SA141 : OpenSSL Vulnerabilities 26-Jan-2017

IntelligenceCenter

6 more products

1395

04 May 2021

09 February 2017

CLOSED

Medium

CVSS v2: 5.0

SUMMARY

Symantec Network Protection products using affected versions of OpenSSL are susceptible to several vulnerabilities.  A remote attacker can exploit these vulnerabilities to cause denial of service and obtain private key information.

AFFECTED PRODUCTS 

The following products are vulnerable:

CacheFlow
CVE Affected Version(s) Remediation
CVE-2017-3731 3.4 Upgrade to 3.4.2.8.

 

Director
CVE Affected Version(s) Remediation
CVE-2017-3731 6.1 starting with 6.1.22.1 Upgrade to 6.1.23.1.

 

IntelligenceCenter (IC)
CVE Affected Version(s) Remediation
CVE-2017-3731 3.3 Upgrade to a version of NetDialog NetX with fixes.

 

Malware Analysis (MA)
CVE Affected Version(s) Remediation
CVE-2017-3732 4.2 Upgrade to 4.2.12.

 

PacketShaper (PS)
CVE Affected Version(s) Remediation
CVE-2017-3731 9.2 Fixed in 9.2.13p7

 

PolicyCenter (PC)
CVE Affected Version(s) Remediation
CVE-2017-3731 9.2 Fixed in 9.2.13p7

 

ProxyAV
CVE Affected Version(s) Remediation
CVE-2017-3731 3.5 Upgrade to a version of CAS with fixes.

 

ProxySG
CVE Affected Version(s) Remediation
CVE-2017-3731 7.1 and later Not vulnerable, fixed in 7.1.1.1
6.7 Upgrade to 6.7.1.2.
6.6 Upgrade to 6.6.5.8.
6.5 Upgrade to 6.5.10.4.

 

 

Reporter
CVE Affected Version(s) Remediation
CVE-2017-3731 10.2 and later Not vulnerable, fixed in 10.2.1.1.
10.1 (has vulnerable version of OpenSSL, but not vulnerable to known vectors of impact). Upgrade to 10.1.5.5.
9.5 Not vulnerable
CVE-2017-3732 10.2 and later Not vulnerable
10.1 Not vulnerable
9.5 Upgrade to 9.5.4.1.
All CVEs 9.4 Not vulnerable

 

SSL Visibility (SSLV)
CVE Affected Version(s) Remediation
CVE-2017-3731 4.1 and later Not vulnerable, fixed in 4.1.1.1.
4.0 (has vulnerable version of OpenSSL, but not vulnerable to known vectors of impact). Upgrade to 4.0.2.1.
3.x Not vulnerable
CVE-2017-3732 3.12 and later Not vulnerable
3.11 Upgrade to 3.11.3.1.
3.10 Upgrade to 3.10.4.1.
3.9 Not available at this time

 

Unified Agent (UA)
CVE Affected Version(s) Remediation
CVE-2017-3732 4.8 and later Not vulnerable, fixed in 4.8.0
4.7 Upgrade to later release with fixes
4.6 Upgrade to later release with fixes
4.1 Not vulnerable

 

The following products contain a vulnerable version of OpenSSL, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)
CVE Affected Version(s) Remediation
CVE-2017-3731 7.1 Not vulnerable, fixed in 7.1.1.1
6.7 Upgrade to 6.7.3.1.
6.6 Upgrade to later release with fixes.

 

Android Mobile Agent
CVE Affected Version(s) Remediation
CVE-2017-3731 2.0 Not vulnerable, fixed
1.3 Upgrade to 1.3.8.

 

Content Analysis (CA)
CVE Affected Version(s) Remediation
CVE-2017-3731 2.2 and later Not vulnerable, fixed in 2.2.1.1.
2.1 Upgrade to later release with fixes.
1.3 Upgrade to later release with fixes.

 

Mail Threat Defense (MTD)
CVE Affected Version(s) Remediation
CVE-2017-3731 1.1 Not available at this time

 

Management Center (MC)
CVE Affected Version(s) Remediation
CVE-2017-3731 1.11 and later Not vulnerable, fixed in 1.11.1.1.
1.10 Upgrade to later release with fixes.
1.9 Upgrade to later release with fixes.
1.8 Upgrade to later release with fixes.

 

Norman Shark Industrial Control System Protection (ICSP)
CVE Affected Version(s) Remediation
CVE-2017-3731 5.4 and later Not vulnerable, fixed in 5.4.1
5.3 Not available at this time

 

Norman Shark Network Protection (NNP)
CVE Affected Version(s) Remediation
CVE-2017-3731 5.3 A fix will not be provided.

 

Norman Shark SCADA Protection (NSP)
CVE Affected Version(s) Remediation
CVE-2017-3731 5.3 A fix will not be provided.  Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.

 

PacketShaper (PS) S-Series
CVE Affected Version(s) Remediation
CVE-2017-3731 11.9 and later Not vulnerable, fixed in 11.9.1.1.
11.8 Upgrade to later release with fixes.
11.7 Upgrade to later release with fixes.
11.6 Upgrade to 11.6.4.2.
11.5 Upgrade to later release with fixes.

 

PolicyCenter (PC) S-Series
CVE Affected Version(s) Remediation
CVE-2017-3731 1.1 Upgrade to 1.1.4.2.

 

Security Analytics
CVE Affected Version(s) Remediation
CVE-2017-3731 7.3 and later Not vulnerable, fixed in 7.3.1.
7.2 Upgrade to 7.2.3.
7.1 Upgrade to later release with fixes.
6.6 Upgrade to later release with fixes.

 

X-Series XOS
CVE Affected Version(s) Remediation
CVE-2017-3731 11.0 Not available at this time
10.0 Upgrade to later release with fixes.
9.7 Upgrade to later release with fixes.

 

ADDITIONAL PRODUCT INFORMATION

Symantec Network Protection products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs.  However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Symantec urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Some Symantec Network Protection products do not enable or use all functionality within OpenSSL. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them.  However, fixes for these CVEs will be included in the patches that are provided.

  • Android Mobile Agent: CVE-2017-3731
  • ASG: CVE-2017-3731
  • CA: CVE-2017-3731
  • Director 6.1.22.1: CVE-2017-3732
  • MTD: CVE-2017-3731
  • MA: CVE-2017-3731
  • MC: CVE-2017-3731
  • ICSP: CVE-2017-3731
  • NNP: CVE-2017-3731
  • NSP: CVE-2017-3731
  • PacketShaper S-Series: CVE-2017-3731
  • PolicyCenter S-Series: CVE-2017-3731
  • Reporter 9.5 and 10.1: CVE-2017-3731
  • Security Analytics: CVE-2017-3731
  • SSLV: CVE-2017-3731
  • Unified Agent: CVE-2017-3731

The following products are not vulnerable:
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
Client Connector

Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
K9
ProxyClient
ProxyAV ConLog and ConLogXP
Web Isolation

Symantec no longer provides vulnerability information for the following products:

DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES 

CVE-2017-3730
Severity / CVSSv2 Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References SecurityFocus: BID 95812 / NVD: CVE-2017-3730
Impact Denial of service
Description A NULL pointer dereference flaw in the SSL client implementation allows a remote attacker to send crafted DHE or ECDHE key exchange parameters to an SSL client and cause an application crash, resulting in denial of service.

 

CVE-2017-3731
Severity / CVSSv2 Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References SecurityFocus: BID 95813 / NVD: CVE-2017-3731
Impact Denial of service
Description An out-of-bounds read flaw in the 32-bit SSL client and server implementations allows a remote attacker to send crafted packets and cause an application crash, resulting in denial of service.

 

CVE-2017-3732
Severity / CVSSv2 Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References SecurityFocus: BID 95814 / NVD: CVE-2017-3732
Impact Information disclosure
Description A flaw in the 64-bit Montgomery squaring implementation (used in RSA, DSA, and DHE) allows a remote attacker to obtain private key information.

 

REFERENCES

OpenSSL Security Advisory - https://www.openssl.org/news/secadv/20170126.txt

REVISION 

2020-04-23 Advanced Secure Gateway (ASG) and ProxySG 7.1 and later versions are not vulnerable because fixes are available in 7.1.1.1. Industrial Control System Protection (ICSP) 5.4 is not vulnerable because a fix is available in 5.4.1. A fix for Security Analytics 7.2 is available in 7.2.3. Advisory status moved to Closed.
2020-01-15 A fix will not be provided for ProxyAV 3.5.  Content Analysis System (CAS) is a replacement product for ProxyAV.  Please switch to a version of CAS with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-08-21 A fix for IntelligenceCenter (IC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-29 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2019-01-21 Security Analytics 8.0 is not vulnerable.
2019-01-12 A fix for Security Analytics 7.1 will not be provided.  Please upgrade to a later release with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided.  Please upgrade to a later release with the vulnerability fixes.
2018-08-07 A fix for CA 1.3 will not be provided.  Please upgrade to a later release with the vulnerability fixes.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-07-27 A fix for MA 4.2 is available in 4.2.12.
2018-07-02 A fix for PolicyCenter 9.2 is available in 9.2.13p7.
2018-07-01 A fix for PacketShaper 9.2 is available in 9.2.13p7.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-06-04 A fix for PolicyCenter S-Series is available in 1.1.4.2.
2018-04-22 CA 2.3 is not vulnerable.  Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1.  A fix for PacketShaper S-Series 11.6 is available in 11.6.4.2.  PacketShaper S-Series 11.10 is not vulnerable.
2018-04-12 A fix for Reporter 10.1 is available in 10.1.5.5.
2018-02-22 A fix for SSLV 3.10 is available in 3.10.4.1.
2018-02-05 A fix for Reporter 9.5 is available in 9.5.4.1.
2018-01-31 A fix for ASG 6.7 is avaialble in 6.7.3.1.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1.  A fix for MC 1.10 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CA 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-09-08 Added CVSS v2 base scores.  Corrected response for Reporter 9.5 - it is vulnerable to CVE-2017-3732.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-25 PS S-Series 11.9 is not vulnerable because a fix is available in 11.9.1.1.
2017-07-23 MC 1.10 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.  A fix for MC 1.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-06-30 A fix for ProxySG 6.5 is available in 6.5.10.4.
2017-06-22 Security Analytics 7.3 is not vulnerable because a fix is available in 7.3.1.
2017-06-05 PS S-Series 11.8 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.  A fix is not available a this time.
2017-05-22 UA 4.8 is not vulnerable because a fix is available in 4.8.0.
2017-05-19 A fix for ProxySG 6.6 is available in 6.6.5.8.
2017-05-18 CAS 2.1 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-29 A fix for CacheFlow 3.4 is available in 3.4.2.8.
2017-04-19 A fix for ProxySG 6.7 is available in 6.7.1.2.
2017-04-11 A fix for SSLV 3.11 is available in 3.11.3.1.
2017-03-30 A fix for SSLV 4.0 is available in 4.0.2.1.  MC 1.9 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-03-08 ProxySG 6.7 is vulnerable to CVE-2017-3731.  SSLV 4.0 has a vulnerable version of OpenSSL, but is not vulnerable to known vectors of attack.
2017-02-09 initial public release