SA134: Linux Kernel Vulnerabilities Oct/Nov 2016

Security Advisories ID: SA134
Published Date: December 8, 2016
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE Number:
CVE-2016-5195 - 7.2 (HIGH) (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVE-2016-7039 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2016-8666 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2016-9555 - 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Blue Coat products that include a vulnerable version of the Linux kernel are susceptible to several vulnerabilities.  A remote attacker, with access to the management interface, can exploit these vulnerabilities to cause denial of service through system crashes or have unspecified other impact.  A local attacker can also escalate their privileges on the system (aka Dirty COW).

Affected Products: 

The following products are vulnerable:

Content Analysis System
CAS 1.3 is vulnerable to CVE-2016-7039 and CVE-2016-8666.

Director
Director 6.1 is vulnerable to CVE-2016-5195 (Dirty COW) and CVE-2016-9555.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.11 is vulnerable to CVE-2016-5195 (Dirty COW).  MAA 4.2 is also vulnerable to CVE-2016-7039, CVE-2016-8666, and CVE-2016-9555.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-7039 and CVE-2016-8666.

Management Center
MC 1.7 is vulnerable to CVE-2016-7039 and CVE-2016-8666.

Norman Shark Industrial Control System Protection
ICSP 5.3 is vulnerable to CVE-2016-5195 (Dirty COW), CVE-2016-8666, and CVE-2016-9555.

Norman Shark Network Protection
NNP 5.3 is vulnerable to CVE-2016-5195 (Dirty COW), CVE-2016-8666, and CVE-2016-9555.

Norman Shark SCADA Protection
NSP 5.3 is vulnerable to CVE-2016-5195 (Dirty COW), CVE-2016-8666, and CVE-2016-9555.

Reporter
Reporter 10.1 is vulnerable to CVE-2016-7039 and CVE-2016-8666.  Reporter 9.4 and 9.5 are not vulnerable.

Security Analytics
Security Analytics 6.6, 7.1, and 7.2 prior to 7.2.2 are vulnerable to CVE-2016-5195 (Dirty COW).  Security Analytics 6.6, 7.1, and 7.2 are also vulnerable to CVE-2016-7039, CVE-2016-8666, and CVE-2016-9555.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2016-5195 (Dirty COW).

The following products have a vulnerable version of the Linux kernel, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 has a vulnerable version of the Linux kernel.

PacketShaper S-Series
PS S-Series 11.5, 11.6, and 11.7 have a vulnerable version of the Linux kernel.

PolicyCenter S-Series
PC S-Series 1.1 has a vulnerable version of the Linux kernel.

SSL Visibility
SSLV 3.8.4FC, 3.9, 3.10, and 3.11 have a vulnerable version of the Linux kernel.

The following products are not vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses several vulnerabilities in the Linux kernel.  Blue Coat products that include vulnerable versions of the Linux kernel and use the affected functionality are vulnerable.

  • CVE-2016-5195 (Dirty COW) is a race condition in the memory manager copy-on-write (COW) functionality that allows a local attacker to write to read-only memory mappings and escalate their privileges on the system.
  • CVE-2016-7039 is an unbound recursion flaw in VLAN and Transparent Ethernet Bridging (TEB) Generic Receive Offload (GRO) handling that allows a remote attacker to send large crafted packets and cause a system crash, resulting in denial of service.
  • CVE-2016-8666 is an unbound recursion flaw in Generic Receive Offload (GRO) handling that allows a remote attacker to send crafted packets with tunnel stacking and cause a system crash, resulting in denial of service.
  • CVE-2016-9555 is a buffer overread flaw in SCTP packet handling that allows a remote attacker to send crafted SCTP packets and cause denial of service or have unspecified other impact.

Blue Coat products that use a native installation of the Linux kernel but do not install or maintain the kernel are not vulnerable to the attacks using the CVEs in this Security Advisory.  However, the underlying platform that installs and maintains the Linux kernel may be vulnerable.  Blue Coat urges our customers to update the versions of the Linux kernel that are natively installed for Client Connector, Cloud Data Protection, ProxyClient, and Reporter 9.x for Linux.

Some Blue Coat products do not provide Linux shell access, do not execute arbitrary code from external sources, or do not act as an SCTP server.  The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • CAS: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • MTD: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • MC: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • PacketShaper S-Series: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • PolicyCenter S-Series: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • Reporter: CVE-2016-5195 (Dirty COW)
  • SSL Visibility: CVE-2016-5195 (Dirty COW) and CVE-2016-9555
  • XOS: CVE-2016-9555

Workarounds: 

CVE-2016-7039, CVE-2016-8666, and CVE-2016-9555 can be exploited only through the management interfaces for all vulnerable products.  Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

By default, Director and Security Analytics do not act as an SCTP server.  Customers who leave this behavior unchanged prevent attacks using CVE-2016-9555 against these products.

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Content Analysis System
CAS 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

Malware Analysis Appliance
MAA 4.2 - a fix for CVE-2016-5195 (Dirty COW) is available in 4.2.11.  A fix for the remaining CVEs is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.7 - a fix is not available at this time.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is not available at this time.

Norman Shark Network Protection
NNP 5.3 - a fix is not available at this time.

Norman Shark SCADA Protection
NSP 5.3 - a fix is not available at this time.

PacketShaper S-Series
PS S-Series 11.7 - a fix is not available at this time.
PS S-Series 11.6 - a fix is not available at this time.
PS S-Series 11.5 - a fix is not available at this time.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is not available at this time.

Reporter
Reporter 10.1 - a fix is not available at this time.

Security Analytics
Security Analytics 7.2 - a fix for CVE-2016-5195 (Dirty COW) is available in 7.2.2.  Fixes for the remaining CVEs are not available at this time.
Security Analytics 7.1 - a fix for CVE-2016-5195 (Dirty COW) is available through an RPM patch from Blue Coat Support.  Fixes for the remaining CVEs are not available at this time.
Security Analytics 6.6 - a fix for CVE-2016-5195 (Dirty COW) is available through an RPM patch from Blue Coat Support.  Fixes for the remaining CVEs are not available at this time.

SSL Visibility
SSLV 3.11 - a fix for CVE-2016-5195 (Dirty COW) is available in 3.11.1.1.  A fix for CVE-2016-9555 is not available at this time.
SSLV 3.10 - a fix is not available at this time.
SSLV 3.9 - a fix for CVE-2016-5195 is available in 3.9.7.1.
SSLV 3.8.4FC - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-01-13 A fix for CVE-2016-5195 in SSLV 3.9 is available in 3.9.7.1.
2016-12-19 A fix for CVE-2016-5195 (Dirty COW) in MAA 4.2 is available in 4.2.11.
2016-12-08 initial public release
