SA115: Multiple nginx DNS resolver vulnerabilities

Security Advisories ID: SA115
Published Date: March 11, 2016
Advisory Status: Interim
Advisory Severity: Medium
CVSS v2 base score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVE Number: 
CVE-2016-0742 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-0746 - 5.1 (MEDIUM) (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVE-2016-0747 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Blue Coat products that include affected versions of nginx and enable the nginx DNS resolver are susceptible to multiple vulnerabilities.  A remote attacker, with access to the management interface, can exploit these vulnerabilities to cause denial of service.  In some cases, the attacker may also cause nginx to execute arbitrary code.

Affected Products: 

The following products are vulnerable:

Norman Shark Industrial Control System Protection
ICSP 5.3 is vulnerable.

Norman Shark Network Protection
NNP 5.3 is vulnerable.

Norman Shark SCADA Protection
NSP 5.3 is vulnerable.

The following products have a vulnerable version of nginx, but are not vulnerable to known vectors of attack:

SSL Visibility
SSLV 3.8, 3.8.4FC, 3.9 prior to 3.9.7.1, and 3.10 have a vulnerable version of nginx. SSLV 3.11 is not vulnerable.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Malware Analysis Appliance
Management Center
PacketShaper
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
Unified Agent
X-Series XOS

The following products are under investigation:
DLP
PacketShaper S-Series

Advisory Details: 

This Security Advisory addresses vulnerabilities in the nginx DNS resolver component that were reported in January 2016.

  • CVE-2016-0742 is a flaw in the nginx DNS resolver that allows a remote attacker to send crafted DNS responses to nginx and cause it to perform an out-of-bounds read or dereference an invalid pointer. This can cause nginx to crash, resulting in denial of service.
  • CVE-2016-0746 is a use-after-free flaw in the nginx DNS resolver that allows a remote attacker, who can trigger DNS resolution on the target, to send crafted DNS responses to nginx. This attack can cause an nginx worker process to crash or execute arbitrary code.
  • CVE-2016-0747 is a flaw in the nginx DNS resolver that allows a remote attacker, who can trigger DNS resolution on the target, to send crafted DNS responses to nginx. This attack can cause nginx worker processes to consume excessive resources, resulting in denial of service.

Blue Coat products do not enable or use all functionality within nginx.  The product listed below includes a vulnerable version of nginx, but does not enable the DNS resolver, and is not known to be vulnerable to the CVEs in this Security Advisory.  However, fixes for those CVEs will be included in the patches that are provided.

  • SSLV

Workarounds: 

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products.  Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

ICSP, NNP, and NSP by default do not enable the nginx DNS resolver.  Customers who leave the nginx DNS resolver disabled prevent attacks against these products using CVE-2016-0742, CVE-2016-0746, and CVE-2016-0747.
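
One way to check both workaround conditions on a plain nginx configuration, as an added example that is not Blue Coat's or nginx's code: it reports, for each `server` block, whether a `resolver` directive is in effect and whether an `allow` plus `deny all` source restriction is present. The sample configuration is constructed, and how the appliances listed here store their nginx configuration is not described in this advisory.

```python
import re

# Constructed sample nginx configuration (not taken from any product).
SAMPLE_CONF = """
http {
    # resolver 192.0.2.53;   commented out, so it does not count
    server {
        listen 8443 ssl;
        resolver 192.0.2.53 valid=30s;
        location / { proxy_pass https://${backend}; }
    }
    server {
        listen 9443 ssl;
        allow 10.20.0.0/16;
        deny all;
    }
}
"""

# Comments, quoted strings, structural characters, then bare words (${var} allowed).
TOKEN = re.compile(r"""#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|(?:\$\{\w+\}|[^\s;{}])+""")

def audit(conf):
    """Per server block: listen values, resolver in effect, source allow-list.
    Rules inside a location are attributed to the enclosing server block."""
    servers, stack, http_resolvers, words = [], [], [], []
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue                      # comment: never an active directive
        if tok not in (";", "{", "}"):
            words.append(tok.strip("\"'"))
            continue
        if tok == "{":
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                servers.append({"listen": [], "resolver": [], "allow": [], "deny_all": False})
        elif tok == "}" and stack:
            stack.pop()
        elif tok == ";" and len(words) > 1:
            name, args = words[0], words[1:]
            cur = servers[-1] if "server" in stack else None
            if name == "resolver":        # keep addresses, skip valid=/ipv6= options
                (cur["resolver"] if cur else http_resolvers).extend(a for a in args if "=" not in a)
            elif cur and name in ("listen", "allow"):
                cur[name].append(args[0])
            elif cur and name == "deny" and args == ["all"]:
                cur["deny_all"] = True
        words = []
    for s in servers:
        s["resolver"] = s["resolver"] or http_resolvers   # inherit from http level
        s["restricted"] = bool(s["allow"]) and s["deny_all"]
    return servers
```

A `server` block with a non-empty `resolver` list and `restricted` set to `False` is the combination the workarounds above are meant to eliminate.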

Patches: 

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is not available at this time.

Norman Shark Network Protection
NNP 5.3 - a fix is not available at this time.

Norman Shark SCADA Protection
NSP 5.3 - a fix is not available at this time.

SSL Visibility
SSLV 3.11 - a fix is available in 3.11.1.1.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix is available in 3.9.7.1.

Advisory History: 

2017-01-13 A fix for SSLV 3.9 is available in 3.9.7.1.
2016-12-04 A fix is available in SSLV 3.11.1.1.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 has a vulnerable version of nginx, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2016-06-11 PolicyCenter S-Series is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-25 Mail Threat Defense is not vulnerable.
2016-03-11 Initial public release