SA154: Apache httpd Vulnerabilities June 2017

Click to Subscribe
Security Advisory ID: 
SA154
Published Date: 
Jul 20, 2017
Advisory Status: 
Interim
Advisory Severity: 
High
CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE Number: 
CVE-2017-3167 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-3169 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-7659 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2017-7668 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-7679 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Symantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities.  A remote attacker, with access to the management interface, can cause denial of service through application crashes or bypass required authentication.

Affected Products:

The following products are vulnerable:

Director
Director 6.1 is vulnerable to CVE-2017-3167, CVE-2017-3169, and CVE-2017-7679.

Malware Analysis
MA 4.2 is vulnerable to CVE-2017-3167, CVE-2017-3169, CVE-2017-7668, and CVE-2017-7679.

Security Analytics
Security Analytics 7.1, 7.2, and 7.3 are vulnerable to CVE-2017-3167, CVE-2017-3169, and CVE-2017-7679.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA

Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis
General Auth Connector Login Application
K9
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series

ProxyAV
ProxyAV ConLog and ConLogXP

ProxyClient
ProxySG
Reporter
SSL Visibility

Unified Agent
X-Series XOS

The following products are under investigation:
IntelligenceCenter
IntelligenceCenter Data Collector

Advisory Details: 

This Security Advisory addresses multiple Apache httpd security vulnerabilities announced in June 2017.  Symantec Network Protection products that include a vulnerable version of Apache httpd and make use of the affected functionality are vulnerable.

  • CVE-2017-3167 is a flaw in third-party Apache httpd modules that allows a remote attacker to bypass required authentication.
  • CVE-2017-3169 is a flaw in third-party Apache httpd modules that allows a remote attacker to send HTTP requests to an HTTPS port and cause denial of service through application crashes.
  • CVE-2017-7659 is a flaw in HTTP/2 request parsing that allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through application crashes.
  • CVE-2017-7668 is a buffer overread flaw in HTTP request parsing that allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes or have unspecified other impact.
  • CVE-2017-7679 is a buffer overread flaw in HTTP response generation that allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes.
Workarounds: 

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products.  Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

By default, Director and MA do not use HTTP Basic Access Authentication in Apache httpd.  Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-3167.

Patches: 

Director
Director 6.1 - a fix is not available at this time.

Malware Analysis
MA 4.2 - a fix is not available at this time.

Security Analytics
Security Analytics 7.3 - a fix is not available at this time.
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.

Advisory History: 

2017-08-30 Added remaining CVSS v2 scores.
2017-07-20 initial public release