SUMMARY

AFFECTED PRODUCTS 

ADDITIONAL PRODUCT INFORMATION

Blue Coat products marked as vulnerable in this security advisory are vulnerable to the impersonation attacks against TLS 1.2 client and server authentication.  Blue Coat products do not use tls-unique channel bindings and are not vulnerable to the application-level authentication credential forwarding attack.  This security advisory does not address the SLOTH attacks against TLS 1.3, SSH, and IKE v1/v2.

Blue Coat products that use a native installation of a TLS library, but do not install or maintain that implementation, are not vulnerable to SLOTH.  However, the underlying platform or application that installs and maintains the TLS library may be vulnerable.  Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for MacOSX, ProxyClient for MacOSX, and Reporter 9.x for Linux.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

Network security protocols, such as TLS, use message transcripts that allow communicating parties to keep track of the protocol messages they have observed.  The parties exchange and verify authenticated hashes of their transcripts to ensure that both parties have observed the same set of messages and that the messages have not been tampered with by a man-in-the-middle (MITM).

Transcript collision attacks are a class of attacks where a MITM, given a legitimate message transcript, can find a different transcript of malicious messages that has the same transcript hash.  The attacker can thus modify the legitimate messages with malicious content without being detected by the communicating parties.  SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) is a set of practical transcript collision attacks against TLS 1.2 and other protocols.  The SLOTH attacks exploit the use of weak MD5 hashes for digital signatures and other weak hashing constructs.

This security advisory addresses the following SLOTH transcript collision attacks:

• Breaking TLS 1.2 Client Authentication using a Chosen-Prefix Transcript Collision: A MITM can break TLS 1.2 client authentication to impersonate a client and obtain the TLS master secret and session keys.  The attacker can force the client use a DHE cipher suite and sign a weak MD5 hash of the TLS handshake transcript in the ClientCertificateVerify TLS handshake message.  The attacker uses a chosen-prefix transcript collision to find a set of modified handshake messages with the same transcript hash.  The client receives the malicious messages and signs the message transcript with its private key.  The attacker then forwards the signed transcript to the server.  The server does not detect a discrepancy because the malicious message transcript hash matches its own transcript hash.  The MITM also modifies the client's ClientKeyExchange messages to obtain the TLS master secret and session keys.
• Breaking TLS 1.2 Server Authentication using a Generic Transcript Collision: A MITM can break TLS 1.2 server authentication to impersonate a server and obtain the TLS master secret and session keys.  To prepare for the attack, the attacker must collect a large number of MD5 hashes and respective RSA-MD5 signatures produced by the server.  The MITM then intercepts the TLS handshake and produces a modified ServerKeyExchange message with the same hash as one of the pre-collected hashes.  The attacker sends the malicious ServerKeyExchange message to the server with the pre-collected RSA-MD5 signature.  Having control over the key exchange allows the attacker to obtain the TLS master secret and session keys.
• Breaking the tls-unique Channel Binding using a Generic Transcript Collisions: A MITM can break tls-unique channel bindings to perform a credential forwarding attack on application-level authentication protocols.  This attack exploits the loss of security caused by the truncation of the TLS handshake transcript hashes used to compute the TLS channel binding.  The attacker intercepts the TLS handshake messages and chooses malicious ClientKeyExchange, ServerKeyExchange and NextProtocolNegotiation messages that produce a generic transcript collision on the truncated handshake transcript hashes.  Controlling the key exchange messages allows the attacker to obtain the TLS master secret and session keys.  The MITM then exploits the transcript collision to forward the client's application-level authentication credentials to the server.

REFERENCES

SLOTH - https://www.mitls.org/pages/attacks/SLOTH
SLOTH technical paper - https://www.mitls.org/downloads/transcript-collisions.pdf

REVISION

2020-04-20 XOS 10.0 and 11.0 are vulnerable. Advisory status changed to Closed.
2019-10-02 Web Isolation is not vulnerable.
2018-08-29 Reporter 10.2 and later releases are not vulnerable because a fix is available in 10.2.1.1.
2018-04-22 PacketShaper S-Series 11.9 and 11.10 are not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-08 A fix for PolicyCenter S-Series 1.1 is available in 1.1.3.1.
2017-03-06 MC 1.8 is not vulnerable.  ProxySG 6.7 is not vulnerable.  SSLV 4.0 is not vulnerable.  Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-12-04 PacketShaper S-Series 11.7 is not vulnerable.  SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-22 MC 1.6 and 1.7 are not vulnerable.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 Security Analytics 7.2 is not vulnerable.
2016-06-30 A fix for PacketShaper 11.x is available in 11.6.1.1.
2016-06-23 A fix is available in ASG 6.6.4.1.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-26 A fix for Reporter 10.1 is available in 10.1.4.1.
2016-05-19 Fixes are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-27 MTD 1.1 is vulnerable and a fix is available in 1.1.2.1.
2016-04-20 PS S-Series 11.2, 11.3, 11.4, and 11.5 are vulnerable.  PC S-Series 1.1 is vulnerable.
2016-03-17 Clarified that SSLV 3.9 prior to 3.9.3.1 is vulnerable and that UA 4.6 is not vulnerable.
2016-03-14 A fix for CAS 1.3 is available in 1.3.6.1.  A fix for MC 1.5 is available in 1.5.3.1.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8.
2016-02-19 A fix for MC 1.4 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2016-02-16 A fix for ProxySG 6.5 is available in 6.5.9.3.
2016-02-12 Fixes for CAS 1.1 and 1.2 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2016-02-04 ProxySG 6.6 prior to 6.6.2.1 is vulnerable
2016-01-29 initial public release