SA85 : OpenSSL Security Advisory 06-Aug-2014
SUMMARY
Blue Coat products using affected versions of OpenSSL 0.9.8, 1.0.0, and 1.0.1 are affected by one or more of the nine vulnerabilities listed below. A remote attacker may exploit these vulnerabilities to force a protocol downgrade to TLS 1.0, leak information from the stack, write to freed memory, overrun an internal buffer, or cause a denial of service.
AFFECTED PRODUCTS
The following products are vulnerable to one or more of these vulnerabilities:
BCAAA
BCAAA 5.5 and 6.1 may be vulnerable to all CVEs when configured for CoreID or Novell SSO authentication.
CacheFlow
CacheFlow 2.x and 3.x prior to 3.4.2.1 are vulnerable to CVE-2014-3508.
Content Analysis System
CAS 1.1 prior to 1.1.5.6 is vulnerable. CAS 1.2 prior to 1.2.3.1 is vulnerable. CAS 1.3 and later releases are not vulnerable.
IntelligenceCenter
IC 3.x is vulnerable to all CVEs.
IntelligenceCenter Data Collector
DC 3.x is vulnerable to all CVEs.
Management Center
Management Center 1.x prior to 1.3.1.1 is vulnerable to CVE-2014-5139, CVE-2014-3509, and CVE-2014-3511. MC 1.4 and later releases are not vulnerable.
Malware Analysis Appliance
All versions of MAA prior to 4.1.4 are vulnerable. MAA 4.2 is not vulnerable.
Malware Analyzer G2
All versions of MAG2 are vulnerable.
Norman Shark Industrial Control System Protection
All versions of ICSP 5.x prior to 5.2.2 are vulnerable.
Norman Shark Network Protection
All versions of NNP 5.x prior to 5.2.2 are vulnerable.
Norman Shark SCADA Protection
All versions of NSP 5.x prior to 5.2.2 are vulnerable.
PacketShaper
All versions of PacketShaper prior to 9.2.10 are vulnerable to CVE-2014-3509.
PolicyCenter
All versions of PolicyCenter prior to 9.2.10 are vulnerable to CVE-2014-3509.
ProxyAV
ProxyAV 3.4 prior to 3.4.2.7 and 3.5 prior to 3.5.2.2 are vulnerable.
ProxySG
All versions of SGOS 5.x and all versions of SGOS 6.x prior to 6.5 are vulnerable to CVE-2014-3508. SGOS 6.5.x prior to 6.5.2.10 and 6.5.5.2 is vulnerable to CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, and CVE-2014-3511. SGOS 6.6 and later releases are not vulnerable.
Reporter
Reporter 9.4 is vulnerable to CVE-2014-3510 and CVE-2014-5139. The Windows version of Reporter 9.4 is vulnerable only to CVE-2014-3510, not to CVE-2014-5139. Reporter 9.5 prior to 9.5.3.1 is vulnerable to all CVEs. Reporter 10.1 and later releases are not vulnerable.
Security Analytics Platform
SA 6.6 prior to 6.6.10, 7.0, and 7.1 prior to 7.1.5 are vulnerable to CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, and CVE-2014-3510. SA 7.2 and later releases are not vulnerable.
SSL Visibility
SSLV 3.5.x, 3.6.x, and 3.7.x (prior to 3.7.4) are vulnerable. SSLV 3.8 and later versions are not vulnerable.
X-Series XOS
XOS 8.5, 9.6 prior to 9.6.10, 9.7 prior to 9.7.6, and 10.0 prior to 10.0.3 include versions of OpenSSL that are vulnerable to CVE-2014-3505, CVE-2014-3506, CVE-2014-3510, and CVE-2014-3508. XOS 10.0 prior to 10.0.3 includes versions of OpenSSL that are also vulnerable to CVE-2014-3507, CVE-2014-3509, and CVE-2014-3511. XOS 11.0 is not vulnerable.
PATCHES
BCAAA
BCAAA 6.1 - a fix will not be provided. CoreID is no longer supported and an updated Novell SDK is not available.
BCAAA 5.5 - a fix will not be provided. CoreID is no longer supported and an updated Novell SDK is not available.
CacheFlow
CacheFlow 3.x - a fix is available in 3.4.2.1.
CacheFlow 2.x - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
Content Analysis System
CAS 1.2 - a fix is available in 1.2.3.1.
CAS 1.1 - a fix is available in 1.1.5.6.
IntelligenceCenter
IC 3.x - a fix will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the fixes.
IntelligenceCenter Data Collector
DC 3.x - a fix will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the fixes.
Malware Analysis Appliance
MAA 4.1.x - a fix is available in 4.1.4.
Malware Analyzer G2
MAG2 4.1 and prior - a fix will not be provided. Please upgrade to the latest MAA 4.x release with the vulnerability fix.
Management Center
MC 1.3 - a fix is available in 1.3.1.1.
MC 1.2 and prior - a fix is not available at this time.
Norman Shark Industrial Control System Protection
ICSP 5.2 - a fix is available in 5.2.2 and 5.3.1.
ICSP 5.1 and earlier - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
Norman Shark Network Protection
NNP 5.2 - a fix is available in 5.2.2 and 5.3.1.
NNP 5.1 and earlier - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
Norman Shark SCADA Protection
NSP 5.2 - a fix is available in 5.2.2 and 5.3.1.
NSP 5.1 and earlier - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
PacketShaper
PacketShaper 9.2 - a fix is available in 9.2.10.
PacketShaper 8.7 - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
PolicyCenter
PolicyCenter 9.2 - a fix is available in 9.2.10.
PolicyCenter 8.7 - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
ProxyAV
ProxyAV 3.5 - a fix is available in 3.5.1.3 and later, and 3.5.2.2 and later.
ProxyAV 3.4 - a fix is available in 3.4.2.7.
ProxySG
SGOS 6.5.x - a fix is available in 6.5.2.10, and in 6.5.5.2 and later versions of 6.5.5.x.
SGOS 6.4.x - a fix will not be provided. Please upgrade to a later version that has the vulnerability fix.
SGOS 6.2.x - a fix is available in 6.2.16.1.
SGOS 5.5.x - a fix will not be provided. Please upgrade to a later version that has the vulnerability fix.
Reporter
Reporter 9.5 - a fix is available in 9.5.3.1.
Reporter 9.4 and earlier - a fix will not be provided. Please upgrade to a later version that has the vulnerability fix.
Security Analytics Platform
SA 7.1 - a fix is available in 7.1.5.
SA 7.0 - a patch RPM to update the version of OpenSSL is available through Blue Coat Support.
SA 6.6 - a fix is available in 6.6.10.
SSL Visibility
SSLV 3.7 - a fix is available in 3.7.4.
X-Series
XOS 10.0 - a fix is available in 10.0.3.
XOS 9.7 - a fix is available in 9.7.6.
XOS 9.6 - a fix is available in 9.6.10.
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable to any of these vulnerabilities:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Director
General Auth Connector Login Application
K9
Mail Threat Defense
OPIC
PacketShaper S-Series
PolicyCenter S-Series
ProxyAV ConLog and ConLogXP
ProxyClient
Unified Agent
Blue Coat no longer provides vulnerability information for the following products:
DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.
ISSUES
Nine vulnerabilities were announced in the OpenSSL Security Advisory of 6 August 2014.
- CVE-2014-3505 is a double-free flaw in the DTLS implementation: an attacker can force a DTLS packet to be freed twice, resulting in a crash.
- CVE-2014-3506 is a flaw in the DTLS implementation that allows an attacker to force OpenSSL to consume large amounts of memory while processing DTLS handshake messages, resulting in slowdowns and/or a crash.
- CVE-2014-3507 is a flaw in the DTLS implementation that allows an attacker to cause memory leaks by sending carefully crafted DTLS packets, resulting in slowdowns and/or a crash.
- CVE-2014-3508 is a flaw in OBJ_obj2txt that can cause pretty printing functions such as X509_name_oneline and X509_name_print_ex to leak information from the stack. An application is affected only if it echoes pretty printing output to the attacker.
- CVE-2014-3509 is a race condition in ssl_parse_serverhello_tlsext: if a multithreaded client connects to a malicious server using a resumed session and the server sends an Elliptic Curve Supported Point Formats extension, the client may write up to 255 bytes to freed memory, resulting in a crash or memory corruption.
- CVE-2014-3510 is a flaw in the DTLS client implementation: a malicious server can cause a DTLS client that uses anonymous (EC)DH ciphersuites to crash with a NULL pointer dereference.
- CVE-2014-3511 is a flaw in the SSL/TLS server implementation that causes the server to negotiate TLS 1.0 instead of a higher protocol version when the ClientHello message is badly fragmented. A man-in-the-middle attacker can fragment the ClientHello to force a downgrade to TLS 1.0 even though both the client and the server support a higher version.
- CVE-2014-3512 is a flaw in the SRP implementation that allows a malicious client or server to send invalid SRP parameters and overrun an internal buffer.
- CVE-2014-5139 allows a malicious server to crash a client with a NULL pointer dereference by specifying an SRP ciphersuite in the ServerHello even though that ciphersuite was not properly negotiated with the client.
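Because Blue Coat products also act as TLS servers, a practitioner may want to confirm that a given build actually refuses the CVE-2014-3511 downgrade rather than rely on version strings alone. The probe below is an added example written for this page; it is not Blue Coat code and not OpenSSL code. It builds a TLS 1.2 ClientHello, splits it across two records the way an on-path attacker would (the first record ends before the client_version field is complete, an assumption about the trigger drawn from the advisory's "badly fragmented" wording), sends it, and reports which version the server answers with. The 5-byte split point, the record-layer version 3.1, the cipher list and all function names are this example's own choices.

```python
"""Probe for the CVE-2014-3511 ClientHello-fragmentation downgrade.

Added example; not Blue Coat's code and not OpenSSL's. Assumption: the
trigger is a first record that ends before the ClientHello's client_version
field (handshake bytes 4..5) is complete, i.e. fewer than 6 bytes of
handshake data. The 5-byte split, record-layer version 3.1 and the cipher
list are this example's own choices.
"""
import socket
import struct

HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
RECORD_VERSION = (3, 1)   # TLS 1.0 in the record header, as many real clients send
CLIENT_VERSION = (3, 3)   # TLS 1.2 in the ClientHello body: what the client wants
CIPHERS = [0x002F, 0x0035, 0x000A, 0xC013, 0xC014]   # constructed, widely supported in 2014


def build_client_hello(client_version=CLIENT_VERSION, rand=b"\x11" * 32):
    """Return one complete ClientHello handshake message (no record header)."""
    body = bytes(client_version) + rand + b"\x00"          # empty session id
    body += struct.pack("!H", 2 * len(CIPHERS))
    body += b"".join(struct.pack("!H", c) for c in CIPHERS)
    body += b"\x01\x00"                                    # null compression only
    body += b"\x00\x00"                                    # empty extensions block
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def record(payload, version=RECORD_VERSION, ctype=HANDSHAKE):
    """Wrap a payload in a TLS record header: type, version, length."""
    return bytes([ctype, *version]) + struct.pack("!H", len(payload)) + payload


def fragment_like_mitm(handshake, first_len=5, version=RECORD_VERSION):
    """Split one handshake message across two records the way an on-path attacker
    would: the first record stops before client_version is complete."""
    if not 1 <= first_len < 6:
        raise ValueError("first fragment must be shorter than 6 bytes")
    return [record(handshake[:first_len], version), record(handshake[first_len:], version)]


def reassemble(records):
    """Strip record headers and concatenate fragments, as the server's record layer does."""
    out = b""
    for r in records:
        length = struct.unpack("!H", r[3:5])[0]
        if r[0] != HANDSHAKE or len(r) != 5 + length:
            raise ValueError("malformed record")
        out += r[5:]
    return out


def interpret_reply(data, offered=CLIENT_VERSION):
    """Classify the server's first record: an alert, a ServerHello version, or nothing usable."""
    if data[:1] == bytes([ALERT]):
        return "alert"
    if len(data) < 11 or data[0] != HANDSHAKE or data[5] != SERVER_HELLO:
        return "no ServerHello"
    negotiated = (data[9], data[10])          # server_version inside the ServerHello
    if negotiated == (3, 1) and offered > (3, 1):
        return "downgraded to TLS 1.0"
    return "negotiated %d.%d" % negotiated


def probe(host, port=443, fragmented=True, timeout=5.0):
    """Send the ClientHello (split or whole) to a live server and classify the reply."""
    hello = build_client_hello()
    records = fragment_like_mitm(hello) if fragmented else [record(hello)]
    with socket.create_connection((host, port), timeout=timeout) as s:
        for r in records:
            s.sendall(r)
        return interpret_reply(s.recv(4096))


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("whole     :", probe(host, port, fragmented=False))
    print("fragmented:", probe(host, port, fragmented=True))
```

Run it both ways against a system you are authorized to test: a server that answers 3.3 to the whole ClientHello but 3.1 to the fragmented one exhibits the downgrade, while one that answers 3.1 both ways simply offers nothing newer than TLS 1.0, and an alert or closed connection on the fragmented run means the server refused the undersized first fragment.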
X-Series XOS 8.5 and later ship with a version of OpenSSL that is vulnerable to the DTLS-related vulnerabilities CVE-2014-3505, CVE-2014-3506, and CVE-2014-3510. The DTLS functionality is not used by the chassis itself, but could be used by other software running on it.
Blue Coat products act as both TLS clients and TLS servers. Blue Coat hosts services such as WebPulse and licensing services to which Blue Coat products connect as clients.
Some Blue Coat products that are installed on client machines or on non-Blue Coat hardware use the version of OpenSSL already installed on that system. Blue Coat urges customers to update the installed version of OpenSSL for Reporter on Linux, Unified Agent on Linux, and ProxyClient.
MITIGATION
The version of OpenSSL in the Linux and ISO versions of Reporter can be updated to a later version of OpenSSL that includes fixes for CVE-2014-3510 and CVE-2014-5139. For assistance, please contact Blue Coat Technical Support.
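For the products that rely on the operating system's OpenSSL (Reporter on Linux, Unified Agent on Linux, ProxyClient), the first check is whether the installed library is at or past the release that carries the fixes. The script below is an added example for this page, not a Blue Coat tool; the fixed releases it compares against (0.9.8zb, 1.0.0n, 1.0.1i) are the ones named in the OpenSSL advisory linked under REFERENCES, and the function names and sample version strings are this example's own.

```python
"""Check whether an installed OpenSSL carries the 06-Aug-2014 fixes.

Added example; not part of the Blue Coat advisory or any Blue Coat tool.
FIXED lists the releases named in the OpenSSL advisory; everything else
(function names, sample strings) is this example's own.
"""
import re
import subprocess

FIXED = {(0, 9, 8): "zb", (1, 0, 0): "n", (1, 0, 1): "i"}
VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """'OpenSSL 1.0.1h 5 Jun 2014' -> ((1, 0, 1), 'h'); None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letter_key(letters):
    # OpenSSL patch letters sort a < ... < y < z < za < zb, so compare length first.
    return (len(letters), letters)


def assess(text):
    """Return (fixed, explanation); fixed is True, False, or None when undecidable."""
    parsed = parse_version(text)
    if parsed is None:
        return None, "could not parse an OpenSSL version from: %r" % text
    branch, letters = parsed
    if branch > (1, 0, 1):
        return True, "%d.%d.%d branch postdates the advisory" % branch
    if branch not in FIXED:
        return None, "%d.%d.%d is not a branch the advisory covers" % branch
    need = FIXED[branch]
    if letter_key(letters) >= letter_key(need):
        return True, "%d.%d.%d%s is at or past %s" % (*branch, letters, need)
    return False, ("%d.%d.%d%s is older than %s; the upstream fix is missing unless "
                   "the distribution backported it" % (*branch, letters, need))


def check_local(openssl="openssl"):
    """Run the installed binary, e.g. the one Reporter on Linux links against."""
    out = subprocess.run([openssl, "version"], capture_output=True,
                         text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for s in ["OpenSSL 1.0.1h 5 Jun 2014", "OpenSSL 1.0.1i 6 Aug 2014",
              "OpenSSL 0.9.8za 5 Jun 2014", "OpenSSL 1.0.1e-fips 11 Feb 2013"]:
        print(s, "->", assess(s))
    print("local:", check_local())
```

A False result is a prompt to look further, not a final verdict: Red Hat and Debian backport security fixes without changing the version letter, so a build reporting 1.0.1e-fips may already contain the fixes. On such systems confirm with the package changelog, for example `rpm -q --changelog openssl | grep CVE-2014-3511`, and treat an empty result as a missing fix.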
REFERENCES
OpenSSL Security Advisory - https://www.openssl.org/news/secadv_20140806.txt
CVE-2014-3505 - https://nvd.nist.gov/vuln/detail/CVE-2014-3505
CVE-2014-3506 - https://nvd.nist.gov/vuln/detail/CVE-2014-3506
CVE-2014-3507 - https://nvd.nist.gov/vuln/detail/CVE-2014-3507
CVE-2014-3508 - https://nvd.nist.gov/vuln/detail/CVE-2014-3508
CVE-2014-3509 - https://nvd.nist.gov/vuln/detail/CVE-2014-3509
CVE-2014-3510 - https://nvd.nist.gov/vuln/detail/CVE-2014-3510
CVE-2014-3511 - https://nvd.nist.gov/vuln/detail/CVE-2014-3511
CVE-2014-3512 - https://nvd.nist.gov/vuln/detail/CVE-2014-3512
CVE-2014-5139 - https://nvd.nist.gov/vuln/detail/CVE-2014-5139
REVISION
2019-08-16 Fixes for IntelligenceCenter and IntelligenceCenter Data Collector will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the fixes. SA status moved to Closed.
2019-01-20 Security Analytics 8.0 is not vulnerable.
2019-01-17 IntelligenceCenter 3.x, IntelligenceCenter Data Collector 3.x, and Reporter 9.5 prior to 9.5.3.1 are vulnerable to all CVEs. A fix will not be provided for Reporter 9.4. Please upgrade to a later version that has the vulnerability fix.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-18 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-05-16 CAS 2.1 is not vulnerable.
2017-03-06 ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable.
2017-02-15 MC 1.8 is not vulnerable. Reporter 9.5 and 10.1 are not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.6 and 1.7 are not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-15 Advanced Secure Gateway is not vulnerable.
2016-08-11 Security Analytics 7.2 is not vulnerable.
2016-07-24 SSLV 3.8, 3.8.2F, 3.8.4FC, and 3.9 are not vulnerable.
2016-07-17 SGOS 6.6 is not vulnerable.
2016-06-16 XOS 11.0 is not vulnerable.
2016-06-07 MAA 4.2 is not vulnerable.
2016-05-26 IntelligenceCenter is not vulnerable.
2016-05-24 PolicyCenter S-Series is not vulnerable.
2016-05-23 Previously it was reported that the CAS fix is available in 1.1.5.5. Further investigation has shown that the CAS 1.1 fix is available in 1.1.5.6 and the CAS 1.2 fix is available in 1.2.3.1. CAS 1.3 is not vulnerable.
2016-05-22 A fix for MAG2 will not be provided. MC 1.4 and 1.5 are not vulnerable.
2016-05-21 General Auth Connector Login Application and K9 are not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-23 Mail Threat Defense is not vulnerable.
2015-12-02 All fixes are available for Security Analytics
2015-10-02 Fix is available for ProxyAV 3.5.1
2015-07-26 Fixes for XOS are available; fixes for CacheFlow are available
2015-03-12 Clarified CVEs that Security Analytics is vulnerable to; fix is available for Security Analytics 6.6; clarified CVE that PacketShaper and PolicyCenter are vulnerable to
2015-03-11 Fix will not be provided for SGOS 6.2 and 5.5
2015-03-04 PacketShaper and PolicyCenter are vulnerable and fixes are available
2015-03-03 ProxyAV ConLog and ConLogXP are not vulnerable; fix available for MC
2015-03-02 PacketShaper S-Series is not vulnerable
2015-02-24 Reporter is vulnerable
2015-02-20 Fixes are available for Norman Shark products; Auth Connector is not vulnerable; BCAAA may be vulnerable but no fixes will be provided; XOS is vulnerable
2015-02-19 CacheFlow is vulnerable
2015-02-17 Android Mobile Agent, Client Connector, OPIC, ProxyClient, and Unified Agent are not vulnerable.
2015-01-21 ProxyAV is vulnerable and fixes are available. CAS is vulnerable and a fix is available.
2015-01-14 SGOS fixes added
2015-01-13 Initial public release