OpenSSL Vulnerabilities Sep 2019 – Apr 2020

ASG-S200

28 more products

1768

09 June 2022

19 May 2020

OPEN

HIGH

7.5

Summary

Symantec Web Security Group (WSG) products using affected versions of OpenSSL may be susceptible to multiple vulnerabilities. A local or remote attacker can obtain private key or other secret key information. A remote attacker can also cause denial of service.

Affected Product(s)

The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.

Advanced Secure Gateway (ASG)
CVE Supported Version(s) Remediation
CVE-2019-1551 6.7 Upgrade to 6.7.5.13.
7.1 Remediation will not be provided.
7.2 Upgrade to 7.2.8.1.
7.3 Upgrade to 7.3.4.1.

 

BCAAA
CVE Supported Version(s) Remediation
CVE-2019-1563 6.1 (only when Novell SSO realm is used) A fix will not be provided. The vulnerable OpenSSL library is in the Novell SSO SDK and an updated Novell SSO SDK is no longer available. Please contact Novell for more information.

 

Content Analysis (CA)
CVE Supported Version(s) Remediation
CVE-2019-1551 2.3, 2.4 Not vulnerable
3.0 Remediation is not available at this time.
3.1 Upgrade to 3.1.4.0.

 

Management Center (MC)
CVE Supported Version(s) Remediation
CVE-2019-1551 3.0, 3.1 Upgrade to later release with fixes.
3.2 Remediation is not available at this time.
3.3 Not vulnerable, fixed in 3.3.1.1

 

ProxySG
CVE Supported Version(s) Remediation
CVE-2019-1551 6.7 Upgrade to 6.7.5.13.
7.1 Remediation will not be provided.
7.2 Upgrade to 7.2.8.1.
7.3 Upgrade to 7.3.4.1.

 

Reporter
CVE Supported Version(s) Remediation
CVE-2019-1551 10.4, 10.5, 10.6 Remediation will not be provided.
11.0 Not vulnerable, fixed in 11.0.1.1

 

SSL Visibility (SSLV)
CVE Supported Version(s) Remediation
CVE-2019-1551 4.5, 5.2, 5.3 Remediation is not available at this time.
5.0 Upgrade to later release with fixes.
5.4 Not vulnerable, fixed in 5.4.1.1


Additional Product Information

CVE-2019-1551 is exploitable in ASG, CA, ProxySG, Reporter, and SSLV only when customers configure the products’ SSL/TLS interfaces with 1024-bit RSA keys. The default key/certificate pairs shipped with the products have 2048-bit or larger RSA keys. Symantec recommends configuring all SSL/TLS interfaces with 2048-bit or larger RSA keys for protection against multiple attacks, including attacks using CVE-2019-1551.

The following products are not vulnerable:
AuthConnector
General Auth Connector Login Application
HSM Agent for the Luna SP
Integrated Secure Gateway (ISG)
PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
Security Analytics (SA)
Symantec Messaging Gateway (SMG)
Unified Agent
WSS Agent
WSS Mobile Agent

The following products are under investigation:
Web Isolation (WI)

Issue Details

CVE-2019-1547
Severity / CVSS v3.1: Medium / 4.7 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
References: NVD: CVE-2019-1547
Impact: Information disclosure
Description: A side channel flaw in ECDSA signature generation allows a local attacker to recover ECDSA private key information.

 

CVE-2019-1549
Severity / CVSS v3.1: Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2019-1549
Impact: Information disclosure
Description: An RNG state management flaw in random number generation may cause an application to generate insufficiently random data. An attacker with access to the memory of a process on the target host may be able to guess private/secret encryption keys and other random secrets in the memory of a parent or child process.

 

CVE-2019-1551
Severity / CVSS v3.1: Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2019-1551
Impact: Information disclosure
Description: An overflow flaw in the 64-bit Montgomery squaring arithmetic operation implementation allows an attacker to obtain private key information.

 

CVE-2019-1563
Severity / CVSS v3.1: Low / 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2019-1563
Impact: Information disclosure
Description: A padding oracle flaw in CMS/PKCS7 decryption allows a remote attacker to recover a CMS/PKCS7 transported encryption key or decrypt an RSA encrypted message.

 

CVE-2020-1967
Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2020-1967
Impact: Denial of service
Description: A memory handling flaw in the TLS 1.3 handshake implementation allows a remote attacker to send a crafted handshake message and cause denial of service through application crashes.


References

Revisions

2022-06-09 MC 3.3 is not vulnerable because a fix is available in 3.3.1.1. A fix will not be provided for Reporter 10.6. Please upgrade to a later version with the vulnerability fixes. Integrated Secure Gateway (ISG) is not vulnerable.
2022-03-03 A fix for Content Analysis 3.1 for CVE-2019-1551 is available in 3.1.4.0.
2022-03-02 SSLV 5.4 is not vulnerable because a fix is available in 5.4.1.1.
2022-02-16 A fix for Reporter 10.5 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2022-02-09 Reporter 11.0 is not vulnerable because a fix is available in 11.0.1.1.
2021-10-14 A fix for ASG 6.7 and ProxySG 6.7 is available in 6.7.5.13. A fix for ASG 7.2 and ProxySG 7.2 is available in 7.2.8.1.
2021-09-10 A fix for ASG 7.3 and ProxySG 7.3 is available in 7.3.4.1.
2021-08-12 MC 3.2 is vulnerable to CVE-2019-1551.
2021-07-02 MC 3.0 and 3.1 are vulnerable to CVE-2019-1551.
2021-06-07 A fix for SSLV 5.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2021-04-26 PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-04-19 BCAAA 6.1 is vulnerable to CVE-2019-1563.
2020-11-19 A fix for Reporter 10.4 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2020-11-12 Content Analysis 3.1 is vulnerable to CVE-2019-1551. 
2020-05-19 initial public release