SA124 : NSS Vulnerabilities March 2016
SUMMARY
Blue Coat products that include affected versions of NSS are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to cause denial of service through application crashes, or to possibly execute arbitrary code.
AFFECTED PRODUCTS
The following products are vulnerable:
Advanced Secure Gateway (ASG) | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
All CVEs | 6.7 and later | Not vulnerable, fixed in 6.7.2.1. |
6.6 | Upgrade to 6.6.5.1. |
Content Analysis System (CAS) | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
All CVEs | 2.1 and later | Not vulnerable, fixed in 2.1.1.1 |
1.3 | Upgrade to 1.3.7.1. |
Director | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2016-1978 | 6.1 | Upgrade to a version of MC with the fixes. |
Mail Threat Defense (MTD) | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
All CVEs | 1.1 | Upgrade to a version of CAS and SMG with the fixes. |
Management Center (MC) | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
All CVEs | 1.6 and later | Not vulnerable, fixed in 1.6.1.1 |
1.5 | Upgrade to later release with fixes. |
PacketShaper (PS) S-Series | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
All CVEs | 11.6 and later | Not vulnerable, fixed in 11.6.1.1 |
CVE-2016-1978 | 11.5 | Upgrade to 11.5.3.2. |
11.2, 11.3, 11.4 | Upgrade to later release with fixes. | |
CVE-2016-1979 | 11.5 | Upgrade to 11.5.3.2 |
11.2, 11.3, 11.4 | Upgrade to later release with fixes. |
PolicyCenter (PC) S-Series | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2016-1978 | 1.1 | Upgrade to 1.1.2.2. |
Security Analytics | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
All CVEs | 8.0 | Not vulnerable, fixed in 8.0.1 |
7.3 (not vulnerable to known vectors of attack) | Upgrade to 7.3.2. | |
7.2 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. | |
CVE-2016-1978 | 6.6, 7.0, 7.1 | Upgrade to later release with fixes. |
CVE-2016-1979 | 6.6, 7.0, 7.1 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
X-Series XOS | ||
---|---|---|
CVE | Supported Version(s) | Remediation |
All CVEs | 9.7, 10.0, 11.0 | A fix will not be provided. |
The following products contain a vulnerable version of NSS, but are not vulnerable to known vectors of attack:
Reporter | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
All CVEs | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 |
10.1 | Upgrade to 10.1.4.2. | |
9.4, 9.5 | Not vulnerable |
ADDITIONAL PRODUCT INFORMATION
Some Blue Coat products do not enable or use all functionality within NSS. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.
- Director: CVE-2016-1979
- PS S-Series: CVE-2016-1978 (11.2, 11.3, and 11.4 only) and CVE-2016-1979
- PC S-Series: CVE-2016-1979
- Reporter 10.1: CVE-2016-1978 and CVE-2016-1979
- Security Analytics: CVE-2016-1978 (7.2 and 7.3 only), CVE-2016-1979
The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Communication Server
Cloud Data Protection Integration Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
SSL Visibility
Unified Agent
Web Isolation
Blue Coat no longer provides vulnerability information for the following products:
DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.
ISSUES
CVE-2016-1978 | |
---|---|
Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 84275 / NVD: CVE-2016-1978 |
Impact | Denial of service, code execution |
Description | A use-after-free flaw in the SSL/TLS client implementation for DHE and ECDHE cipher suites allows a remote attacker to cause application crashes resulting in denial of service. The attacker may also execute arbitrary code with the permission of the user running the NSS SSL/TLS client application. |
CVE-2016-1979 | |
---|---|
Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 84221 / NVD: CVE-2016-1979 |
Impact | Denial of service, code execution |
Description | A use-after-free flaw in DER encoded private key parsing allows a remote attacker to cause application crashes resulting in denial of service. The attacker may also execute arbitrary code with the permissions of the user running the NSS application. |
MITIGATION
CVE-2016-1979 can be exploited in affected products only through their management interfaces. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.
REFERENCES
MFSA2016-15 - https://www.mozilla.org/en-US/security/advisories/mfsa2016-15/
MFSA2016-36 - https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/
REVISION
2021-07-13 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. Moving Advisory Status to Closed.
2020-11-20 X-Series XOS is vulnerable. A fix for XOS 9.7, 10.0, and 11.0 will not be provided.
2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-26 A fix for Security Analytics 7.3 is available in 7.3.2.
2019-10-03 Web Isolation is not vulnerable.
2019-08-01 Security Analytics 8.0 is not vulnerable.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-18 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable.
2017-01-25 It was previously reported that Security Analytics 7.2 is vulnerable to CVE-2016-1978. Further investigation indicates that Security Analytics 7.2 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack. A fix will be provided in a future release.
2016-12-15 IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable. Customers should contact Digital Guardian technical support regarding vulnerability information for DLP.
2016-12-04 PacketShaper S-Series 11.7 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-03 A fix for ASG is available in 6.6.5.1. A fix for MC 1.6 is available in 1.6.1.1. MC 1.7 is not vulnerable. A fix will not be provided for MC 1.5. A fix for Reporter 10.1 is avaialble in 10.1.4.2.
2016-08-12 A fix for CAS 1.3 is available in 1.3.7.1. Security Analytics 7.2 is vulnerable to CVE-2016-1978 and has vulnerable code for CVE-2016-1979.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-24 A fix for PacketShaper S-Series 11.5 is available in 11.5.3.2. A fix for PolicyCenter S-Series is available in 1.1.2.2.
2016-06-10 Security Analytics 6.6, 7.0, and 7.1 are vulnerable to CVE-2016-1978 and have vulnerable code for CVE-2016-1979.
2016-06-08 Reporter 10.1 has a vulnerable version of NSS. Reporter 9.4 and 9.5 are not vulnerable.
2016-06-07 initial public release