SA141 : OpenSSL Vulnerabilities 26-Jan-2017
SUMMARY
Symantec Network Protection products using affected versions of OpenSSL are susceptible to several vulnerabilities. A remote attacker can exploit these vulnerabilities to cause denial of service and obtain private key information.
AFFECTED PRODUCTS
The following products are vulnerable:
| CacheFlow | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 3.4 | Upgrade to 3.4.2.8. |
| Director | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 6.1 starting with 6.1.22.1 | Upgrade to 6.1.23.1. |
| IntelligenceCenter (IC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 3.3 | Upgrade to a version of NetDialog NetX with fixes. |
| Malware Analysis (MA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3732 | 4.2 | Upgrade to 4.2.12. |
| PacketShaper (PS) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 9.2 | Fixed in 9.2.13p7 |
| PolicyCenter (PC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 9.2 | Fixed in 9.2.13p7 |
| ProxyAV | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 3.5 | Upgrade to a version of CAS with fixes. |
| ProxySG | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 7.1 and later | Not vulnerable, fixed in 7.1.1.1 |
| 6.7 | Upgrade to 6.7.1.2. | |
| 6.6 | Upgrade to 6.6.5.8. | |
| 6.5 | Upgrade to 6.5.10.4. | |
| Reporter | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1. |
| 10.1 (has vulnerable version of OpenSSL, but not vulnerable to known vectors of impact). | Upgrade to 10.1.5.5. | |
| 9.5 | Not vulnerable | |
| CVE-2017-3732 | 10.2 and later | Not vulnerable |
| 10.1 | Not vulnerable | |
| 9.5 | Upgrade to 9.5.4.1. | |
| All CVEs | 9.4 | Not vulnerable |
| SSL Visibility (SSLV) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1. |
| 4.0 (has vulnerable version of OpenSSL, but not vulnerable to known vectors of impact). | Upgrade to 4.0.2.1. | |
| 3.x | Not vulnerable | |
| CVE-2017-3732 | 3.12 and later | Not vulnerable |
| 3.11 | Upgrade to 3.11.3.1. | |
| 3.10 | Upgrade to 3.10.4.1. | |
| 3.9 | Not available at this time | |
| Unified Agent (UA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3732 | 4.8 and later | Not vulnerable, fixed in 4.8.0 |
| 4.7 | Upgrade to later release with fixes | |
| 4.6 | Upgrade to later release with fixes | |
| 4.1 | Not vulnerable | |
The following products contain a vulnerable version of OpenSSL, but are not vulnerable to known vectors of attack:
| Advanced Secure Gateway (ASG) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 7.1 | Not vulnerable, fixed in 7.1.1.1 |
| 6.7 | Upgrade to 6.7.3.1. | |
| 6.6 | Upgrade to later release with fixes. | |
| Android Mobile Agent | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 2.0 | Not vulnerable, fixed |
| 1.3 | Upgrade to 1.3.8. | |
| Content Analysis (CA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 2.2 and later | Not vulnerable, fixed in 2.2.1.1. |
| 2.1 | Upgrade to later release with fixes. | |
| 1.3 | Upgrade to later release with fixes. | |
| Mail Threat Defense (MTD) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 1.1 | Not available at this time |
| Management Center (MC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1. |
| 1.10 | Upgrade to later release with fixes. | |
| 1.9 | Upgrade to later release with fixes. | |
| 1.8 | Upgrade to later release with fixes. | |
| Norman Shark Industrial Control System Protection (ICSP) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 5.4 and later | Not vulnerable, fixed in 5.4.1 |
| 5.3 | Not available at this time | |
| Norman Shark Network Protection (NNP) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 5.3 | A fix will not be provided. |
| Norman Shark SCADA Protection (NSP) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes. |
| PacketShaper (PS) S-Series | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 11.9 and later | Not vulnerable, fixed in 11.9.1.1. |
| 11.8 | Upgrade to later release with fixes. | |
| 11.7 | Upgrade to later release with fixes. | |
| 11.6 | Upgrade to 11.6.4.2. | |
| 11.5 | Upgrade to later release with fixes. | |
| PolicyCenter (PC) S-Series | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 1.1 | Upgrade to 1.1.4.2. |
| Security Analytics | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 7.3 and later | Not vulnerable, fixed in 7.3.1. |
| 7.2 | Upgrade to 7.2.3. | |
| 7.1 | Upgrade to later release with fixes. | |
| 6.6 | Upgrade to later release with fixes. | |
| X-Series XOS | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3731 | 11.0 | Not available at this time |
| 10.0 | Upgrade to later release with fixes. | |
| 9.7 | Upgrade to later release with fixes. | |
ADDITIONAL PRODUCT INFORMATION
Symantec Network Protection products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Symantec urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.
Some Symantec Network Protection products do not enable or use all functionality within OpenSSL. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.
- Android Mobile Agent: CVE-2017-3731
- ASG: CVE-2017-3731
- CA: CVE-2017-3731
- Director 6.1.22.1: CVE-2017-3732
- MTD: CVE-2017-3731
- MA: CVE-2017-3731
- MC: CVE-2017-3731
- ICSP: CVE-2017-3731
- NNP: CVE-2017-3731
- NSP: CVE-2017-3731
- PacketShaper S-Series: CVE-2017-3731
- PolicyCenter S-Series: CVE-2017-3731
- Reporter 9.5 and 10.1: CVE-2017-3731
- Security Analytics: CVE-2017-3731
- SSLV: CVE-2017-3731
- Unified Agent: CVE-2017-3731
The following products are not vulnerable:
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
K9
ProxyClient
ProxyAV ConLog and ConLogXP
Web Isolation
Symantec no longer provides vulnerability information for the following products:
DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.
ISSUES
| CVE-2017-3730 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 95812 / NVD: CVE-2017-3730 |
| Impact | Denial of service |
| Description | A NULL pointer dereference flaw in the SSL client implementation allows a remote attacker to send crafted DHE or ECDHE key exchange parameters to an SSL client and cause an application crash, resulting in denial of service. |
| CVE-2017-3731 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 95813 / NVD: CVE-2017-3731 |
| Impact | Denial of service |
| Description | An out-of-bounds read flaw in the 32-bit SSL client and server implementations allows a remote attacker to send crafted packets and cause an application crash, resulting in denial of service. |
| CVE-2017-3732 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) |
| References | SecurityFocus: BID 95814 / NVD: CVE-2017-3732 |
| Impact | Information disclosure |
| Description | A flaw in the 64-bit Montgomery squaring implementation (used in RSA, DSA, and DHE) allows a remote attacker to obtain private key information. |
REFERENCES
OpenSSL Security Advisory - https://www.openssl.org/news/secadv/20170126.txt
REVISION
2020-04-23 Advanced Secure Gateway (ASG) and ProxySG 7.1 and later versions are not vulnerable because fixes are available in 7.1.1.1. Industrial Control System Protection (ICSP) 5.4 is not vulnerable because a fix is available in 5.4.1. A fix for Security Analytics 7.2 is available in 7.2.3. Advisory status moved to Closed.
2020-01-15 A fix will not be provided for ProxyAV 3.5. Content Analysis System (CAS) is a replacement product for ProxyAV. Please switch to a version of CAS with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-08-21 A fix for IntelligenceCenter (IC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-29 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2019-01-21 Security Analytics 8.0 is not vulnerable.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later release with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later release with the vulnerability fixes.
2018-08-07 A fix for CA 1.3 will not be provided. Please upgrade to a later release with the vulnerability fixes.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-07-27 A fix for MA 4.2 is available in 4.2.12.
2018-07-02 A fix for PolicyCenter 9.2 is available in 9.2.13p7.
2018-07-01 A fix for PacketShaper 9.2 is available in 9.2.13p7.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-06-04 A fix for PolicyCenter S-Series is available in 1.1.4.2.
2018-04-22 CA 2.3 is not vulnerable. Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1. A fix for PacketShaper S-Series 11.6 is available in 11.6.4.2. PacketShaper S-Series 11.10 is not vulnerable.
2018-04-12 A fix for Reporter 10.1 is available in 10.1.5.5.
2018-02-22 A fix for SSLV 3.10 is available in 3.10.4.1.
2018-02-05 A fix for Reporter 9.5 is available in 9.5.4.1.
2018-01-31 A fix for ASG 6.7 is avaialble in 6.7.3.1.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CA 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-09-08 Added CVSS v2 base scores. Corrected response for Reporter 9.5 - it is vulnerable to CVE-2017-3732.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-25 PS S-Series 11.9 is not vulnerable because a fix is available in 11.9.1.1.
2017-07-23 MC 1.10 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-30 A fix for ProxySG 6.5 is available in 6.5.10.4.
2017-06-22 Security Analytics 7.3 is not vulnerable because a fix is available in 7.3.1.
2017-06-05 PS S-Series 11.8 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack. A fix is not available a this time.
2017-05-22 UA 4.8 is not vulnerable because a fix is available in 4.8.0.
2017-05-19 A fix for ProxySG 6.6 is available in 6.6.5.8.
2017-05-18 CAS 2.1 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-29 A fix for CacheFlow 3.4 is available in 3.4.2.8.
2017-04-19 A fix for ProxySG 6.7 is available in 6.7.1.2.
2017-04-11 A fix for SSLV 3.11 is available in 3.11.3.1.
2017-03-30 A fix for SSLV 4.0 is available in 4.0.2.1. MC 1.9 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-03-08 ProxySG 6.7 is vulnerable to CVE-2017-3731. SSLV 4.0 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-02-09 initial public release