SA154: Apache httpd Vulnerabilities June 2017

CAS-S200

4 more products

1410

13 July 2021

20 July 2017

CLOSED

High

CVSS v2: 7.5

SUMMARY

Symantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities.  A remote attacker, with access to the management interface, can cause denial of service through application crashes or bypass required authentication.

AFFECTED PRODUCTS

The following products are vulnerable:

Content Analysis (CA)
CVE Affected Version(s) Remediation
CVE-2017-3169
CVE-2017-7679
2.3 and later Not vulnerable, fixed in 2.3.1.1
2.2 Upgrade to later release with fixes.
1.3, 2.1 Not vulnerable

 

Director
CVE Affected Version(s) Remediation
CVE-2017-3167, CVE-2017-3169
CVE-2017-7679
6.1 Upgrade to a version of MC with the fixes.

 

Malware Analysis (MA)
CVE Affected Version(s) Remediation
CVE-2017-3167, CVE-2017-3169
CVE-2017-7668, CVE-2017-7679
4.2 Upgrade to 4.2.12.

 

Security Analytics
CVE Affected Version(s) Remediation
CVE-2017-3167, CVE-2017-3169
CVE-2017-7679
8.0 and later Not vulnerable, fixed in 8.0.1.
7.3 Upgrade to 7.3.2.
7.2 Upgrade to 7.2.5.
7.1 Upgrade to later release with fixes.


ADDITIONAL PRODUCT INFORMATION

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA

Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application

IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series

ProxyAV
ProxyAV ConLog and ConLogXP

ProxyClient
ProxySG
Reporter
SSL Visibility

Unified Agent
Web Isolation
WSS Agent
X-Series XOS

ISSUES

CVE-2017-3167
Severity / CVSSv2 High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 99135 / NVD: CVE-2017-3167
Impact Authentication bypass
Description A flaw in third-party Apache httpd modules allows a remote attacker to bypass required authentication.

 

CVE-2017-3169
Severity / CVSSv2 High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 99134 / NVD: CVE-2017-3169
Impact Denial of service
Description A flaw in third-party Apache httpd modules allows a remote attacker to send HTTP requests to an HTTPS port and cause denial of service through application crashes.

 

CVE-2017-7659
Severity / CVSSv2 Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References SecurityFocus: BID 99132 / NVD: CVE-2017-7659
Impact Denial of service
Description A flaw in HTTP/2 request parsing allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through application crashes.

 

CVE-2017-7668
Severity / CVSSv2 High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 99137 / NVD: CVE-2017-7668
Impact Denial of service
Description A buffer overread flaw in HTTP request parsing allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes or have unspecified other impact.

 

CVE-2017-7679
Severity / CVSSv2 High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 99170 / NVD: CVE-2017-7679
Impact Denial of service
Description A buffer overread flaw in HTTP response generation allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes.


MITIGATION

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products.  Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

By default, Director and MA do not use HTTP Basic Access Authentication in Apache httpd.  Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-3167.

REFERENCES

Apache httpd 2.2 vulnerabilities - https://httpd.apache.org/security/vulnerabilities_22.html
Apache httpd 2.4 vulnerabilities - https://httpd.apache.org/security/vulnerabilities_24.html

REVISION

2021-05-19 A fix for Security Analytics 7.2 is available in 7.2.5. WSS Agent is not vulnerable. Moving Advisory Status to Closed.
2020-11-18 A fix for Director 6.1 will not be provided.  Please upgrade to a version of MC with the vulnerability fixes. 
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for Security Analytics 7.3 is available in 7.3.2.  Fixes will not be provided for Security Analytics 7.1 and CA 2.2.  Please upgrade to a later release with the vulnerabilities fixes.  IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.4.  Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2018-07-23 A fix for MA is available in 4.2.12.
2018-04-22 Previously it was reported that Content Analysis is not vulnerable.  Further investigation indicates that CA 2.2 is vulnerable to CVE-2017-3169 and CVE-2017-7679.  CA 2.3 is not vulnerable because a fix is available in 2.3.1.1.
2017-08-30 Added remaining CVSS v2 scores.
2017-07-20 initial public release