SA166: OpenSSL Vulnerabilities 27-Mar-2018
SUMMARY
Symantec Network Protection products using affected versions of OpenSSL are susceptible to several vulnerabilities. A remote attacker can forge cryptographic messages and cause denial of service through application crashes.
AFFECTED PRODUCTS
The following products are vulnerable:
| Advanced Secure Gateway (ASG) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 6.7, 7.2, 7.3 | Not available at this time |
| 6.6, 7.1 | Upgrade to later release with fixes. | |
| CacheFlow | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 3.4 | Upgrade to 3.4.2.9. |
| Content Analysis (CA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 3.1 | Not vulnerable, fixed in 3.1.0.0 |
| 3.0 | Not available at this time | |
| 2.4 | Not vulnerable, fixed in 2.4.1.1 | |
| 2.3 | Upgrade to 2.3.5.1. | |
| 2.1, 2.2 | Upgrade to later version with fixes. | |
| Director | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 6.1 | Upgrade to a version of MC with the fixes. |
| IntelligenceCenter (IC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 3.3 | Upgrade to a version of NetDialog NetX with fixes |
| IntelligenceCenter Data Collector | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 3.3 | Upgrade to a version of NetDialog NetX with fixes. |
| Mail Threat Defense (MTD) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. |
| Malware Analysis (MA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 4.2 | Upgrade to 4.2.12. |
| Management Center (MC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 3.0 and later | Not vulnerable, fixed in 3.0.1.1 |
| 2.4 and earlier | Upgrade to a later version with fixes. | |
| PacketShaper (PS) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 9.2 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper. Switch to a version of SSG with the vulnerability fixes. |
| PolicyCenter (PC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 9.2 | A fix will not be provided. Allot NetXplorer is a replacement product for PolicyCenter. Switch to a version of NetXplorer with the vulnerability fixes. |
| ProxyAV | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 3.5 | Upgrade to a version of CA with fixes. |
| ProxySG | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 7.1 and later | Not vulnerable, fixed in 7.1.1.1 |
| 6.7 | Upgrade to 6.7.4.4 | |
| 6.6 | Upgrade to later release with fixes. | |
| 6.5 | Upgrade to 6.5.10.15. | |
| Reporter | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 10.5 | Not vulnerable, fixed in 10.5.1.1 |
| 9.5, 10.1, 10.2, 10.3, 10.4 | Upgrade to later release with fixes. | |
| Security Analytics | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 8.2 | Not vulnerable, fixed in 8.2.1 |
| 8.1 | Not available at this time | |
| 7.1, 7.2, 7.3, 8.0 | Upgrade to later version with fixes. | |
| SSL Visibility (SSLV) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 4.3, 4.4, 4.5, 5.0 | Not vulnerable, fixed in 4.3.1.1 |
| 4.2 | Upgrade to later version with fixes. | |
| 3.12 | Fixed in 3.12.3.1 | |
| 3.10 | Upgrade to later version with fixes. | |
| 3.8.4FC | Upgrade to later version with fixes. | |
| X-Series XOS | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 10.0, 11.0 | A fix will not be provided. |
The following products have a vulnerable version of OpenSSL, but are not vulnerable to known vectors of attack:
| BCAAA | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 6.1 (only when Novell SSO realm is used) | A fix will not be provided. The vulnerable OpenSSL library is in the Novell SSO SDK and an updated Novell SSO SDK is no longer available. Please contact Novell for more information. |
| Client Connector | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 1.6 | Upgrade to latest release of Unified Agent with fixes. |
| PacketShaper (PS) S-Series | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 11.6, 11.9, 11.10 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PS S-Series. Switch to a version of SSG with the vulnerability fixes. |
| PolicyCenter (PC) S-Series | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 1.1 | A fix will not be provided. Allot NetXplorer is a replacement product for PC S-Series. Switch to a version of NetXplorer with the vulnerability fixes. |
| ProxyClient | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 3.4 | Upgrade to latest release of Unified Agent with fixes. |
| Unified Agent (UA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 4.10 | Not vulnerable, fixed in 4.10.1. |
| 4.6, 4.7, 4.8, 4.9 | Upgrade to later release with fixes. | |
| WSS Mobile Agent | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0739 | 2.0 | A fix will not be provided. Please switch to a version of SEP Mobile with fixes. |
ADDITIONAL PRODUCT INFORMATION
Symantec Network Protection products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Symantec urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.
Some Symantec Network Protection products do not enable or use all functionality within OpenSSL. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.
- BCAAA: CVE-2018-0739
- Client Connector: CVE-2018-0739
- PS S-Series: CVE-2018-0739
- PC S-Series: CVE-2018-0739
- ProxyClient: CVE-2018-0739
- UA: CVE-2018-0739
- WSS Mobile Agent: CVE-2018-0739
The following products are not vulnerable:
AuthConnector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
HSM Agent for the Luna SP
K9
ProxyAV ConLog and ConLogXP
Unified Agent
Web Isolation
WSS Agent
The following products are under investigation:
Norman Shark Industrial Control System Protection
ISSUES
| CVE-2018-0733 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| References | SecurityFocus: BID 103517 / NVD: CVE-2018-0733 |
| Impact | Message forgery |
| Description | A computational flaw in the PA-RISC cryptographic functionality allows attackers to forge cryptographic messages via unspecified vectors. |
| CVE-2018-0739 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 103518 / NVD: CVE-2018-0739 |
| Impact | Denial of service |
| Description | A flaw in the ASN.1 module allows remote attackers to send crafted ASN.1 data and cause denial of service through stack exhaustion. |
MITIGATION
CVE-2018-0739 can be remediated in SSLV by converting certificates and CRLs from PKCS#7 to a different format before importing them.
REFERENCES
OpenSSL Security Advisory [27 Mar 2018] - https://www.openssl.org/news/secadv/20180327.txt
REVISION
2021-08-27 Unified Agent is not vulnerable.
2021-08-18 WSS Agent is not vulnerable. A fix for WSS Mobile Agent 2.0 will not be provided. Please switch to a version of SEP Mobile with the vulnerability fixes.
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-03-30 SSLV 4.5 and 5.0 are not vulnerable because a fix is available since SSLV 4.3.1.1.
2021-02-17 A fix for MC 2.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-10 A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-09 SA 8.2 is not vulnerable because a fix is available in 8.2.1.
2020-11-18 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is not vulnerable because a fix is available in 3.1.0.0.
2020-08-19 MC 3.0 is not vulnerable because a fix is available in 3.0.1.1. A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-04-17 Advanced Secure Gateway (ASG) 6.7, 7.1, and 7.2 are vulnerable to CVE-2018-0739. A fix for Content Analysis 2.3 is available in 2.3.5.1. CA 2.4 is not vulnerable because a fix is available in 2.4.1.1. CA 3.0 is vulnerable to CVE-2018-0739. Management Center (MC) 2.3 and 2.4 are vulnerable to CVE-2018-0739. ProxySG 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Reporter 10.4 is vulnerable to CVE-2018-0739. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Security Analytics (SA) 8.1 is vulnerable to CVE-2018-0739. SSL Visibility (SSLV) 4.5 and 5.0 are vulnerable to CVE-2018-0739. Fixes will not be provided for MC 2.2, Reporter 10.3, and SSLV 4.4. Please upgrade to later versions with the vulnerability fixes.
2020-04-04 A fix for PacketShaper S-Series will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes. A fix for PolicyCenter S-Series will not be provided. Allot NetXplorer is a replacement product for PolicyCenter S-Series. Switch to a version of NetXplorer with the vulnerability fixes.
2020-01-15 A fix for ProxyAV will not be provided. Please upgrade to a version of CA with the vulnerability fixes.
2019-10-10 A fix for PacketShaper 9.2 will not be provided. Please upgrade to a version of PacketShaper S-Series with the vulnerability fixes. A fix for PolicyCenter 9.2 will not be provided. Please upgrade to a version of PolicyCenter S-Series with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-22 A fix for IntelligenceCenter (IC) 3.3 and IntelligenceCenter Data Collector (DC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-08-12 MC 2.2 and MC 2.3 are vulnerable to CVE-2018-0739. A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-09 A fix for ProxySG 6.5 is available in 6.5.10.15.
2019-08-07 A fix for ASG 6.6 and ProxySG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 9.5, 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-05-28 A fix for ProxySG 6.7 is available in 6.7.4.4.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 Security Analytics 8.0 is vulnerable to CVE-2018-0739.
2019-01-18 A fix for SSLV 3.8.4FC and 4.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-14 MC 2.1 and Reporter 10.3 are vulnerable to CVE-2018-0739. A fix for MC 1.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-16 A fix for SSLV 3.12 is available in 3.12.3.1.
2018-07-27 UA 4.10 is not vulnerable because a fix is available in 4.10.1. A fix for MA 4.2 is available in 4.2.12.
2018-07-26 A fix for CacheFlow is available in 3.4.2.9. MC 2.0 is vulnerable to CVE-2018-0739.
2018-07-01 A fix for SSLV 4.3 is available in 4.3.1.1.
2018-05-22 initial public release