 6.6 is vulnerable to CVE-2016-8858. A fix is available in 6.6.5.4.
2017-03-29 A fix for ProxySG 6.6 is available in 6.6.5.4.
2017-03-08 A fix for ProxySG 6.5 is available in 6.5.10.1.
2017-03-08 ProxySG 6.7 is not vulnerable because a fix is available in 6.7.1.1.  SSLV 4.0 is not vulnerable.
2016-01-25 SSLV 3.11.2.1 remediates CVE-2016-8858 by restricting the number of concurrent unauthenticated incoming SSH connections.
2016-12-13 initial public release
2016-01-20 It was previously reported that ASG, CAS, MTD, MC, PacketShaper S-Series, PolicyCenter S-Series, Reporter 10.1, Security Analytics, and XOS are vulnerable to CVE-2016-8858.  Further investigation has shown that these products are not vulnerable.