SA153: NSS Vulnerabilities Apr-May 2017
SUMMARY
Symantec Network Protection products using affected versions of NSS are susceptible to two security vulnerabilities. A remote attacker can send empty SSLv2 messages and cause denial of service through application crashes. An attacker can also have unspecified impact by exploiting a computational flaw in the NSS DRBG implementation that may reduce the entropy of DRBG generated random data.
AFFECTED PRODUCTS
The following products are vulnerable:
| Director | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7502 | 6.1 | Upgrade to a version of MC with the fixes. |
| Security Analytics | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7502 | 8.0 and later | Not vulnerable, fixed in 8.0.1. |
| 7.3 | Upgrade to 7.3.2. | |
| 7.2, 7.1 | Upgrade to later release with fixes. | |
The following products have a vulnerable version of NSS, but are not vulnerable to known vectors of attack:
| Advanced Secure Gateway (ASG) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7502 | 7.1 and later | Not vulnerable, fixed in 7.1.1.1. |
| 6.7 | Upgrade to 6.7.3.1. | |
| 6.6 | Upgrade to later release with fixes. | |
| Content Analysis (CA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7502 | 2.2 and later | Not vulnerable, fixed in 2.2.1.1 |
| 2.1 | Upgrade to later release with fixes. | |
| 1.3 | Upgrade to later release with fixes. | |
| Mail Threat Defense (MTD) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7502 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. |
| Management Center (MC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7502 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1 |
| 1.10 | Upgrade to later release with fixes. | |
| PacketShaper (PS) S-Series | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7502 | 11.9 and later | Not vulnerable, fixed in 11.9.1.1 |
| 11.8 | Upgrade to later release with fixes. | |
| 11.7 | Upgrade to later release with fixes. | |
| 11.6 | Upgrade to 11.6.4.2. | |
| 11.5 | Upgrade to later release with fixes. | |
| PolicyCenter (PC) S-Series | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7502 | 1.1 | Upgrade to 1.1.4.2. |
| Reporter | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7502 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 |
| 10.1 | Upgrade to 10.1.5.5. | |
| 9.5 | Not vulnerable | |
| SSL Visibility (SSLV) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7502 | 4.2 and later | Not vulnerable, fixed in 4.2.1.1 |
| 4.1 | Upgrade to later release with fixes. | |
| 4.0 | Upgrade to later release with fixes. | |
| 3.x | Not vulnerable | |
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis
Norman Shark Industrial Control System Protection
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Unified Agent
Web Isolation
The following products are under investigation:
X-Series XOS
ISSUES
| CVE-2017-5462 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) |
| References | SecurityFocus: BID 97940 / Red Hat: CVE-2017-5462 |
| Impact | Unspecified |
| Description | A computational flaw in the DRBG implementation may affect the entropy of DRBG generated random data. An attacker can exploit this vulnerability to have unspecified impact. |
| CVE-2017-7502 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 98744 / NVD: CVE-2017-7502 |
| Impact | Denial of service |
| Description | A NULL pointer dereference flaw in the SSL server implementation allows a remote attacker to send empty SSLv2 messages and cause the SSL server application using NSS to crash. |
MITIGATION
By default, Director and Security Analytics do not use NSS as an SSL/TLS server. Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-7502.
Symantec's ProxySG appliance can be used to protect SSL/TLS servers against attacks using CVE-2017-7502. Customers using ProxySG as a forward or reverse proxy can block SSLv2 connections using the following CPL syntax:
<SSL> client.connection.negotiated_ssl_version=SSLV2 deny <SSL> server.connection.negotiated_ssl_version=SSLV2 deny
REFERENCES
MFSA 2017-10 (CVE-2017-5462) - https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/
REVISION
2021-07-13 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. Moving Advisory Status to Closed.
2020-11-18 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-17 Advanced Secure Gateway (ASG) 7.1 and later releases are not vulnerable because a fix is available in 7.1.1.1.
2019-10-02 Web Isolation is not vulnerable.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.2. Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. Added remaining CVSS v2 scores from NVD.
2018-08-13 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-06-26 A fix for CVE-2017-7502 in SSLV 4.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is not vulnerable. PacketShaper S-Series 11.10 is not vulnerable. Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1.
2018-04-12 A fix for Reporter 10.1 is available in 10.1.5.5.
2018-01-31 A fix for ASG 6.7 is avaialble in 6.7.3.1.
2017-12-13 A fix for PS S-Series 11.6 is available in 11.6.4.2.
2017-12-12 A fix for PC S-Series 1.1 is available in 1.1.4.2.
2017-11-15 SSLV 4.2 is not vulnerable because a fix is available in 4.2.1.1.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CA 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack.
2017-07-25 PS S-Series 11.9 is not vulnerable because a fix is available in 11.9.1.1.
2017-07-13 initial public release