SA137 : NSS Vulnerabilities

Security Advisory ID: SA137
Published Date: Dec 20, 2016
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: TBD
CVE Number:
CVE-2016-2834 - 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE-2016-5285 - TBD
CVE-2016-8635 - TBD

Blue Coat products using affected versions of NSS are susceptible to several vulnerabilities.  A remote attacker can exploit these vulnerabilities to obtain private Diffie-Hellman (DH) keys, cause denial of service through application crashes, or possibly execute arbitrary code.

CVSS v2 base scores will be provided when the National Vulnerability Database (NVD) scoring is complete.

Affected Products:

The following products are vulnerable:

Director
Director 6.1 is vulnerable to CVE-2016-2834.

PacketShaper S-Series
PS S-Series 11.5, 11.6 prior to 11.6.3.1, and 11.7 prior to 11.7.2.1 are vulnerable to CVE-2016-2834. PS S-Series 11.8 and 11.9 are not vulnerable.

PolicyCenter S-Series
PC S-Series 1.1 prior to 1.1.3.1 is vulnerable to CVE-2016-2834.

Security Analytics
Security Analytics 6.6 and 7.1 are vulnerable to all CVEs.  Security Analytics 7.2 and 7.3 have a vulnerable version of NSS, but are not vulnerable to known vectors of attack.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to all CVEs.

The following products contain a vulnerable version of NSS, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 prior to 6.6.5.8 has a vulnerable version of NSS.

Content Analysis System
CAS 1.3 prior to 1.3.7.5 has a vulnerable version of NSS.  CAS 2.1 is not vulnerable.

Mail Threat Defense
MTD 1.1 has a vulnerable version of NSS.

Management Center
MC 1.7 and 1.8 have a vulnerable version of NSS.  MC 1.9 is not vulnerable.

Reporter
Reporter 10.1 prior to 10.1.5.4 has a vulnerable version of NSS.  Reporter 9.4 and 9.5 are not vulnerable.

SSL Visibility
SSLV 4.0 prior to 4.0.2.1 has a vulnerable version of NSS.  SSLV 3.8.4FC, 3.9, 3.10, 3.11, and 4.1 are not vulnerable.

The following products are not vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses several NSS vulnerabilities announced in June and November 2016.  Blue Coat products that include a vulnerable version of NSS and make use of the affected functionality are vulnerable.

  • CVE-2016-2834 identifies multiple buffer handling flaws that allow a remote attacker to send crafted cryptographic data and cause denial of service through memory corruption and application crashes.  The attacker may also cause the target system to execute arbitrary code.
  • CVE-2016-5285 is a NULL pointer dereference flaw in SSL message handling that allows a remote attacker to send an invalid Diffie-Hellman (DH) key and cause denial of service through application crashes.
  • CVE-2016-8635 is a flaw in SSL DH key exchange message handling that enables a small subgroup confinement attack.  A remote attacker can manipulate the client public DH key in an SSL handshake and recover the server private DH key.
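
The generic defence against the small subgroup confinement described for CVE-2016-8635 is to validate the peer's DH public value before using it; the following is an added example, not NSS or Blue Coat code, and the advisory does not describe the actual NSS fix. The parameters (p = 67, q = 11, g = 64), the function names and the sample values are toy values constructed for this illustration.

```python
# Toy parameters, constructed for this example (far too small for real use):
# P is prime, Q is a prime factor of P - 1, and G generates the order-Q subgroup.
P, Q, G = 67, 11, 64   # P - 1 = 2 * 3 * 11, so subgroups of order 2, 3 and 6 also exist


class InvalidPeerKey(ValueError):
    pass


def validate_dh_public_key(y, p=P, q=Q):
    """Full public-key validation: range check, then subgroup membership."""
    if not isinstance(y, int) or not 2 <= y <= p - 2:
        raise InvalidPeerKey("public value outside [2, p-2]")
    if pow(y, q, p) != 1:
        raise InvalidPeerKey("public value is not in the order-q subgroup")
    return y


def shared_secret(peer_y, private_x, p=P, q=Q, validate=True):
    """Compute the DH shared secret, validating the peer value first by default."""
    if validate:
        validate_dh_public_key(peer_y, p, q)
    return pow(peer_y, private_x, p)


def secret_space(peer_y, p=P, q=Q):
    """Distinct secrets an unvalidated peer value yields over all private keys 1..q-1."""
    return {shared_secret(peer_y, x, p, q, validate=False) for x in range(1, q)}


def is_accepted(y):
    """True if the peer value passes validation, False if it is rejected."""
    try:
        validate_dh_public_key(y)
        return True
    except InvalidPeerKey:
        return False


if __name__ == "__main__":
    honest = pow(G, 5, P)   # member of the order-Q subgroup
    confined = 37           # constructed value of order 3 (37**3 % 67 == 1)
    for label, y in (("honest", honest), ("order-3", confined), ("p-1", P - 1)):
        print(label, y, "accepted" if is_accepted(y) else "rejected",
              "possible secrets:", len(secret_space(y)))
```

Without validation, a peer value of small order collapses the set of possible shared secrets to the size of that small subgroup, which is what lets an observer learn information about the private key.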

Some Blue Coat products do not enable or use all functionality within NSS.  The products listed below do not use the functionality affected by the CVEs listed beside them and are thus not known to be vulnerable to those CVEs.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: all CVEs
  • CAS: all CVEs
  • Director: CVE-2016-5285 and CVE-2016-8635
  • MTD: all CVEs
  • MC: all CVEs
  • PacketShaper S-Series: CVE-2016-5285 and CVE-2016-8635
  • PolicyCenter S-Series: CVE-2016-5285 and CVE-2016-8635
  • Reporter (10.1 only): all CVEs
  • Security Analytics (7.2 and 7.3 only): all CVEs
  • SSLV (4.0 only): all CVEs

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is available in 6.6.5.8.

Content Analysis System
CAS 1.3 - a fix is available in 1.3.7.5.

Director
Director 6.1 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.9 - a fix is available in 1.9.1.1.
MC 1.8 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
MC 1.7 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

PacketShaper S-Series
PS S-Series 11.7 - a fix is available in 11.7.2.1.
PS S-Series 11.6 - a fix is available in 11.6.3.1.
PS S-Series 11.5 - a fix is not available at this time.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is available in 1.1.3.1.

Reporter
Reporter 10.1 - a fix for all CVEs is available in 10.1.5.4.

Security Analytics
Security Analytics 7.3 - a fix is not available at this time.
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.
Security Analytics 6.6 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

SSL Visibility
SSLV 4.0 - a fix is available in 4.0.2.1.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-06-22 Security Analytics 7.3 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack.
2017-06-22 A fix for all CVEs in Reporter 10.1 is available in 10.1.5.4.
2017-06-05 PS S-Series 11.8 is not vulnerable.
2017-05-29 A fix for Security Analytics 6.6 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-05-26 A fix for CAS 1.3 is available in 1.3.7.5.
2017-05-19 A fix for ASG 6.6 is available in 6.6.5.8.
2017-05-18 CAS 2.1 is not vulnerable.
2017-05-10 A fix for PacketShaper S-Series 11.7 is available in 11.7.2.1.
2017-03-30 A fix for SSLV 4.0 is available in 4.0.2.1.  MC 1.9 is not vulnerable because a fix is available in 1.9.1.1.
2017-03-08 MC 1.8 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack.  A fix will not be provided for MC 1.7.  Please upgrade to a later version with the vulnerability fixes.  A fix for PacketShaper S-Series 11.6 is available in 11.6.3.1.  A fix for PolicyCenter S-Series is available in 1.1.3.1.
2016-12-20 initial public release