SA112: Linux Kernel Keyring Privilege Escalation

Security Advisories ID: SA112
Published Date: February 25, 2016
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVE Number: CVE-2016-0728 - 7.2 (HIGH) (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Blue Coat products that include affected versions of the Linux kernel and provide means for executing arbitrary code are susceptible to a privilege escalation vulnerability.  A malicious local unprivileged user can exploit this vulnerability to escalate their privileges on the system or cause denial of service.

Affected Products: 

The following products are vulnerable:

Malware Analysis Appliance
MAA 4.2 prior to 4.2.9 is vulnerable.

Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.6 is vulnerable.

Norman Shark Network Protection
NNP 5.3 prior to 5.3.6 is vulnerable.

Norman Shark SCADA Protection
NSP 5.3 prior to 5.3.6 is vulnerable.

The following products have a vulnerable version of the Linux kernel, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 prior to 6.6.5.1 has a vulnerable version of the Linux kernel.

Content Analysis System
CAS 1.2 and 1.3 prior to 1.3.7.1 have a vulnerable version of the Linux kernel.

Mail Threat Defense
MTD 1.1 has a vulnerable version of the Linux kernel.

Management Center
MC 1.5 and 1.6 have a vulnerable version of the Linux kernel.  MC 1.7, 1.8, and 1.9 are not vulnerable.

Reporter
Reporter 10.1 prior to 10.1.4.2 has a vulnerable version of the Linux kernel.

SSL Visibility
SSLV 3.8, 3.8.4FC, and 3.9 prior to 3.9.4.1 have a vulnerable version of the Linux kernel.  SSLV 3.10, 3.11, and 4.0 are not vulnerable.

The following products are not vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Security Analytics
Unified Agent
X-Series XOS

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses a privilege escalation vulnerability in the Linux kernel (CVE-2016-0728).  A malicious local unprivileged user can exploit a reference leak and use-after-free flaw in the Linux kernel keyring facility.  The malicious user can exploit the leaked keyring reference to cause the Linux kernel to execute arbitrary code, resulting in privilege escalation or denial of service.

The Linux kernel keyring facility is a mechanism for Linux drivers to cache authentication keys, encryption keys, and other security-related objects in the Linux kernel.  Linux provides a system call interface, including a keyctl() system call, for userspace applications to manage the kernel objects and also use the keyring facility for their own purposes.  A Blue Coat product does not need to use the Linux keyring facility in order to be vulnerable.  A malicious local unprivileged user can execute arbitrary code that uses the keyctl() system call to exploit the vulnerability and gain escalated privileges on the system or cause denial of service.  A remote attacker has to either have shell access on the target system, or force the target system to execute arbitrary code to exploit this vulnerability.
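
Because the attack path described above is a local unprivileged user calling keyctl(), a Linux host that runs auditd can record those calls and review who made them. The following is an added example, not part of the Blue Coat advisory: it assumes an audit rule tagged with the hypothetical key `keyctl_use`, x86_64 syscall numbering (keyctl = 250), and the constructed log lines embedded in the code.

```python
import re
from collections import Counter

# Assumed audit rule that produces these records (key name is hypothetical):
#   -a always,exit -F arch=b64 -S keyctl -F uid!=0 -k keyctl_use
X86_64_ARCH = "c000003e"  # arch value auditd prints for x86_64
KEYCTL_NR = "250"         # keyctl() syscall number on x86_64

# Constructed sample records in auditd raw log format (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1456400000.101:4501): arch=c000003e syscall=250 success=yes exit=0 pid=2210 auid=1000 uid=1000 euid=1000 comm="a.out" exe="/tmp/a.out" key="keyctl_use"
type=SYSCALL msg=audit(1456400000.102:4502): arch=c000003e syscall=250 success=yes exit=0 pid=2210 auid=1000 uid=1000 euid=1000 comm="a.out" exe="/tmp/a.out" key="keyctl_use"
type=SYSCALL msg=audit(1456400000.103:4503): arch=c000003e syscall=250 success=no exit=-13 pid=2210 auid=1000 uid=1000 euid=1000 comm="a.out" exe="/tmp/a.out" key="keyctl_use"
type=SYSCALL msg=audit(1456400005.200:4504): arch=c000003e syscall=250 success=yes exit=0 pid=611 auid=4294967295 uid=0 euid=0 comm="request-key" exe="/sbin/request-key" key=(null)
type=SYSCALL msg=audit(1456400007.300:4505): arch=c000003e syscall=2 success=yes exit=3 pid=2300 auid=1001 uid=1001 euid=1001 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1456400009.400:4506): arch=c000003e syscall=250 success=yes exit=0 pid=2301 auid=1001 uid=1001 euid=1001 comm="keyctl" exe="/bin/keyctl" key="keyctl_use"
type=PATH msg=audit(1456400009.400:4506): item=0 name="/bin/keyctl" inode=1312 mode=0100755
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def unprivileged_keyctl_calls(log_text):
    """Count keyctl() calls per (uid, exe) made by non-root users."""
    calls = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # PATH, CWD and similar records carry no syscall number
        if rec.get("arch") != X86_64_ARCH or rec.get("syscall") != KEYCTL_NR:
            continue
        if rec.get("uid") == "0":
            continue  # the advisory's threat is a local unprivileged user
        calls[(rec.get("uid"), rec.get("exe"))] += 1
    return calls

def report(log_text, threshold=1):
    """Return (uid, exe, count) rows at or above threshold, busiest first."""
    rows = [(u, e, n) for (u, e), n in unprivileged_keyctl_calls(log_text).items()
            if n >= threshold]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for uid, exe, count in report(SAMPLE_LOG):
        print(f"uid={uid} exe={exe} keyctl_calls={count}")
```

On a system that has no legitimate unprivileged use of the keyring facility, any row in the report is worth reviewing; `threshold` narrows the output to processes that call keyctl() repeatedly.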

Blue Coat products that use a native installation of the Linux kernel but do not install or maintain the kernel are not vulnerable to this attack.  However, the underlying platform that installs and maintains the Linux kernel may be vulnerable.  Blue Coat urges our customers to update the versions of the Linux kernel that are natively installed for Client Connector, ProxyClient, and Reporter 9.x for Linux.

Blue Coat products that do not provide Linux shell access and do not execute arbitrary code from untrusted sources are not known to be vulnerable to this attack.  However, vulnerability fixes will be included in the patches that are provided.  The following products include vulnerable versions of the Linux kernel, but do not provide Linux shell access, do not execute arbitrary code from untrusted sources, and are not known to be vulnerable:

  • ASG
  • CAS
  • MTD
  • MC
  • Reporter 10.1
  • SSLV

Workarounds: 

There are no known workarounds.

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is available in 6.6.5.1.

Content Analysis System
CAS 1.3 - a fix is available in 1.3.7.1.
CAS 1.2 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Malware Analysis Appliance
MAA 4.2 - a fix is available in 4.2.9.

Management Center
MC 1.7 - a fix is available in 1.7.1.2.
MC 1.6 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
MC 1.5 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is available in 5.3.6.

Norman Shark Network Protection
NNP 5.3 - a fix is available in 5.3.6.

Norman Shark SCADA Protection
NSP 5.3 - a fix is available in 5.3.6.

Reporter
Reporter 10.1 - a fix is available in 10.1.4.2.

SSL Visibility
SSLV 3.9 - a fix is available in 3.9.4.1.
SSLV 3.8.4FC - a fix is not available at this time.
SSLV 3.8 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

References: 
Advisory History: 

2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable.  ProxySG 6.7 is not vulnerable.  SSLV 4.0 is not vulnerable.  Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-04 A fix for ASG is available in 6.6.5.1.  A fix for Reporter 10.1 is available in 10.1.4.2.
2016-10-25 MC 1.6 has a vulnerable version of the Linux kernel, but is not vulnerable to known vectors of attack.  MC 1.7 is not vulnerable because it contains the vulnerability fix.
2016-08-12 A fix for CAS 1.3 is available in 1.3.7.1.
2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-06-03 A fix for MAA is available in 4.2.9.
2016-05-12 A fix for SSLV 3.8 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-25 MTD 1.1 has a vulnerable version of the Linux kernel, but is not vulnerable to known vectors of attack.
2016-04-15 A fix will not be provided for CAS 1.2.  Please upgrade to a later version with the vulnerability fixes.
2016-02-25 initial public release
