SA150: NSS Vulnerability April 2017

ASG-S200

19 more products

1405

20 July 2021

25 May 2017

CLOSED

HIGH

CVSS v2: 7.5

SUMMARY

Symantec Network Protection products using affected versions of NSS are susceptible to a security vulnerability.  A remote attacker can send crafted Base64-encoded data and execute arbitrary code or cause denial of service through an application crash.

AFFECTED PRODUCTS 

The following products are vulnerable:

Director
CVE Affected Version(s) Remediation
All CVEs 6.1 Upgrade to a version of MC with the fixes.

 

PacketShaper (PS) S-Series
CVE Affected Version(s) Remediation
All CVEs 11.9 and later Not vulnerable, fixed in 11.9.1.1
11.8 Upgrade to later release with fixes.
11.7 Upgrade to later release with fixes.
11.6 Upgrade to 11.6.4.2.
11.5 Upgrade to later release with fixes.

 

PolicyCenter (PC) S-Series
CVE Affected Version(s) Remediation
All CVEs 1.1 Upgrade to 1.1.4.2.

 

Security Analytics
CVE Affected Version(s) Remediation
All CVEs 8.0 and later Not vulnerable, fixed in 8.0.1.
7.3 Upgrade to 7.3.2.
7.2, 7.1 Upgrade to later release with fixes.

 

SSL Visibility (SSLV)
CVE Affected Version(s) Remediation
All CVEs 4.2 and later Not vulnerable, fixed in 4.2.1.1
4.1 Upgrade to later release with fixes.
4.0 Upgrade to later release with fixes.
3.x Not vulnerable

 

X-Series XOS
CVE Affected Version(s) Remediation
All CVEs 9.7, 10.0, 11.0 A fix will not be provided.

 

The following products have a vulnerable version of NSS, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)
CVE Affected Version(s) Remediation
All CVEs 7.1 and later Not vulnerable, fixed in 7.1.1.1
6.7 Upgrade to 6.7.3.1.
6.6 Upgrade to 6.6.5.10.

 

Content Analysis (CA)
CVE Affected Version(s) Remediation
All CVEs 2.2 and later Not vulnerable, fixed in 2.2.1.1
2.1 Upgrade to later release with fixes.
1.3 Fixed in 1.3.7.8.

 

Mail Threat Defense (MTD)
CVE Affected Version(s) Remediation
All CVEs 1.1 Upgrade to a version of CAS and SMG with the fixes.

 

Management Center (MC)
CVE Affected Version(s) Remediation
All CVEs 1.11 and later Not vulnerable, fixed in 1.11.1.1
1.10 Upgrade to later release with fixes.
1.9 Upgrade to later release with fixes.

 

Reporter
CVE Affected Version(s) Remediation
All CVEs 10.2 and later Not vulnerable, fixed in 10.2.1.1
10.1 Upgrade to 10.1.5.5.
9.5 Not vulnerable
9.4 Not vulnerable.

 

ADDITIONAL PRODUCT INFORMATION

PacketShaper S-Series and PolicyCenter S-Series are only vulnerable through LDAPS client connections.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder

General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis
Norman Shark Industrial Control System Protection
PacketShaper

PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP

ProxyClient
ProxySG
Unified Agent
Web Isolation

ISSUES 

CVE-2017-5461
Severity / CVSSv2 High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 98050 / NVD: CVE-2017-5461
Impact Denial of service, code execution
Description An out-of-bounds write flaw in the Base64 encoder/decoder allows a remote attacker to send crafted Base64 data, such as an X.509 certificate, and cause denial of service through an application crash. The attacker could also execute arbitrary code with the permission of the application using NSS.

 

MITIGATION

By default, Director, Security Analytics, and XOS do not use NSS to parse Base64 data from external sources.  Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-5461.

CVE-2017-5461 only affects LDAPS client connections in PacketShaper S-Series and PolicyCenter S-Series. Deploying these products in a secure, trusted network reduces the threat of exploiting this vulnerability.

REFERENCES 

MFSA 2017-10 - https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/

REVISION 

2021-07-13 A fix for Security Analytics 7.2 will not be provided.  Please upgrade to a later version with the vulnerability fixes.  Moving Advisory Status to Closed.
2020-11-18 A fix for MTD 1.1 will not be provided.  Please upgrade to a version of CAS and SMG with the vulnerability fixes.  A fix for XOS 9.7, 10.0, and 11.0 will not be provided.  A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. 
2020-04-17 Advanced Secure Gateway (ASG) 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1.
2019-10-02 Web Isolation is not vulnerable.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.2.  Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2019-01-12 A fix for Security Analytics 7.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-10-25 A fix for CA 1.3 is available in 1.3.7.8.
2018-08-07 A fix for CA 1.3 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-06-26 A fix for SSLV 4.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is not vulnerable.  PacketShaper S-Series 11.10 is not vulnerable.  Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1.
2018-04-12 A fix for Reporter 10.1 is available in 10.1.5.5.
2018-01-31 A fix for ASG 6.7 is avaialble in 6.7.3.1.
2017-12-13 A fix for PS S-Series 11.6 is available in 11.6.4.2.
2017-12-12 A fix for PC S-Series 1.1 is available in 1.1.4.2.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 4.2 is not vulnerable because a fix is available in 4.2.1.1.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1.  A fix for MC 1.10 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CAS 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 is vulnerable.
2017-06-22 Security Analytics 7.3 is vulnerable.2017-07-23 MC 1.10 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack.  A fix for MC 1.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-06-26 A fix for ASG 6.6 is available in 6.6.5.10.
2017-06-22 Security Analytics 7.3 is vulnerable.
2017-06-05 PS S-Series 11.8 has a vulnerable version of NSS.
2017-05-25 initial public release