SA50 : Multiple SSL/TLS vulnerabilities in Reporter

1214

03 March 2020

21 December 2010

CLOSED

HIGH

CVSS v2: 8.3

SUMMARY

Reporter uses a version of OpenSSL that has several publicly documented vulnerabilities. The most severe vulnerability allows an attacker to gain complete control over a Reporter installation.

AFFECTED PRODUCTS

All versions of Reporter prior to 9.2.4.1 are vulnerable.

Reporter 9.2 - a fix is available in 9.2.4.1.
Reporter 9.1 - please upgrade to a later version.
Reporter 8.3 - please upgrade to a later version.

ISSUES

Reporter 9.2.3.1 and 9.1.5.1 use OpenSSL version 0.9.8j.  Reporter 8.3.7.1 uses OpenSSL version 0.9.8e.  Each version of OpenSSL has several publicly documented vulnerabilities.

The most severe vulnerability allows an attacker to gain complete control over a Reporter installation.  The attacker can view and modify configuration data as well as data sent to and from Reporter.  An attacker can also render Reporter completely unresponsive for administrative control as well as data transmission.

When Reporter is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack.  The CVSS base scores included in this advisory are based on this deployment scenario.

CVE-2010-0742 - CVSS base score: 5.8 (AV:A/AC:L/Au:N/C:P/I:P/A:P)
CVE-2010-0740 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2010-0433 - CVSS base score: 2.9 (AV:A/AC:M/Au:N/C:N/I:N/A:P)
CVE-2009-3245 - CVSS base score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)
CVE-2009-4355 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2009-1378 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2009-1377 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2009-1379 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2009-3555 - CVSS base score: 4.3 (AV:A/AC:M/Au:N/C:N/I:P/A:P)
CVE-2009-0789 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2009-0591 - CVSS base score: 1.8 (AV:A/AC:H/Au:N/C:N/I:P/A:N)
CVE-2009-0590 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2008-1678 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)

If Reporter is deployed outside of the firewall, the CVSS base score for all CVEs listed would be higher.  The CVSS base score for this security advisory would be 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

Reporter 9.2.4.1 contains an upgrade to OpenSSL 0.9.8o fixing the CVEs documented in this security advisory.

MITIGATION

Blue Coat recommends that Reporter be deployed behind a firewall. Additional constraints on what IP addresses can be used to connect to Reporter will greatly limit the ability to attack a Reporter installation.

REFERENCES

CVE-2010-0742 - https://nvd.nist.gov/vuln/detail/CVE-2010-0742
CVE-2010-0740 - https://nvd.nist.gov/vuln/detail/CVE-2010-0740
CVE-2010-0433 - https://nvd.nist.gov/vuln/detail/CVE-2010-0433
CVE-2009-3245 - https://nvd.nist.gov/vuln/detail/CVE-2009-3245
CVE-2009-4355 - https://nvd.nist.gov/vuln/detail/CVE-2009-4355
CVE-2009-1378 - https://nvd.nist.gov/vuln/detail/CVE-2009-1378
CVE-2009-1377 - https://nvd.nist.gov/vuln/detail/CVE-2009-1377
CVE-2009-1379 - https://nvd.nist.gov/vuln/detail/CVE-2009-1379
CVE-2009-3555 - https://nvd.nist.gov/vuln/detail/CVE-2009-3555
CVE-2009-0789 - https://nvd.nist.gov/vuln/detail/CVE-2009-0789
CVE-2009-0591 - https://nvd.nist.gov/vuln/detail/CVE-2009-0591
CVE-2009-0590 - https://nvd.nist.gov/vuln/detail/CVE-2009-0590
CVE-2008-1678 - https://nvd.nist.gov/vuln/detail/CVE-2008-1678

REVISION

2012-02-01 Indicated that only versions prior to 9.2.4.1 are vulnerable.
2011-09-06 Version 8.3 will not be fixed.  Marked status as final.
2010-12-21 Initial public release.