OpenSSL Vulnerabilities Sep 2020 - Feb 2021
Summary
Symantec Network and Information Security (NIS) products that ship affected versions of OpenSSL may be susceptible to multiple vulnerabilities. Depending on the CVE, a remote attacker may be able to decrypt traffic from an SSL/TLS connection, downgrade a newly established SSL/TLS connection to SSLv2, or cause a denial of service by crashing the application.
Affected Product(s)
The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.
Advanced Secure Gateway (ASG)
CVE | Supported Version(s) | Remediation
CVE-2020-1971 | 6.7 | Upgrade to 6.7.5.9.
CVE-2020-1971 | 7.2 | Upgrade to 7.2.5.1.
CVE-2020-1971 | 7.3 | Upgrade to 7.3.2.1.
CVE-2021-23840, CVE-2021-23841 | 6.7, 7.2, 7.3 | Remediation is not available at this time.
BCAAA
CVE | Supported Version(s) | Remediation
All CVEs | 6.1 (only when a Novell SSO realm is used) | A fix will not be provided. The vulnerable OpenSSL library is part of the Novell SSO SDK, and an updated Novell SSO SDK is no longer available. Please contact Novell for more information.
Content Analysis (CA)
CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 2.4, 3.0 | Remediation is not available at this time.
CVE-2021-23840, CVE-2021-23841 | 3.1 | Upgrade to 3.1.4.0.
Integrated Secure Gateway (ISG)
CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 2.1, 2.2, 2.3 | A fix will not be provided. Upgrade to a later release with the fixes.
CVE-2021-23840, CVE-2021-23841 | 2.4 | Not vulnerable; fixed in 2.4.1.1.
Management Center (MC)
CVE | Supported Version(s) | Remediation
CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 3.0, 3.1 | A fix will not be provided. Upgrade to a later release with the fixes.
CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 3.2 | Remediation is not available at this time.
CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 3.3 | Not vulnerable; fixed in 3.3.1.1.
PacketShaper (PS) S-Series
CVE | Supported Version(s) | Remediation
CVE-2020-1968, CVE-2021-23841 | 11.10 | Remediation is not available at this time.
PolicyCenter (PC) S-Series
CVE | Supported Version(s) | Remediation
CVE-2020-1968, CVE-2021-23841 | 1.1 | Remediation is not available at this time.
ProxySG
CVE | Supported Version(s) | Remediation
CVE-2020-1971 | 6.7 | Upgrade to 6.7.5.9.
CVE-2020-1971 | 7.2 | Upgrade to 7.2.5.1.
CVE-2020-1971 | 7.3 | Upgrade to 7.3.2.1.
CVE-2021-23840 | 6.7 | Upgrade to 6.7.5.14.
CVE-2021-23840 | 7.2 | A fix will not be provided. Upgrade to a later release with the fixes.
CVE-2021-23840 | 7.3 | Upgrade to 7.3.4.1.
Reporter
CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 10.5, 10.6 | A fix will not be provided. Upgrade to a later release with the fixes.
CVE-2021-23840, CVE-2021-23841 | 11.0 | Not vulnerable; fixed in 11.0.1.1.
Security Analytics (SA)
CVE | Supported Version(s) | Remediation
CVE-2020-1968, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 7.2 | A fix will not be provided. Upgrade to a later release with the fixes.
CVE-2020-1968, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 8.1 | Remediation is not available at this time.
CVE-2020-1968, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 8.2 | Upgrade to 8.2.4.
SSL Visibility (SSLV)
CVE | Supported Version(s) | Remediation
CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 4.5 | Upgrade to 4.5.6.1.
CVE-2020-1971, CVE-2021-23840, CVE-2021-23841 | 5.2 | Not vulnerable; fixed in 5.2.1.1.
Symantec Messaging Gateway (SMG)
CVE | Supported Version(s) | Remediation
CVE-2020-1968, CVE-2021-23840, CVE-2021-23841 | 10.7 | Remediation is not available at this time.
Unified Agent (UA)
CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 4.10 | A fix will not be provided. Upgrade to a version of WSS Agent with the fixes.
Web Isolation (WI)
CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 1.14, 1.15 | Remediation is not available at this time.
WSS Agent
CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 7.2 | A fix will not be provided. Upgrade to a later release with the fixes.
CVE-2021-23840, CVE-2021-23841 | 7.3 | Not vulnerable; fixed in 7.3.1.
WSS Mobile Agent
CVE | Supported Version(s) | Remediation
CVE-2021-23840, CVE-2021-23841 | 2.0 | A fix will not be provided. Please switch to a version of SEP Mobile with the fixes.
Additional Product Information
The following products are not vulnerable:
AuthConnector
General Auth Connector Login Application
HSM Agent
Issue Details
CVE-2020-1968
Severity / CVSS v3.1: Low / 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2020-1968
Impact: Information disclosure
Description: A timing side channel in Diffie-Hellman (DH) cipher suite handling (the "Raccoon" attack) allows a remote attacker who can observe many TLS connections in which the server reuses the same DH private key to compute the pre-master secret of a target connection and decrypt all traffic sent over it.
CVE-2020-1971
Severity / CVSS v3.1: Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2020-1971
Impact: Denial of service
Description: A flaw in X.509 GENERAL_NAME comparison (EDIPARTYNAME handling in GENERAL_NAME_cmp) allows a remote attacker who controls both values being compared, for example a certificate and a CRL, to trigger a NULL pointer dereference and cause a denial of service through an application crash.
CVE-2021-23839
Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
References: NVD: CVE-2021-23839
Impact: Protocol downgrade
Description: A version rollback vulnerability in SSLv2 rollback protection (OpenSSL 1.0.2 servers only) allows a remote man-in-the-middle attacker to downgrade a newly established SSL/TLS connection to SSLv2.
CVE-2021-23840
Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2021-23840
Impact: Denial of service
Description: An integer overflow in the output length computed by EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate when the input length is close to the platform's maximum int value allows an attacker to cause incorrect program behavior or a denial of service through an application crash.
CVE-2021-23841
Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2021-23841
Impact: Denial of service
Description: A missing input validation check in X509_issuer_and_serial_hash() allows an attacker who supplies a certificate with a malformed issuer field to trigger a NULL pointer dereference and cause a denial of service through an application crash.
Mitigations
CVE-2020-1968 is exploitable in CA, Security Analytics, and SMG only when customers enable cipher suites that use static DH key exchange for SSL/TLS server connections. Cipher suites using ephemeral DH key exchange are not affected by this CVE, provide forward secrecy, and should be used instead. Static DH cipher suites have names that start with "DH-" (OpenSSL naming) or "TLS_DH_" (IANA naming), but not "TLS_DH_anon_". Ephemeral DH cipher suites have names that start with "DHE-" or "TLS_DHE_".
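The naming rule above can be turned into a check that an operator runs over the cipher list a device, an `openssl ciphers` invocation, or a scanner reports. The following Python is an added example, not code from Symantec or from the OpenSSL project; it applies the rule from this advisory and, beyond the page, also treats OpenSSL's "ADH-" prefix as anonymous DH (not static DH), which matches how OpenSSL names those suites. The sample cipher list is constructed.

```python
"""Classify TLS cipher suites by DH key-exchange type for CVE-2020-1968 triage.

Rule from the advisory: static DH suites start with "DH-" (OpenSSL names) or
"TLS_DH_" (IANA names) but not "TLS_DH_anon_"; ephemeral DH suites start with
"DHE-" or "TLS_DHE_".  Added here: "ADH-" is OpenSSL's anonymous-DH prefix.
Hypothetical helper, not Symantec or OpenSSL code.
"""
import re
from typing import List, Optional

# Accept a colon-separated list (as `openssl ciphers` prints), or names
# separated by commas, spaces or newlines (as many scanners print them).
_SPLIT = re.compile(r"[:,\s]+")


def dh_kind(name: str) -> Optional[str]:
    """Return 'static', 'ephemeral', 'anon', or None for one suite name."""
    n = name.strip()
    # Check the ephemeral prefixes first: "DHE-" would otherwise never
    # collide with "DH-", but "TLS_DHE_" must not be read as "TLS_DH_".
    if n.startswith(("DHE-", "TLS_DHE_")):
        return "ephemeral"
    if n.startswith(("TLS_DH_anon_", "ADH-")):
        return "anon"          # anonymous DH: not static DH per the advisory
    if n.startswith(("DH-", "TLS_DH_")):
        return "static"        # the suites CVE-2020-1968 applies to
    return None                # RSA, ECDHE, ECDH, etc.


def split_suites(text: str) -> List[str]:
    """Split a cipher list in any of the accepted separators into names."""
    return [s for s in _SPLIT.split(text) if s]


def static_dh_suites(text: str) -> List[str]:
    """Suites that must be disabled to remove exposure to CVE-2020-1968."""
    return [s for s in split_suites(text) if dh_kind(s) == "static"]


def raccoon_exposed(text: str) -> bool:
    """True if the configured list still enables any static DH suite."""
    return bool(static_dh_suites(text))


# Constructed sample: an OpenSSL-style colon list on the first line, followed
# by IANA-style names as a scanner might report them.
SAMPLE = (
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "DH-RSA-AES256-GCM-SHA384:DH-DSS-AES128-SHA:ADH-AES128-SHA:AES128-SHA\n"
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA "
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
)

if __name__ == "__main__":
    for suite in split_suites(SAMPLE):
        print(f"{suite:45} {dh_kind(suite) or '-'}")
    print("static DH suites to disable:", static_dh_suites(SAMPLE))
    print("exposed to CVE-2020-1968:", raccoon_exposed(SAMPLE))
```

Feed the script the output of `openssl ciphers 'ALL'` from the appliance's OpenSSL build, or the cipher list your scanner reports for the server; any name it flags as `static` must go, and the `ephemeral` ones can stay. Note that the rule is purely name-based, so it does not see suites that a product exposes under a non-standard label.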
CVE-2020-1971 is exploitable in ASG, MC, ProxySG, Security Analytics, and SSLV only when an authenticated administrator installs a malicious certificate revocation list (CRL) and configures the product to communicate with a malicious SSL/TLS server, since the attacker must control both X.509 names being compared. Symantec recommends using trusted SSL/TLS servers and CRLs from trusted certificate authorities.
References
- OpenSSL Security Advisory [09 September 2020] - https://www.openssl.org/news/secadv/20200909.txt
- OpenSSL Security Advisory [08 December 2020] - https://www.openssl.org/news/secadv/20201208.txt
- OpenSSL Security Advisory [16 February 2021] - https://www.openssl.org/news/secadv/20210216.txt
Revisions
2022-06-09 ISG 2.4 is not vulnerable because a fix is available in 2.4.1.1. Fixes for ISG 2.1, ISG 2.2, ISG 2.3, MC 3.1, ProxySG 7.2, and Reporter 10.6 will not be provided. Please upgrade to later versions with the vulnerability fixes.
2022-03-03 A fix for Content Analysis 3.1 is available in 3.1.4.0.
2022-02-16 MC 3.3 is not vulnerable because a fix is available in 3.3.1.1. A fix for Reporter 10.5 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2022-02-09 Reporter 11.0 is not vulnerable because a fix is available in 11.0.1.1.
2021-09-28 A fix for CVE-2021-23840 in ProxySG 6.7 is available in 6.7.5.14.
2021-09-20 A fix for Security Analytics 8.2 is available in 8.2.4.
2021-08-27 A fix for CVE-2021-23840 in ProxySG 7.3 is available in 7.3.4.1.
2021-08-12 MC 3.2 is vulnerable to CVE-2020-1971, CVE-2021-23840, and CVE-2021-23841.
2021-07-26 WI 1.14 and 1.15 are vulnerable to CVE-2021-23840 and CVE-2021-23841.
2021-07-19 A fix for WSS Mobile Agent 2.0 will not be provided. Please switch to a version of SEP Mobile with the vulnerability fixes.
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-07-02 A fix for SSLV 4.5 is available in 4.5.6.1.
2021-06-07 SSLV 5.2 is not vulnerable because a fix is available in 5.2.1.1.
2021-06-01 A fix for MC 3.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-05-11 PacketShaper (PS) S-Series 11.10 and PolicyCenter (PC) S-Series 1.1 are vulnerable to CVE-2020-1968 and CVE-2021-23841.
2021-05-03 ISG 2.1, 2.2, and 2.3 are vulnerable to CVE-2021-23840 and CVE-2021-23841.
2021-04-01 WSS Agent 7.3 is not vulnerable because a fix is available in 7.3.1. A fix for WSS Agent 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Unified Agent 4.10 will not be provided. Please upgrade to a version of WSS Agent with the vulnerability fixes.
2021-03-09 Initial public release.