SA141 : OpenSSL Vulnerabilities 26-Jan-2017

Click to Subscribe
Security Advisory ID: 
SA141
Published Date: 
Feb 09, 2017
Advisory Status: 
Interim
Advisory Severity: 
Medium
CVSS v2 base score: TBD
CVE Number: 
CVE-2017-3730
CVE-2017-3731
CVE-2017-3732

Symantec Network Protection products using affected versions of OpenSSL are susceptible to several vulnerabilities.  A remote attacker can exploit these vulnerabilities to cause denial of service and obtain private key information.

CVSS v2 base scores will be provided when the National Vulnerability Database (NVD) scoring is complete.  The advisory severity may be adjusted once the CVSS v2 base scores become available.

Affected Products:

The following products are vulnerable:

CacheFlow
CacheFlow 3.4 prior to 3.4.2.8 is vulnerable to CVE-2017-3731.  All SSL interfaces are affected.

Director
Director 6.1.22.1 is vulnerable to CVE-2017-3731.  All SSL interfaces are affected.  Director 6.1 releases prior to 6.1.22.1 are not vulnerable.

IntelligenceCenter
IntelligenceCenter 3.3 is vulnerable to CVE-2017-3731.  All SSL interfaces are affected.

Malware Analysis
MA 4.2 is vulnerable to CVE-2017-3732.  All SSL interfaces are affected.

PacketShaper
PacketShaper 9.2 is vulnerable to CVE-2017-3731.  All SSL interfaces are affected.

PolicyCenter
PolicyCenter 9.2 is vulnerable to CVE-2017-3731.  All SSL interfaces are affected.

ProxyAV
ProxyAV 3.5 is vulnerable to CVE-2017-3731.  All SSL interfaces are affected.

ProxySG
ProxySG 6.5, 6.6 prior to 6.6.5.8, and 6.7 prior to 6.7.1.2 are vulnerable to CVE-2017-3731.  All SSL interfaces are affected.

SSL Visibility
SSLV 3.9, 3.10, and 3.11 prior to 3.11.3.1 are vulnerable to CVE-2017-3732.  All SSL interfaces are affected.  SSL 3.8.4FC is not vulnerable.  SSLV 4.0 prior to 4.0.2.1 has a vulnerable version of OpenSSL, but is not affected by known vectors of attack.

Unified Agent
UA 4.6 and 4.7 are vulnerable to CVE-2017-3732.  All SSL interfaces are affected.  UA 4.1 and 4.8 are not vulnerable.

The following products contain a vulnerable version of OpenSSL, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 has a vulnerable version of OpenSSL.

Android Mobile Agent
Android Mobile Agent 1.3 prior to 1.3.8 has a vulnerable version of OpenSSL.

Content Analysis
CA 1.3 and 2.1 have a vulnerable version of OpenSSL.

Mail Threat Defense
MTD 1.1 has a vulnerable version of OpenSSL.

Management Center
MC 1.8 and 1.9 have a vulnerable version of OpenSSL.

Norman Shark Industrial Control System Protection
ICSP 5.3 has a vulnerable version of OpenSSL.

Norman Shark Network Protection
NNP 5.3 has a vulnerable version of OpenSSL.

Norman Shark SCADA Protection
NSP 5.3 has a vulnerable version of OpenSSL.

PacketShaper S-Series
PS S-Series 11.5, 11.6, and 11.7 have a vulnerable version of OpenSSL.

PolicyCenter S-Series
PC S-Series 1.1 has a vulnerable version of OpenSSL.

Reporter
Reporter 9.5 and 10.1 have a vulnerable version of OpenSSL.  Reporter 9.4 is not vulnerable.

Security Analytics
Security Analytics 6.6, 7.1, and 7.2 have a vulnerable version of OpenSSL.

X-Series XOS
XOS 9.7, 10.0, and 11.0 have a vulnerable version of OpenSSL.

The following products are not vulnerable:
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
Client Connector

Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
K9
ProxyClient
ProxyAV ConLog and ConLogXP

Symantec no longer provides vulnerability information for the following products:

DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses multiple vulnerabilities announced in OpenSSL Security Advisory [26 Jan 2017].  Symantec Network Protection products that include a vulnerable version of OpenSSL and make use of the affected functionality are vulnerable.

  • CVE-2017-3730 is a NULL pointer dereference flaw in the SSL client implementation.  A remote attacker can send crafted DHE or ECDHE key exchange parameters to an SSL client and cause an application crash, resulting in denial of service.
  • CVE-2017-3731 is an out-of-bounds read flaw in the SSL client and server implementations on 32-bit platforms.  A remote attacker can send crafted packets and cause an application crash, resulting in denial of service.
  • CVE-2017-3732 is a flaw in the 64-bit Montgomery squaring implementation used in the RSA, DSA, and DHE algorithms. A remote attacker can exploit the vulnerability to obtain private key information.

Symantec Network Protection products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs.  However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Symantec urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not enable or use all functionality within OpenSSL. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them.  However, fixes for these CVEs will be included in the patches that are provided.

  • Android Mobile Agent: CVE-2017-3731
  • ASG: CVE-2017-3731
  • CA: CVE-2017-3731
  • Director 6.1.22.1: CVE-2017-3732
  • MTD: CVE-2017-3731
  • MA: CVE-2017-3731
  • MC: CVE-2017-3731
  • ICSP: CVE-2017-3731
  • NNP: CVE-2017-3731
  • NSP: CVE-2017-3731
  • PacketShaper S-Series: CVE-2017-3731
  • PolicyCenter S-Series: CVE-2017-3731
  • Reporter 9.5 and 10.1: CVE-2017-3731
  • Security Analytics: CVE-2017-3731
  • SSLV: CVE-2017-3731
  • Unified Agent: CVE-2017-3731
Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Android Mobile Agent
Android Mobile Agent 1.3 - a fix is available in 1.3.8.

CacheFlow
CacheFlow 3.4 - a fix is available in 3.4.2.8.

Content Analysis
CA 2.1 - a fix is not available at this time.
CA 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is available in 6.1.23.1.

IntelligenceCenter
IntelligenceCenter 3.3 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Malware Analysis
MA 4.2 - a fix is not available at this time.

Management Center
MC 1.9 - a fix is not available at this time.
MC 1.8 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is not available at this time.

Norman Shark Network Protection
NNP 5.3 - a fix is not available at this time.

Norman Shark SCADA Protection
NSP 5.3 - a fix is not available at this time.

PacketShaper
PacketShaper 9.2 - a fix is not available at this time.

PacketShaper S-Series
PS S-Series 11.7 - a fix is not available at this time.
PS S-Series 11.6 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.
PS S-Series 11.5 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.

PolicyCenter
PolicyCenter 9.2 - a fix is not available at this time.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is not available at this time.

ProxyAV
ProxyAV 3.5 - a fix is not available at this time.

ProxySG
ProxySG 6.6 - a fix is available in 6.6.5.8.
ProxySG 6.5 - a fix is not available at this time.

Reporter
Reporter 10.1 - a fix is not available at this time.
Reporter 9.5 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.

Security Analytics
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.
Security Analytics 6.6 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.

SSL Visibility
SSLV 4.0 - a fix is available in 4.0.2.1.
SSLV 3.11 - a fix is available in 3.11.3.1.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.

Unified Agent
UA 4.8 - a fix iavailable in 4.8.0.
UA 4.7 - a fix is not available at this time.
UA 4.6 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.
XOS 9.7 - a fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.

Advisory History: 

2017-05-22 UA 4.8 is not vulnerable because a fix is available in 4.8.0.
2017-05-19 A fix for ProxySG 6.6 is available in 6.6.5.8.
2017-05-18 CAS 2.1 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-29 A fix for CacheFlow 3.4 is available in 3.4.2.8.
2017-04-19 A fix for ProxySG 6.7 is available in 6.7.1.2.
2017-04-11 A fix for SSLV 3.11 is available in 3.11.3.1.
2017-03-30 A fix for SSLV 4.0 is available in 4.0.2.1.  MC 1.9 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-03-08 ProxySG 6.7 is vulnerable to CVE-2017-3731.  SSLV 4.0 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-02-09 initial public release