SA148: Linux Kernel Vulnerabilities Feb-Apr 2017

Security Advisory ID: 
SA148
Published Date: 
May 09, 2017
Advisory Status: 
Interim
Advisory Severity: 
High
CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE Number: 
CVE-2016-10229 - 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2017-5897 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-5970 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2017-5972 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2017-6214 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2017-7645 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Symantec Network Protection products that include a vulnerable version of the Linux kernel are susceptible to multiple vulnerabilities.  A remote attacker, with access to the management interface, can exploit these vulnerabilities to execute arbitrary code.  The attacker can also cause denial of service through system crashes and excessive CPU consumption.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway
ASG 6.6 is vulnerable to CVE-2016-10229, CVE-2017-5970, and CVE-2017-6214.

Content Analysis
CA 1.3 and 2.1 are vulnerable to CVE-2016-10229, CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214.  CA 2.1 is also vulnerable to CVE-2017-5897.

Director
Director 6.1 is vulnerable to CVE-2017-7645.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-10229, CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214.

Malware Analysis
MA 4.2 is vulnerable to all CVEs.

Management Center
MC 1.9 is vulnerable to CVE-2016-10229, CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214.

Norman Shark Industrial Control System Protection
ICSP 5.3 is vulnerable to CVE-2017-5897, CVE-2017-5970, CVE-2017-5972, CVE-2017-6214, and CVE-2017-7645.

PacketShaper S-Series
PS S-Series 11.5, 11.6, and 11.7 are vulnerable to CVE-2017-5972 and CVE-2017-6214.

PolicyCenter S-Series
PC S-Series 1.1 is vulnerable to CVE-2017-5972 and CVE-2017-6214.

Reporter
Reporter 10.1 is vulnerable to CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214.  Reporter 9.4 and 9.5 are not vulnerable.

Security Analytics
Security Analytics 7.1 and 7.2 are vulnerable to CVE-2016-10229, CVE-2017-5897, CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214.

SSL Visibility
SSLV 3.8.4FC, 3.9, 3.10, and 3.11 are vulnerable to CVE-2016-10229, CVE-2017-5897, CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214.  SSLV 4.0 is vulnerable to CVE-2016-10229, CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2017-5972, CVE-2017-6214, and CVE-2017-7645.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent

Advisory Details: 

This Security Advisory addresses multiple vulnerabilities in the Linux kernel.  Symantec Network Protection products, which include vulnerable versions of the Linux kernel and use the affected functionality, are vulnerable.

  • CVE-2016-10229 is a flaw in UDP packet handling during execution of a recv system call with the MSG_PEEK flag.  A remote attacker can send crafted UDP packets to corrupt kernel memory and execute arbitrary code, or to crash the system, resulting in denial of service.
  • CVE-2017-5897 is a flaw in the IPv6 GRE implementation that allows a remote attacker to have unspecified impact via vectors related to GRE flags.
  • CVE-2017-5970 is a flaw in IP option handling that allows a remote attacker to send crafted IP packets and cause a system crash, resulting in denial of service.
  • CVE-2017-5972 is a flaw in the TCP implementation that allows remote attackers to send TCP SYN packets and cause excessive CPU consumption, resulting in denial of service.
  • CVE-2017-6214 is a flaw in TCP packet handling that allows a remote attacker to send crafted TCP packets and trap a kernel thread in an infinite loop, resulting in denial of service.
  • CVE-2017-7645 is a flaw in the NFSv2/NFSv3 implementation that allows a remote attacker to send crafted RPC responses and cause a system crash, resulting in denial of service.

Symantec Network Protection products that use a native installation of the Linux kernel but do not install or maintain the kernel are not vulnerable to the attacks using the CVEs in this Security Advisory.  However, the underlying platform that installs and maintains the Linux kernel may be vulnerable.  Symantec urges our customers to update the versions of the Linux kernel that are natively installed for Client Connector, Cloud Data Protection, ProxyClient, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not use the UDP, IPv6 GRE, TCP, or NFS functionality affected by these CVEs.  The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2017-5897, CVE-2017-5972 and CVE-2017-7645
  • CA: CVE-2017-5897 (1.3 only) and CVE-2017-7645
  • MTD: CVE-2017-5897 and CVE-2017-7645
  • MC: CVE-2017-5897 and CVE-2017-7645
  • PacketShaper S-Series: CVE-2017-7645
  • PolicyCenter S-Series: CVE-2017-7645
  • Reporter 10.1: CVE-2016-10229, CVE-2017-5897, and CVE-2017-7645
  • Security Analytics: CVE-2017-7645
  • SSLV 4.0: CVE-2017-5897 and CVE-2017-7645
Workarounds: 

These vulnerabilities can be exploited only through the management interfaces for Director, MA, MC, ICSP, PS S-Series, PC S-Series, Reporter, Security Analytics, and SSLV.  Allowing only machines, IP addresses, and subnets from a trusted network to access the management interface reduces the risk that these vulnerabilities are exploited.

By default, ICSP does not use NFS.  Customers who leave this default behavior unchanged prevent attacks against these products using CVE-2017-7645.
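The two workarounds above, restricting management-interface access to trusted networks and confirming that no NFS server is exposed, as an added shell example that is not part of this advisory or of any Symantec product.  It assumes a generic Linux host on which you control the firewall with nftables (the appliances listed above have their own management ACLs, which should be used instead); the interface name eth1, the management ports 22 and 443, and the trusted networks 10.0.5.0/24 and 192.168.100.10 are illustrative assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the advisory): default-drop management-interface ACL
# and an NFS exposure check for a generic Linux host.  All names/addresses
# below are assumptions for illustration.

MGMT_IF="${MGMT_IF:-eth1}"                                    # assumed management interface
MGMT_TCP_PORTS="${MGMT_TCP_PORTS:-22, 443}"                   # assumed SSH and HTTPS management ports
TRUSTED_NETS="${TRUSTED_NETS:-10.0.5.0/24, 192.168.100.10}"   # assumed admin subnets/hosts

# Emit an nftables ruleset: traffic arriving on the management interface is
# handed to the "mgmt" chain, which admits replies to the host's own
# connections and trusted sources talking to the management ports, then
# logs and drops everything else.  The chain is declared before it is
# referenced so the ruleset loads in a single pass.  IPv6 sources never
# match the IPv4 set, so untrusted IPv6 (including the GRE case) is dropped too.
mgmt_ruleset() {
    cat <<EOF
table inet mgmt_acl {
    set trusted {
        type ipv4_addr
        flags interval
        elements = { ${TRUSTED_NETS} }
    }
    chain mgmt {
        ct state established,related accept
        ip saddr @trusted tcp dport { ${MGMT_TCP_PORTS} } accept
        log prefix "mgmt-drop: " drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "${MGMT_IF}" jump mgmt
    }
}
EOF
}

# Dry-run the ruleset through nft (-c checks syntax without loading anything).
# Skipped silently on hosts without nftables.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        mgmt_ruleset | nft -c -f - || echo "ruleset rejected by nft" >&2
    else
        echo "nft not installed; ruleset not syntax-checked" >&2
    fi
}

# Return 0 when a TCP listener is bound to port 2049 (NFS) on v4 or v6.
# /proc/net/tcp columns: sl local_address rem_address st ...; the local
# address is hexIP:hexPort, 0801 is 2049, and state 0A is LISTEN.
nfs_server_listening() {
    for f in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$f" ] && awk 'NR>1 && $2 ~ /:0801$/ && $4 == "0A" { found=1 } END { exit !found }' "$f" && return 0
    done
    return 1
}

# Human-readable verdict; "exposed" means the NFS DoS (CVE-2017-7645) is
# reachable from whoever can talk to this host.
nfs_exposure() {
    if nfs_server_listening; then echo exposed; else echo not-listening; fi
}

# Stand-alone run: show the ruleset, syntax-check it, and report NFS status.
mgmt_ruleset
check_ruleset
echo "NFS server on this host: $(nfs_exposure)" >&2
```

Load the generated ruleset with `nft -f` only after confirming your own admin address is inside `trusted`; the `established,related` rule keeps the session you are working from alive, but a later ruleset reload from a non-trusted address will lock you out.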

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Content Analysis
CA 2.1 - a fix is not available at this time.
CA 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Malware Analysis
MA 4.2 - a fix is not available at this time.

Management Center
MC 1.9 - a fix is not available at this time.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is not available at this time.

PacketShaper S-Series
PS S-Series 11.7 - a fix is not available at this time.
PS S-Series 11.6 - a fix is not available at this time.
PS S-Series 11.5 - a fix is not available at this time.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is not available at this time.

Reporter
Reporter 10.1 - a fix is not available at this time.

Security Analytics
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.

SSL Visibility
SSLV 4.0 - a fix is not available at this time.
SSLV 3.11 - a fix is not available at this time.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix is not available at this time.
SSLV 3.8.4FC - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-05-19 CA 2.1 is vulnerable to CVE-2016-10229, CVE-2017-5897, CVE-2017-5970, CVE-2017-5972, and CVE-2017-6214.
2017-05-09 initial public release