SA144 : OpenSSH Vulnerabilities January 2017

Security Advisory ID: SA144
Published Date: Mar 02, 2017
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE Numbers:
CVE-2016-10009 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-10010 - 6.9 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVE-2016-10011 - 2.1 (LOW) (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVE-2016-10012 - 7.2 (HIGH) (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Blue Coat products using affected versions of OpenSSH are susceptible to several vulnerabilities.  A remote attacker who controls an SSH server to which a client forwards its ssh-agent can exploit these vulnerabilities to execute arbitrary code on the SSH client host.  A local attacker can also exploit these vulnerabilities to obtain private key information and escalate their privileges on the system.

Affected Products:

The following products are vulnerable:

Director
Director 6.1 is vulnerable to all CVEs.

Malware Analysis Appliance
MAA 4.2 is vulnerable to CVE-2016-10009 and CVE-2016-10012.  CVE-2016-10011 is under investigation.

Norman Shark Industrial Control System Protection
ICSP 5.3 is vulnerable to CVE-2016-10009 and CVE-2016-10012.  CVE-2016-10011 is under investigation.

Norman Shark Network Protection
NNP 5.3 is vulnerable to CVE-2016-10009 and CVE-2016-10012.  CVE-2016-10011 is under investigation.

Norman Shark SCADA Protection
NSP 5.3 is vulnerable to CVE-2016-10009 and CVE-2016-10012.  CVE-2016-10011 is under investigation.

Security Analytics
Security Analytics 6.6, 7.1, and 7.2 prior to 7.2.3 are vulnerable to CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012.

The following products have a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 has a vulnerable version of OpenSSH.

Content Analysis System
CAS 1.3 and 2.1 have a vulnerable version of OpenSSH.

Mail Threat Defense
MTD 1.1 has a vulnerable version of OpenSSH.

Management Center
MC 1.8 and 1.9 have a vulnerable version of OpenSSH.

PacketShaper S-Series
PS S-Series 11.5, 11.6, and 11.7 have a vulnerable version of OpenSSH.

PolicyCenter S-Series
PC S-Series 1.1 has a vulnerable version of OpenSSH.

SSL Visibility
SSLV 3.8.4FC, 3.9, 3.10, 3.11, and 4.0 have a vulnerable version of OpenSSH.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Unified Agent


The following products are under investigation:
Reporter

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support for vulnerability information regarding DLP.

Advisory Details: 

This Security Advisory addresses several OpenSSH vulnerabilities announced in January 2017.  Blue Coat products that include a vulnerable version of OpenSSH and make use of the affected functionality are vulnerable.

  • CVE-2016-10009 is an untrusted search path flaw in ssh-agent.  An attacker who controls an SSH server to which a client has forwarded its agent, and who can place a file on the client host, can make the client host's ssh-agent load an attacker-supplied PKCS#11 module (a shared library) and thereby execute arbitrary code on the client host.  Only clients that run ssh-agent with agent forwarding enabled are exposed.
  • CVE-2016-10010 is a flaw in the SSH daemon when privilege separation is disabled: forwarded Unix-domain sockets are created as root.  A local attacker can exploit this vulnerability using unspecified vectors to escalate their privileges on the system.
  • CVE-2016-10011 is a flaw in the SSH daemon when privilege separation is enabled.  A local attacker with access to a privilege-separated child process can exploit this vulnerability to obtain private key information.
  • CVE-2016-10012 is a flaw in the SSH daemon's pre-authentication compression implementation (the shared-memory manager used by the privilege-separated child).  A local attacker with access to a sandboxed privilege-separated child process can exploit this vulnerability to escalate their privileges on the system.  It applies only when both privilege separation and pre-authentication compression are in use.

Blue Coat products do not enable or use all functionality within OpenSSH.  The products listed below do not use the functionality exercised by the CVEs listed beside them and are thus not known to be vulnerable to those CVEs.  Fixes for these CVEs will nonetheless be included in the patches that are provided.

  • ASG: CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012
  • CAS: CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012
  • MTD: CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012
  • MC: CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012
  • PacketShaper S-Series: CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012
  • PolicyCenter S-Series: CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012
  • SSLV: all CVEs
  • XOS 9.7: CVE-2016-10010
Workarounds: 

By default, Director does not enable privilege separation or pre-authentication compression.  Customers who leave this default behavior unchanged prevent attacks against Director using CVE-2016-10012, which requires pre-authentication compression, and CVE-2016-10011, which requires a privilege-separated child process.  CVE-2016-10010, however, applies precisely when privilege separation is disabled, so this default does not prevent it; no single privilege-separation setting avoids both CVE-2016-10010 and CVE-2016-10011 on an unpatched sshd, which is why Director 6.1 is listed above as vulnerable to all CVEs.

By default, MAA, ICSP, NNP, and NSP do not use ssh-agent and do not enable SSH agent forwarding or pre-authentication compression.  Customers who leave this default behavior unchanged prevent attacks against these products using CVE-2016-10009 and CVE-2016-10012.

By default, Security Analytics does not use ssh-agent and does not enable SSH agent forwarding or pre-authentication compression.  Customers who leave this default behavior unchanged prevent attacks against this product using CVE-2016-10009 and CVE-2016-10012.
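The following shell script is an added example and is not part of this advisory or of any Blue Coat product tooling.  It audits an sshd_config and an ssh_config for the conditions the CVE descriptions above and the workaround paragraphs name (privilege separation, pre-authentication compression, ssh-agent with agent forwarding), and recognises an OpenSSH release before 7.4, the first release carrying fixes for all four CVEs, from an "ssh -V" banner.  The function names are the example's own, the sample configuration files are constructed inline, and the defaults assumed for unset keywords (UsePrivilegeSeparation sandbox, Compression delayed, ForwardAgent no) are taken from the OpenSSH manual pages for pre-7.4 releases rather than from this page.  Match and Host blocks are not interpreted.

```sh
#!/bin/sh
# Added example: audit OpenSSH configuration for the conditions SA144's four CVEs
# depend on. Not Blue Coat code; function names and sample files are this example's own.
#
# Conditions, as described in the advisory:
#   CVE-2016-10009  client host runs ssh-agent AND ForwardAgent yes
#   CVE-2016-10010  sshd with UsePrivilegeSeparation no
#   CVE-2016-10011  sshd with privilege separation enabled (yes or sandbox)
#   CVE-2016-10012  sshd with privilege separation enabled AND pre-auth compression
#                   ("Compression yes"; "delayed" compresses only after authentication)
# Assumed defaults for unset keywords (OpenSSH manual pages, pre-7.4 releases):
#   UsePrivilegeSeparation sandbox, Compression delayed, ForwardAgent no.

# Print the effective value of KEY in sshd_config FILE, lowercased, or DEFAULT if unset.
# sshd honours the first occurrence of a keyword; "Key value" and "Key=value" both parse.
# Simplification: conditional Match blocks are not interpreted; scanning stops at the first.
effective_setting() {   # $1 = file, $2 = keyword, $3 = default
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == tolower(key)) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# Print, space-separated, the server-side CVEs an unpatched (pre-7.4) sshd using config
# FILE is exposed to. Exactly one of 10010/10011 always applies: disabling privilege
# separation trades 10011 for 10010, so only patching removes both.
sshd_exposure() {   # $1 = sshd_config
    privsep=$(effective_setting "$1" UsePrivilegeSeparation sandbox)
    comp=$(effective_setting "$1" Compression delayed)
    if [ "$privsep" = no ]; then
        echo "CVE-2016-10010"
    elif [ "$comp" = yes ]; then
        echo "CVE-2016-10011 CVE-2016-10012"
    else
        echo "CVE-2016-10011"
    fi
}

# Print the client-side CVE a host is exposed to, or "none". $2 says whether the host
# actually runs ssh-agent ("agent"/"noagent"); on the host itself a caller can derive it
# from [ -n "$SSH_AUTH_SOCK" ]. Any "ForwardAgent yes" counts, whichever Host stanza it
# sits under, which errs on the side of reporting exposure.
client_exposure() {   # $1 = ssh_config, $2 = agent|noagent
    if [ "$2" = agent ] && grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]=]+yes([[:space:]]|$)' "$1"; then
        echo "CVE-2016-10009"
    else
        echo "none"
    fi
}

# True (exit 0) when an "ssh -V" banner names an OpenSSH release before 7.4, the first
# release carrying fixes for all four CVEs; exit 2 if the banner is not OpenSSH's.
openssh_before_7_4() {   # $1 = banner such as "OpenSSH_7.3p1, OpenSSL 1.0.2j  26 Sep 2016"
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    set -- $v
    [ "$1" -lt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -lt 4 ]; }
}

# Constructed sample configurations (not taken from any product).
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/sshd_config.default" <<'EOF'
# pre-7.4 defaults left in place: sandbox privsep, delayed compression
Port 22
#UsePrivilegeSeparation sandbox
Subsystem sftp /usr/libexec/sftp-server
EOF
cat > "$tmpdir/sshd_config.noprivsep" <<'EOF'
UsePrivilegeSeparation no
Compression no
EOF
cat > "$tmpdir/sshd_config.preauth" <<'EOF'
compression yes
UsePrivilegeSeparation=sandbox
EOF
cat > "$tmpdir/ssh_config.fwd" <<'EOF'
Host *
    ForwardAgent yes
EOF

for f in default noprivsep preauth; do
    printf 'sshd_config.%-10s -> %s\n' "$f" "$(sshd_exposure "$tmpdir/sshd_config.$f")"
done
printf 'ssh_config.fwd (agent)   -> %s\n' "$(client_exposure "$tmpdir/ssh_config.fwd" agent)"
printf 'ssh_config.fwd (noagent) -> %s\n' "$(client_exposure "$tmpdir/ssh_config.fwd" noagent)"
```

Run it on a real appliance or host by pointing sshd_exposure at /etc/ssh/sshd_config and client_exposure at /etc/ssh/ssh_config (or ~/.ssh/config), and feed openssh_before_7_4 the first line of "ssh -V 2>&1".  The server-side result always names at least one CVE for an unpatched sshd, which is the practical reading of the workaround paragraphs: configuration defaults narrow exposure but do not replace the patch.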

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Content Analysis System
CAS 2.1 - a fix is not available at this time.
CAS 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Malware Analysis Appliance
MAA 4.2 - a fix is not available at this time.

Management Center
MC 1.9 - a fix is not available at this time.
MC 1.8 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is not available at this time.

Norman Shark Network Protection
NNP 5.3 - a fix is not available at this time.

Norman Shark SCADA Protection
NSP 5.3 - a fix is not available at this time.

PacketShaper S-Series
PS S-Series 11.7 - a fix is not available at this time.
PS S-Series 11.6 - a fix is not available at this time.
PS S-Series 11.5 - a fix is not available at this time.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is not available at this time.

Security Analytics
Security Analytics 7.2 - a fix is available in 7.2.3.
Security Analytics 7.1 - a fix is not available at this time.
Security Analytics 6.6 - a fix is not available at this time.

SSL Visibility
SSLV 4.0 - a fix is not available at this time.
SSLV 3.11 - a fix is not available at this time.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix is not available at this time.
SSLV 3.8.4FC - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-05-19 CAS 2.1 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack.
2017-05-03 Director 6.1 is vulnerable to all CVEs.
2017-03-30 MC 1.9 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack.
2017-03-02 initial public release