OpenSSL Vulnerabilities Oct 2018 - Jul 2019
SUMMARY
Symantec Network Protection products using affected versions of OpenSSL are susceptible to multiple vulnerabilities. An attacker can recover DSA, ECDH, and ECDSA private keys through timing side-channel attacks. A remote attacker can also decrypt encrypted ciphertext and modify OpenSSL configuration and executable engine modules.
AFFECTED PRODUCTS
| BCAAA | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-0734, CVE-2019-1552, CVE-2019-1559 |
6.1 (only when Novell SSO realm is used) | A fix will not be provided. The vulnerable OpenSSL library is in the Novell SSO SDK and an updated Novell SSO SDK is no longer available. Please contact Novell for more information. |
| Content Analysis (CA) | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-0735, CVE-2018-5407 | 2.3 | Upgrade to a later version with fixes. |
| 2.4, 3.0 | Not available at this time | |
| 3.1 | Not vulnerable, fixed in 3.1.0.0. | |
| CVE-2019-1559 | 3.1 | Upgrade to 3.1.4.0. |
| Director | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-0734, CVE-2018-5407, CVE-2019-1552 |
6.1 | Upgrade to a version of MC with the fixes. |
| Mail Threat Defense (MTD) | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-0735, CVE-2018-5407, CVE-2019-1559 |
1.1 | Upgrade to a version of CA and SMG with the fixes. |
| Malware Analysis (MA) | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-5407, CVE-2019-1559 | 4.2 | Upgrade to a version of Content Analysis with fixes. |
| Management Center (MC) | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2019-1559 | 2.2 | Upgrade to a later version with fixes. |
| 2.3 | Upgrade to 2.3.3.1. | |
| 2.4 and later | Not vulnerable, fixed in 2.4.1.1. | |
| PacketShaper (PS) | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-0734, CVE-2019-1559 | 9.2 | Upgrade to a version of PacketShaper S-Series with fixes. |
| PacketShaper (PS) S-Series | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-0734, CVE-2018-0735, CVE-2018-5407, CVE-2019-1559 |
11.6, 11.9, 11.10 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PS S-Series. Switch to a version of SSG with the vulnerability fixes. |
| PolicyCenter (PC) | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-0734, CVE-2019-1559 | 9.2 | Upgrade to a version of PolicyCenter S-Series with fixes. |
| PolicyCenter (PC) S-Series | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-0734, CVE-2018-0735, CVE-2018-5407, CVE-2019-1559 |
1.1 | A fix will not be provided. Allot NetXplorer is a replacement product for PC S-Series. Switch to a version of NetXplorer with the vulnerability fixes. |
| Reporter | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2019-1559 | 10.3, 10.4, 10.5 | Upgrade to a later version with fixes. |
| 10.6 | Not vulnerable, fixed in 10.6.1.1 | |
| Security Analytics (SA) | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-0734, CVE-2018-5407, CVE-2019-1559 |
7.2, 7.3, 8.0 | Upgrade to later version with fixes. |
| 8.1 | Not available at this time | |
| CVE-2018-5407 | 8.2 | Upgrade to 8.2.4. |
| CVE-2018-0734, CVE-2019-1559 | 8.2 | Not vulnerable, fixed in 8.2.1 |
| SSL Visibility (SSLV) | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2019-1559 | 4.4 | Upgrade to later version with fixes. |
| 4.5 and later | Not vulnerable, fixed in 4.5.1.1 | |
| Web Isolation (WI) | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2018-0734, CVE-2018-0735, CVE-2018-5407 |
1.12 | Upgrade to 1.12.13+250. |
| 1.13 and later | Not vulnerable, fixed. | |
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable:
AuthConnector
CDP for Salesforce
CDP for ServiceNow
CDP for Oracle CRM on Demand
CDP Communication Server
CDP Integration Server
General Auth Connector Login Application
Integrated Secure Gateway (ISG)
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Symantec HSM Agent for the Luna SP
Unified Agent
WSS Agent
WSS Mobile Agent
The following products are under investigation:
Advanced Secure Gateway
CacheFlow
X-Series XOS
ISSUES
| CVE-2018-0734 | |
|---|---|
| Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |
| References | SecurityFocus: BID 105758 / NVD: CVE-2018-0734 |
| Impact | Information disclosure |
| Description | A timing side channel flaw in the DSA signature algorithm implementation allows an attacker to recover DSA private keys. |
| CVE-2018-0735 | |
|---|---|
| Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |
| References | SecurityFocus: BID 105750 / NVD: CVE-2018-0735 |
| Impact | Information disclosure |
| Description | A timing side channel flaw in the ECDSA signature algorithm implementation allows an attacker to recover ECDSA private keys. |
| CVE-2018-5407 | |
|---|---|
| Severity / CVSSv3 | Medium / 4.7 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) |
| References | SecurityFocus: BID 105897 / NVD: CVE-2018-5407 |
| Impact | Information disclosure |
| Description | A timing side channel flaw in ECC scalar multiplication, used in ECDSA and ECDH signatures, allows a local attacker to recover ECDSA or ECDH private keys. |
| CVE-2019-1543 | |
|---|---|
| Severity / CVSSv3 | High / 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) |
| References | SecurityFocus: BID 107349 / NVD: CVE-2019-1543 |
| Impact | Unspecified |
| Description | An insufficient cryptographic parameter validation fault in the ChaCha20-Poly1305 cipher implementation allows an attacker to compromise data confidentiality and integrity through unspecified vectors. |
| CVE-2019-1552 | |
|---|---|
| Severity / CVSSv3 | Low / 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) |
| References | SecurityFocus: BID 109443 / NVD: CVE-2019-1552 |
| Impact | Unauthorized modification of configuration and executable code |
| Description | A fault in configuration file specification allows a local attacker to insert malicious CA certificates and modify OpenSSL configuration and executable engine modules. |
| CVE-2019-1559 | |
|---|---|
| Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |
| References | SecurityFocus: BID 107174 / NVD: CVE-2019-1559 |
| Impact | Information disclosure |
| Description | A padding oracle fault in the SSL library allows a remote attacker to decrypt data encrypted inside the SSL tunnel. |
REFERENCES
OpenSSL Security Advisory [29 October 2018] - https://www.openssl.org/news/secadv/20181029.txt
OpenSSL Security Advisory [30 October 2018] - https://www.openssl.org/news/secadv/20181030.txt
OpenSSL Security Advisory [12 November 2018] - https://www.openssl.org/news/secadv/20181112.txt
OpenSSL Security Advisory [26 February 2019] - https://www.openssl.org/news/secadv/20190226.txt
OpenSSL Security Advisory [6 March 2019] - https://www.openssl.org/news/secadv/20190306.txt
OpenSSL Security Advisory [30 July 2019] - https://www.openssl.org/news/secadv/20190730.txt
REVISION
2022-06-09 Integrated Secure Gateway (ISG) is not vulnerable.
2022-03-03 A fix for Content Analysis 3.1 for CVE-2018-0735, CVE-2018-5407, and CVE-2019-1559 is available in 3.1.4.0.
2022-02-16 A fix for Reporter 10.5 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-09-20 A fix for CVE-2018-5407 in Security Analytics 8.2 is available in 8.2.4.
2021-09-14 It was previously reported that Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Reporter 10.5 is vulnerable. Reporter 10.6 is not vulnerable because a fix is available in 10.6.1.1.
2021-08-05 Content Analysis 3.1 is not vulnerable to CVE-2018-0735 because a fix is available in 3.1.0.0.
2021-08-02 Security Analytics 8.2 is not vulnerable to CVE-2018-0734 and CVE-2019-1559 because a fix is available in 8.2.1.
2021-07-20 A fix for SSLV 4.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-05-03 SSLV 4.4 is vulnerable to CVE-2019-1559. SSLV 4.5 is not vulnerable because a fix is available in 4.5.1.1.
2021-04-28 Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1.
2021-02-18 A fix for CA 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-19 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is vulnerable to CVE-2018-0735 and CVE-2019-1559. Content Analysis 3.1 is not vulnerable to CVE-2018-5407 because a fix is available in 3.1.0.0.
2020-04-05 Content Analysis 3.0 is vulnerable to CVE-2018-0735, CVE-2018-5407, and CVE-2019-1559. Reporter 10.5 is vulnerable to CVE-2019-1559. Fixes will not be provided for Management Center 2.2 and Reporter 10.3. Please upgrade to a later version with the vulnerability fixes. Security Analytics 8.1 is vulnerable to CVE-2018-0734, CVE-2018-5407, and CVE-2019-1559.
2020-04-04 PacketShaper S-Series and PolicyCenter S-Series are vulnerable to CVE-2018-0734, CVE-2018-0735, CVE-2018-5407, and CVE-2019-1559. A fix for PacketShaper S-Series will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes. A fix for PolicyCenter S-Series will not be provided. Allot NetXplorer is a replacement product for PolicyCenter S-Series. Switch to a version of NetXplorer with the vulnerability fixes.
2020-01-26 MC 2.4 is not vulnerable because a fix is available in 2.4.1.1.
2020-01-19 A fix for Malware Analysis will not be provided. Please upgrade to a version of Content Analysis with the vulnerability fixes.
2019-10-10 A fix for PacketShaper 9.2 will not be provided. Please upgrade to a version of PacketShaper S-Series with the vulnerability fixes. A fix for PolicyCenter 9.2 will not be provided. Please upgrade to a version of PolicyCenter S-Series with the vulnerability fixes.
2019-10-07 WI 1.13 is not vulnerable.
2019-10-04 A fix for MC 2.3 is available in 2.3.3.1.
2019-09-09 Added SecurityFocus BID for CVE-2019-1552.
2019-09-05 initial public release