Symantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities. A remote attacker, with access to the management interface, can cause denial of service through application crashes or bypass required authentication.
The following products are vulnerable:
Director 6.1 is vulnerable to CVE-2017-3167, CVE-2017-3169, and CVE-2017-7679.
MA 4.2 is vulnerable to CVE-2017-3167, CVE-2017-3169, CVE-2017-7668, and CVE-2017-7679.
Security Analytics 7.1, 7.2, and 7.3 are vulnerable to CVE-2017-3167, CVE-2017-3169, and CVE-2017-7679.
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
Blue Coat HSM Agent for the Luna SP
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
Mail Threat Defense
Norman Shark Industrial Control System Protection
ProxyAV ConLog and ConLogXP
The following products are under investigation:
IntelligenceCenter Data Collector
This Security Advisory addresses multiple Apache httpd security vulnerabilities announced in June 2017. Symantec Network Protection products that include a vulnerable version of Apache httpd and make use of the affected functionality are vulnerable.
- CVE-2017-3167 is a flaw in third-party Apache httpd modules that allows a remote attacker to bypass required authentication.
- CVE-2017-3169 is a flaw in third-party Apache httpd modules that allows a remote attacker to send HTTP requests to an HTTPS port and cause denial of service through application crashes.
- CVE-2017-7659 is a flaw in HTTP/2 request parsing that allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through application crashes.
- CVE-2017-7668 is a buffer overread flaw in HTTP request parsing that allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes or have unspecified other impact.
- CVE-2017-7679 is a buffer overread flaw in HTTP response generation that allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes.
These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.
By default, Director and MA do not use HTTP Basic Access Authentication in Apache httpd. Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-3167.
Director 6.1 - a fix is not available at this time.
MA 4.2 - a fix is not available at this time.
Security Analytics 7.3 - a fix is not available at this time.
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.
Apache httpd 2.2 vulnerabilities - https://httpd.apache.org/security/vulnerabilities_22.html
Apache httpd 2.4 vulnerabilities - https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2017-3167 - https://nvd.nist.gov/vuln/detail/CVE-2017-3167
CVE-2017-3169 - https://nvd.nist.gov/vuln/detail/CVE-2017-3169
CVE-2017-7659 - https://access.redhat.com/security/cve/cve-2017-7659
CVE-2017-7668 - https://nvd.nist.gov/vuln/detail/CVE-2017-7668
CVE-2017-7679 - https://nvd.nist.gov/vuln/detail/CVE-2017-7679
2017-08-30 Added remaining CVSS v2 scores.
2017-07-20 initial public release