SA163: OpenSSH Vulnerability October 2017
SUMMARY
Symantec Network Protection products using affected versions of OpenSSH are susceptible to a security vulnerability. A remote attacker with read-only access to an SFTP server can create a large number of zero-length files and deplete the target's hard disk space.
AFFECTED PRODUCTS
The following products are vulnerable:
Director | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2017-15906 | 6.1 | Upgrade to a version of MC with the fixes. |
Malware Analysis (MA) | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2017-15906 | 4.2 | Upgrade to 4.2.12. |
Norman Shark Industrial Control System Protection (ICSP) | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2017-15906 | 6.0 | Not vulnerable, fixed in 6.0.1 |
Security Analytics | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2017-15906 | 8.1 and later | Not vulnerable, fixed in 8.1.1 |
CVE-2017-15906 | 7.2, 7.3, 8.0 | Upgrade to later version with fixes. |
CVE-2017-15906 | 7.1 | Not vulnerable |
The following products have a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:
SSL Visibility (SSLV) | ||
---|---|---|
CVE | Affected Version(s) | Remediation |
CVE-2017-15906 | 4.0 and later | Not vulnerable |
CVE-2017-15906 | 3.12 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
CVE-2017-15906 | 3.11 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
CVE-2017-15906 | 3.10 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
CVE-2017-15906 | 3.8.4FC (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to later release with fixes. |
ADDITIONAL PRODUCT INFORMATION
Some Symantec Network Protection products do not enable or use all functionality within OpenSSH. The products listed below do not provide an SFTP server and are thus not known to be vulnerable to CVE-2017-15906. However, fixes will be included in the patches that are provided:
- SSLV 3.x
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Content Analysis
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Unified Agent
Web Isolation
X-Series XOS
ISSUES
CVE-2017-15906 | |
---|---|
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) |
References | SecurityFocus: BID 101552 / NVD: CVE-2017-15906 |
Impact | Denial of service |
Description | An unauthorized access flaw in sftp-server read-only mode allows remote attackers to create zero-length files and deplete the target's hard disk space. |
MITIGATION
By default, Director and Security Analytics do not provide an SFTP server. Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-15906.
By default, Malware Analysis does not provide an SFTP server in read-only mode. Customers who leave this behavior unchanged prevent attacks against MA using CVE-2017-15906.
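The mitigation above turns on two conditions: whether an SFTP server is enabled, and whether it runs in read-only mode. The following Python audit of a generic OpenSSH `sshd_config` is an added example, not code from Symantec or the OpenSSH project. The function names and the sample configuration are constructed for illustration, and only the whitespace-separated `Keyword args` form in a single file is handled.

```python
import shlex

# sftp-server(8) options that take a value; -e, -h and -R are plain flags.
OPTS_WITH_VALUE = set("dflPpQu")

def is_read_only(args):
    """getopt-style scan of sftp-server arguments for the -R (read-only) flag."""
    i = 0
    while i < len(args):
        tok = args[i]
        i += 1
        if tok in ("-", "--") or not tok.startswith("-"):
            break  # option parsing ends at the first non-option
        for pos, ch in enumerate(tok[1:], start=1):
            if ch == "R":
                return True
            if ch in OPTS_WITH_VALUE:
                if pos == len(tok) - 1:
                    i += 1  # value is the next token, e.g. "-f AUTH"
                break  # otherwise the value is the rest of this token ("-lERROR")
    return False

def audit_sshd_config(text):
    """Return [(line_number, read_only)] for each directive that starts an SFTP server."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        words = shlex.split(raw, comments=True)  # drops '#' comments
        keyword = words[0].lower() if words else ""  # keywords are case-insensitive
        cmd = []
        if keyword == "subsystem" and words[1:2] == ["sftp"]:
            cmd = words[2:]
        elif keyword == "forcecommand":
            cmd = words[1:]
        if cmd and (cmd[0] == "internal-sftp" or cmd[0].endswith("/sftp-server")):
            findings.append((lineno, is_read_only(cmd[1:])))
    return findings

# Constructed sample configuration (not taken from any Symantec product).
SAMPLE = """\
Port 22
Subsystem sftp /usr/libexec/openssh/sftp-server -lERROR -f AUTH
Match Group auditors
    ForceCommand internal-sftp -R -d /srv/reports
"""

if __name__ == "__main__":
    for lineno, read_only in audit_sshd_config(SAMPLE):
        print(f"line {lineno}: SFTP enabled, read-only={read_only}")
```

Lines reported with `read-only=True` are the configurations that rely on the read-only restriction this advisory describes; an empty result means no SFTP server is configured in the file.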
REFERENCES
OpenSSH Security - https://www.openssh.com/security.html
REVISION
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. ICSP 6.0 is not vulnerable because a fix is available in 6.0.1. Moving Advisory Status to Closed.
2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-18 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-17 Security Analytics 8.1 is not vulnerable because a fix is available in 8.1.1.
2019-10-02 Web Isolation is not vulnerable.
2019-01-21 Security Analytics 8.0 is vulnerable.
2018-07-27 A fix for MA 4.2 is available in 4.2.12.
2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-01-30 Initial public release.