OpenSSL Vulnerabilities 16-Apr-2018 and 12-Jun-2018
SUMMARY
Symantec Network Protection products using affected versions of OpenSSL are susceptible to several vulnerabilities. A malicious SSL/TLS server can send large DH parameters during connections using DH/DHE cipher suites and cause denial-of-service in the SSL/TLS client. A local attacker can perform cache timing attacks against an application generating an RSA key and obtain the generated private key.
AFFECTED PRODUCTS
The following products are vulnerable:
| Advanced Secure Gateway (ASG) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 6.6, 7.1 | Upgrade to later release with fixes. |
| 6.7, 7.2, 7.3 | Not available at this time | |
| BCAAA | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 6.1 (only when Novell SSO realm is used) | Not available at this time |
| CacheFlow | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 3.4 | A fix will not be provided. Please switch to a version ProxySG MACH5 Edition with fixes. |
| Content Analysis (CA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 1.3, 2.1, 2.2, 2.3 | Upgrade to later version with fixes. |
| 2.4, 3.0 | Not available at this time | |
| 3.1 | Not vulnerable, fixed in 3.1.0.0. | |
| Director | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732, CVE-2018-0737 | 6.1 | Upgrade to a version of MC with the fixes. |
| IntelligenceCenter (IC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 3.3 | Upgrade to a version of NetDialog NetX with fixes. |
| IntelligenceCenter Data Collector (DC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 3.3 | Upgrade to a version of NetDialog NetX with fixes. |
| Mail Threat Defense (MTD) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 3.3 | Upgrade to a version of CAS and SMG with the fixes. |
| Malware Appliance (MA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732, CVE-2018-0737 | 4.2 | Upgrade to a version of CA with fixes. |
| Management Center (MC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 2.4 and earlier | Upgrade to later version with fixes. |
| 3.0 | Not vulnerable, fixed in 3.0.1.1 | |
| PacketShaper (PS) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 9.2 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper. Switch to a version of SSG with the vulnerability fixes. |
| PacketShaper (PS) S-Series | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 11.6, 11.9, 11.10 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PS S-Series. Switch to a version of SSG with the vulnerability fixes. |
| PolicyCenter (PC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 9.2 | A fix will not be provided. Allot NetXplorer is a replacement product for PolicyCenter. Switch to a version of NetXplorer with the vulnerability fixes. |
| PolicyCenter (PC) S-Series | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 1.1 | A fix will not be provided. Allot NetXplorer is a replacement product for PC S-Series. Switch to a version of NetXplorer with the vulnerability fixes. |
| ProxyAV | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 3.5 | Upgrade to a version of CA with fixes. |
| ProxySG | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 6.5, 6.6 | Upgrade to later release with fixes. |
| 6.7 | Upgrade to 6.7.4.141. | |
| 7.1 and later | Not vulnerable, fixed in 7.1.1.1. | |
| Reporter | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 9.5, 10.1, 10.2, 10.3, 10.4 | Upgrade to later release with fixes. |
| 10.5 | Not vulnerable, fixed in 10.5.1.1 | |
| CVE-2018-0737 | 9.5 | Upgrade to later release with fixes. |
| Security Analytics (SA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732, CVE-2018-0737 | 7.1, 7.2, 7.3, 8.0 | Upgrade to later version with fixes. |
| 8.1, 8.2 | Not available at this time | |
| SSL Visibility (SSLV) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 3.10 | Upgrade to later release with fixes. |
| 3.12 | Upgrade to later release with fixes. | |
| 4.2, 4.3 | Upgrade to later release with fixes. | |
| 4.4 and later | Not vulnerable, fixed in 4.4.1.1 | |
| Unified Agent (UA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 4.10 | Upgrade to a version of WSS Agent with fixes. |
| WSS Mobile Agent | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732 | 2.0 | A fix will not be provided. Please switch to a version of SEP Mobile with fixes. |
| X-Series XOS | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-0732, CVE-2018-0737 | 10.0, 11.0 | A fix will not be provided. |
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable:
AuthConnector
Auth Connector Login Application
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM on Demand
Cloud Data Protection Communication Server
Cloud Data Protection Integration Server
HSM Agent for the Luna SP
ProxyAV ConLog and ConLogXP
Web Isolation
WSS Agent
ISSUES
| CVE-2018-0732 | |
|---|---|
| Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| References | SecurityFocus: BID 104442 / NVD: CVE-2018-0732 |
| Impact | Denial of service |
| Description | A flaw in the SSL client implementation allows malicious servers to send large DH parameters during connections using DH(E) cipher suites and cause denial of service. |
| CVE-2018-0737 | |
|---|---|
| Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |
| References | SecurityFocus: BID 103766 / NVD: CVE-2018-0737 |
| Impact | Information disclosure |
| Description | A cache timing side channel flaw in RSA key generation allows local attackers to mount cache timing attacks during RSA key generation and recover the generated private key. |
MITIGATION
CVE-2018-0732 can be mitigated in ProxySG by disabling all DH and DHE cipher suites for all SSL device profiles.
REFERENCES
OpenSSL Security Advisory [16-Apr-2018] - https://www.openssl.org/news/secadv/20180416.txt
OpenSSL Security Advisory [12-Jun-2018] - https://www.openssl.org/news/secadv/20180612.txt
REVISION
2021-08-27 Unified Agent is not vulnerable.
2021-08-18 WSS Agent is not vulnerable.
2021-07-19 A fix for WSS Mobile Agent 2.0 will not be provided. Please switch to a version of SEP Mobile with the vulnerability fixes.
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-04-01 A fix for Unified Agent 4.10 will not be provided. Please upgrade to a version of WSS Agent with the vulnerability fixes.
2021-02-18 A fix for CA 2.3 and MC 2.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-09 A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-19 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is not vulnerable because a fix is available in 3.1.0.0.
2020-08-19 MC 3.0 is not vulnerable because a fix is available in 3.0.1.1. A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-06-01 A fix will not be provided for CacheFlow. Please switch to a version of ProxySG MACH5 Edition with the vulnerability fixes.
2020-04-30 A fix will not be provided for ProxySG 6.5. Please upgrade to a later version with the vulnerability fixes. ProxySG 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Advanced Secure Gateway (ASG) 7.1 and 7.2 are vulnerable to CVE-2018-0732.
2020-04-08 Content Analysis 2.4 and 3.0 are vulnerable to CVE-2018-0732. Security Analytics 8.1 is vulnerable to CVE-2018-0732 and CVE-2018-0737. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Fixes will not be provided for Management Center 2.2 and Reporter 10.3. Please upgrade to later versions with the vulnerability fixes.
2020-04-04 A fix for PacketShaper S-Series will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes. A fix for PolicyCenter S-Series will not be provided. Allot NetXplorer is a replacement product for PolicyCenter S-Series. Switch to a version of NetXplorer with the vulnerability fixes.
2020-01-19 A fix for Malware Analysis will not be provided. Please upgrade to a version of Content Analysis with the vulnerability fixes.
2020-01-15 A fix for ProxyAV will not be provided. Please upgrade to a version of Content Analysis with the vulnerability fixes.
2019-10-10 A fix for PacketShaper 9.2 will not be provided. Please upgrade to a version of PacketShaper S-Series with the vulnerability fixes. A fix for PolicyCenter 9.2 will not be provided. Please upgrade to a version of PolicyCenter S-Series with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-30 Reporter 10.4 is vulnerable to CVE-2018-0732.
2019-08-22 A fix for IntelligenceCenter (IC) 3.3 and IntelligenceCenter Data Collector (DC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-08-12 MC 2.2 and MC 2.3 are vulnerable to CVE-2018-0732. A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-07 A fix for ASG 6.6 and ProxySG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-05 A fix for Reporter 9.5 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-05 A fix for SSLV 4.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-06-25 ASG 6.7 is vulnerable to CVE-2018-0732.
2019-02-27 Added mitigation for CVE-2018-0732 in ProxySG.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 Security Analytics 8.0 is vulnerable to all CVEs.
2019-01-14 MC 2.1 and Reporter 10.3 are vulnerable to CVE-2018-0732. A fix for MC 1.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-10-10 initial public release