SA90 : Ghost Remote Code Execution GNU C Library (glibc)
SUMMARY
A buffer overflow exists in the GNU C Library (glibc) that allows a remote attacker to execute arbitrary code using the permissions of the application. A remote attacker could use this vulnerability to gain administrator or root access to Blue Coat products using affected versions of glibc.
AFFECTED PRODUCTS
The following products are vulnerable:
Director
Director 6.x prior to 6.1.17.2 is vulnerable.
DLP
DLP 9.x, 8.x, and 7.x are vulnerable.
Malware Analysis Appliance
MAA 4.2 prior to 4.2.3, and MAA 4.1 are vulnerable.
Malware Analyzer G2
All versions of MAG2 are vulnerable.
Management Center
MC 1.x prior to 1.3.2.1 is vulnerable. MC 1.4, 1.5, 1.6, 1.7, 1.8, and 1.9 are not vulnerable.
Norman Shark Industrial Control System Protection
ICSP 5.x prior to 5.3.2 is vulnerable.
Norman Shark Network Protection
NNP 5.x prior to 5.3.2 is vulnerable.
Norman Shark SCADA Protection
NSP 5.x prior to 5.3.2 is vulnerable.
PacketShaper S-Series
PacketShaper S-Series 11.x prior to 11.5.2.1 is vulnerable.
Reporter
The ISO version of Reporter 9.4 (Virtualized Reporter) is vulnerable. Reporter 9.4 and 9.5 for Windows and Linux are not vulnerable. Reporter 10.1 is not vulnerable.
Security Analytics
SA 6.6 prior to 6.6.11, 7.0, and 7.1 prior to 7.1.7 are vulnerable. SA 7.2 is not vulnerable.
SSL Visibility
The SSLV 3.5.2 FIPS Release contains the vulnerable code but is not vulnerable to currently known attack vectors. SSLV 3.6, SSLV 3.7 prior to 3.7.4-41, and SSLV 3.8 prior to 3.8.2-406 are vulnerable. SSLV 3.8.4FC, 3.9, 3.10, 3.11, and 4.0 are not vulnerable.
X-Series
XOS 10.0 prior to 10.0.3, XOS 9.7 prior to 9.7.6, XOS 9.6 prior to 9.6.10, and XOS 9.5 are vulnerable. XOS 11.0 is not vulnerable.
The following products contain a vulnerable version of gethostbyname, but are not vulnerable to known vectors of attack:
Content Analysis System
CAS 1.1 and CAS 1.2 prior to 1.2.4.1 have vulnerable versions of gethostbyname. The CAS software does not call gethostbyname directly. CAS has three open ports for four services: ICAP, Tomcat, SNMP, and OpenSSH. None of these software packages are vulnerable.
CAS 1.3 and 2.1 are not vulnerable.
PATCHES
Content Analysis System
CAS contains a vulnerable version of gethostbyname, but is not vulnerable to known vectors of attack.
CAS 1.2 - a release with a non-vulnerable glibc is available in 1.2.4.1.
CAS 1.1 - a fix will not be provided. Please upgrade to a later version that has the vulnerability fix.
Director
Director 6.1 - a fix is available in 6.1.17.2.
DLP
DLP 9.x - a patch is available from Blue Coat Support for 9.x.
DLP 8.x - a patch is available from Blue Coat Support for 8.x.
DLP 7.x - a fix is not available at this time.
Malware Analysis Appliance
MAA 4.2 - a fix is available in 4.2.3.
MAA 4.1 - a fix will not be provided. Please upgrade to a later release with the vulnerability fix.
Malware Analyzer G2
MAG2 4.1 and prior - a patch will not be provided. Please upgrade to the latest MAA 4.x release with the vulnerability fix.
Management Center
MC 1.x - a fix is available in 1.3.2.1.
Norman Shark Industrial Control System Protection
ICSP 5.x - a fix is available in 5.3.2.
Norman Shark Network Protection
NNP 5.x - a fix is available in 5.3.2.
Norman Shark SCADA Protection
NSP 5.x - a fix is available in 5.3.2.
PacketShaper S-Series
PS 11.5 - a fix is available in 11.5.2.1.
PS 11.4 - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
PS 11.3 - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
PS 11.2 - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
PS 11.1 - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
Reporter
Reporter ISO version 9.4 - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
Security Analytics
SA 7.1 - a fix is available in 7.1.7.
SA 7.0 - a patch RPM to update the version of OpenSSL is available through Blue Coat Support.
SA 6.6 - a fix is available in 6.6.11.
SSL Visibility
A patch is available for SV800, SV1800, SV2800, and SV3800 systems running software version 3.6.x, 3.7.x, and 3.8.x. The patch upgrades the system to 3.8.2-406. Refer to the 3.8.2-406 Release Notes for specific details on the defect fixes and upgrade procedures.
SSLV 3.8 - a fix is available by applying patch sslv-3.8.2-406-bluecoat.patch.
SSLV 3.7 - a fix is available by applying patch sslv-3.8.2-406-bluecoat.patch. If it is not possible to upgrade immediately, then the 3.7.4-41 patch can be applied to systems running 3.7.x.
SSLV 3.6 - a fix is available by applying patch sslv-3.6-to-3.8.2-406-bluecoat.patch.
SSLV 3.5.2 - a fix to update to glibc will not be provided.
X-Series
XOS 10.0 - a fix is available in 10.0.3.
XOS 9.7 - a fix is available in 9.7.6.
XOS 9.6 - a fix is available in 9.6.10.
XOS 9.5 - a fix will not be provided. Please upgrade to a later version that has the vulnerability fix.
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Mobile Device Security
PacketShaper
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter for Linux and Windows
Unified Agent
ISSUES
CVE-2015-0235
A heap-based buffer overflow exists in versions of the GNU C Library (glibc) prior to 2.18. Blue Coat products that include a vulnerable version of glibc are vulnerable.
The buffer overflow is found in the function __nss_hostname_digits_dots(). This function is used by gethostbyname() and gethostbyname2(). Applications that use this function can be exploited by a remote attacker to execute attacker-provided code with the same rights and privileges as the application. If the application runs as root, the remote attacker will gain root access and have complete control.
Blue Coat products that are installed on existing clients or servers do not install glibc and are therefore not vulnerable. The overall client or server may itself be vulnerable if a vulnerable version of glibc is installed. Blue Coat urges our customers to update the operating system or the version of glibc for these products.
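For hosts that carry their own glibc, the following added example (not part of the Blue Coat advisory) reports whether the runtime glibc is older than 2.18, the threshold stated above. The function name glibc_predates_2_18 is hypothetical; the comparison is numeric so that a version such as 2.5 is not mistaken for being newer than 2.18.

```c
/* Added example: flag a runtime glibc older than 2.18, the threshold
 * this advisory gives for CVE-2015-0235. Function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__GLIBC__)
#include <gnu/libc-version.h>   /* gnu_get_libc_version() */
#endif

/* Parse "MAJOR.MINOR[...]" numerically. Returns 0 on success, -1 on bad input. */
static int parse_glibc_version(const char *s, long *major, long *minor)
{
    char *end;
    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;
    *major = strtol(s, &end, 10);
    if (*end != '.' || !isdigit((unsigned char)end[1]))
        return -1;
    *minor = strtol(end + 1, &end, 10);   /* any ".PATCH" suffix is ignored */
    return 0;
}

/* 1 = older than 2.18 (needs review), 0 = 2.18 or later, -1 = unparseable. */
int glibc_predates_2_18(const char *version)
{
    long major, minor;
    if (parse_glibc_version(version, &major, &minor) != 0)
        return -1;
    if (major != 2)
        return major < 2;
    return minor < 18;   /* numeric compare: 2.5 < 2.18, unlike strcmp() */
}

int main(void)
{
#if defined(__GLIBC__)
    const char *v = gnu_get_libc_version();
    int r = glibc_predates_2_18(v);
    printf("glibc %s: %s\n", v,
           r == 1 ? "older than 2.18, confirm the OS package has the fix"
         : r == 0 ? "2.18 or later" : "version string not understood");
    return r == 1 ? 1 : 0;
#else
    puts("not built against glibc");
    return 0;
#endif
}
```

A result of "older than 2.18" marks the host for follow-up rather than proving exposure, because operating system vendors shipped the fix in updated packages that keep the older upstream version number. Processes started before a glibc update keep the old library mapped until they are restarted.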
REFERENCES
CVE-2015-0235 - https://nvd.nist.gov/vuln/detail/CVE-2015-0235
Qualys vulnerability report - https://blog.qualys.com/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
OSS-security analysis - http://www.openwall.com/lists/oss-security/2015/01/27/9
REVISION
2017-05-30 SA status moved to Final.
2017-05-29 A fix for PacketShaper S-Series 11.5 is available in 11.5.2.1.
2017-05-16 CAS 2.1 is not vulnerable.
2017-03-06 ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.6 and 1.7 are not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-15 Advanced Secure Gateway is not vulnerable.
2016-08-11 Security Analytics 7.2 is not vulnerable.
2016-07-24 SSLV 3.8.4FC and 3.9 are not vulnerable.
2016-06-17 XOS 11.0 is not vulnerable.
2016-06-16 PolicyCenter S-Series is not vulnerable.
2016-06-07 A fix for MAA 4.1 will not be provided. Please upgrade to a later release with the vulnerability fix.
2016-05-26 IntelligenceCenter Data Collector is not vulnerable.
2016-05-25 Reporter 10.1 is not vulnerable. A fix for Reporter ISO 9.4 will not be provided.
2016-05-21 MC 1.4 and 1.5 are not vulnerable.
2016-05-20 A fix will not be provided for CAS 1.1. Please upgrade to a later version with the vulnerability fix. CAS 1.3 is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-23 Mail Threat Defense is not vulnerable.
2015-12-02 All fixes are available for Security Analytics
2015-09-30 Updated interfaces listed for CAS
2015-03-12 Fixes are available for Security Analytics
2015-03-11 Reporter ISO version is vulnerable
2015-03-04 Patches are available for DLP 8.x and 9.x
2015-03-03 Fixes are available for Norman Shark NNP, ICSP, and SCADA; updated glibc available for CAS 1.2.4.1
2015-02-17 CAS is not vulnerable to known vectors of attack.
2015-02-12 Fix is available for Management Center; clarification of which versions are vulnerable in Affected Products
2015-02-11 Fixes are available for Director 6.1, MAA 4.2, SSLV 3..4-41, XOS 10.0, XOS 9.7, XOS 9.6. SSLV 3.5.2 is not vulnerable.
2015-02-04 A fix for XOS 9.5 will not be provided.
2015-02-02 Added CVSS score of 10.0. Patch release for SSLV is available.
2015-01-29 Corrected CVE number
2015-01-28 Initial public release