SA101 : OpenSSL Security Advisory 09-July-2015
1328
04 May 2021
10 July 2015
CLOSED
MEDIUM
CVSS v2: 6.4
SUMMARY
Blue Coat products using affected versions of OpenSSL 1.0.2 and 1.0.1 are vulnerable to certificate forgery. A remote attacker may exploit this vulnerability to act as a CA using a valid leaf certificate and then issue falsified certificates that appear to be valid. At this time, no products have been identified as vulnerable. Blue Coat is actively assessing the remaining products.
AFFECTED PRODUCTS
At this time, no products have been found vulnerable to CVE-2015-1793.
ADDITIONAL PRODUCT INFORMATION
Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Reporter on Linux, Unified Agent on Linux, ProxyClient, and the Blue Coat HSM Agent on the SafeNet Luna SP.
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
Director
General Auth Connector Login Application (aclogon.exe)
Intelligence Center
Intelligence Center Data Collector
K9
Mail Threat Defense
Malware Analysis Appliance
Malware Analyzer G2
Management Center
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
OPIC
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics Platform
SSL Visibility
Unified Agent
X-Series XOS
Blue Coat no longer provides vulnerability information for the following products:
DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.
ISSUES
A vulnerability was announced by OpenSSL in OpenSSL Security Advisory 9-Jul-2015. Blue Coat products that include a vulnerable version of OpenSSL and make use of the affected functionality are vulnerable. At this time, no products have been identified as vulnerable. Blue Coat is actively investigating the remaining products.
CVE-2015-1793 is a flaw in certificate verification that allows an attacker to bypass certain checks and present a certificate that, under normal conditions, would not be accepted. This flaw is exercised only when OpenSSL attempts to find an alternate certificate chain to validate the certificate. One check that is bypassed in this situation is the flag in the certificate that indicates that the certificate is for a Certificate Authority (CA). An attacker can exploit this flaw by using a valid leaf certificate signed by a trusted CA to act as a CA and sign invalid certificates. These certificates will be accepted as valid by the vulnerable versions of OpenSSL. Blue Coat products that use affected versions of OpenSSL and that validate certificates (either as a client or as a server) are vulnerable.
CVE-2015-1793 | |
Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) |
References | SecurityFocus: BID 75652 / NVD: CVE-2015-1793 |
Impact | Information disclosure, unauthorized modification of data |
Description | A certificate verification flaw allows a remote attacker to intercept an SSL connection as a man-in-the-middle and view or modify its encrypted data. |
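The CA-flag check described in the ISSUES text above, as a minimal model that audits a chain independently of how the verifier built it (an added example, not Blue Coat or OpenSSL code). Certificates are constructed records rather than parsed X.509, and `Cert`, `audit_chain` and the `example.test` names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the parsed fields of an X.509 certificate."""
    subject: str
    issuer: str
    is_ca: bool  # basicConstraints CA flag

def audit_chain(chain, trusted_subjects):
    """Audit a leaf-first chain and return a list of findings (empty = clean).

    Every certificate that issues another one must carry the CA flag,
    regardless of which path the verifier followed to a trust anchor.
    """
    if not chain:
        return ["empty chain"]
    findings = []
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            findings.append(f"{child.subject}: issuer does not match {parent.subject}")
        if not parent.is_ca:
            findings.append(f"{parent.subject}: issues {child.subject} but CA flag is not set")
    if chain[-1].subject not in trusted_subjects:
        findings.append(f"{chain[-1].subject}: chain does not end at a trust anchor")
    return findings

# Constructed sample data (hypothetical names).
ROOT = Cert("Example Root CA", "Example Root CA", True)
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", True)
LEAF = Cert("www.example.test", "Example Issuing CA", False)
# A certificate signed with the leaf's key, the case the advisory describes.
FORGED = Cert("login.example.test", "www.example.test", False)

TRUSTED = {"Example Root CA"}
GOOD_CHAIN = [LEAF, INTERMEDIATE, ROOT]
BAD_CHAIN = [FORGED, LEAF, INTERMEDIATE, ROOT]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, audit_chain(chain, TRUSTED) or "no findings")
```

A chain that a TLS library accepted but that produces a CA-flag finding here is the condition this advisory describes.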
REFERENCES
OpenSSL Security Advisory - https://www.openssl.org/news/secadv_20150709.txt
REVISION
2017-02-15 Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. SA status moved to Final.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-05-25 Reporter 9.5 and 10.1 are not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-03 Advanced Secure Gateway and PolicyCenter S-Series are not vulnerable.
2016-04-23 Mail Threat Defense is not vulnerable.
2015-07-13 updated identifier from 101 to SA101; Reporter for Windows is not vulnerable
2015-07-10 removed PolicyCenter S-Series as it is not shipping yet
2015-07-10 initial public release