OpenSSL Security Advisory 05-Jun-2014

Back to all Security AdvisoriesFollow
Security Advisories ID: 
SA80
Published Date: 
June 6, 2014
Advisory Status: 
Interim
Advisory Severity: 
Medium
CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE Number: 
CVE-2010-5298 – CVSS base score: 4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)
CVE-2014-0195 – CVSS base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2014-0198 – CVSS base score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2014-0221 – CVSS base score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2014-0224 – CVSS base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2014-3470 – CVSS base score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Blue Coat products using affected versions of OpenSSL 0.9.8, 1.0.0, and 1.0.1 are vulnerable to one or more vulnerabilities in OpenSSL. A remote attacker may exploit these vulnerabilities on clients or servers to become a man-in-the-middle, execute arbitrary code, inject data into sessions, or cause a denial-of-service.

Affected Products: 

The following products are vulnerable to one or more of these vulnerabilities:

BCAAA
BCAAA 5.5 and 6.1 may be vulnerable to all CVEs when configured to use the CoreID or the Novell SSO.

CacheFlow
CacheFlow 2.x, 3.x prior to 3.2.2.6, and 3.3 are vulnerable.  CacheFlow 3.4 is not vulnerable.

Content Analysis System
CAS 1.1.x prior to 1.1.5.5 are vulnerable.  CAS 1.2 and 1.3 are not vulnerable.

Director
Director 5.x and 6.x prior to 6.1.13.1 are vulnerable.

DLP
All versions are vulnerable.

IntelligenceCenter
IC 3.2 is vulnerable.  IC 3.3 is not vulnerable.

Malware Analysis Appliance
All versions of MAA 1.1 are vulnerable.  MAA 4.1.x prior to 4.1.2, and 4.2 prior to 4.2.3 are vulnerable.

Malware Analyzer G2
All versions of MAG2 are vulnerable.

Management Center
MC 1.x prior to 1.2.1.1 is vulnerable to CVE-2014-0224, CVE-2014-0195, CVE-2014-0198, and CVE-2010-5298.  MC 1.3, 1.4, 1.5, 1.6, 1.7, and 1.8 are not vulnerable.

Norman Shark Industrial Control System Protection
ICSP 5.x prior to 5.3.1 is vulnerable.

Norman Shark Network Protection
NNP 5.x prior to 5.3.1 is vulnerable.

Norman Shark SCADA Protection
NSP 5.x prior to 5.3.1 is vulnerable.

ProxyAV
AVOS 3.4 prior to 3.4.2.7, and 3.5 prior to 3.5.2.1 are vulnerable.

ProxySG
SGOS 4.x, SGOS 5.5, and SGOS 6.2 prior to 6.2.15.6 are vulnerable to CVE-2014-0224.  SGOS 6.5 prior to 6.5.4.4 is vulnerable to CVE-2014-0224, CVE-2014-0198, and CVE-2010-5298.  SGOS 6.6 and 6.7 are not vulnerable.

Security Analytics Platform
SA 6.x prior to 6.6.10, 7.0, and 7.1 prior to 7.1.3 are vulnerable.  SA 7.2 is not vulnerable.

SSL Visibility
SSLV 3.6 and 3.7 prior to 3.7.3 are vulnerable to CVE-2010-5298, CVE-2014-0198, CVE-2014-0224, and CVE-2014-3470.  SSLV 3.8, 3.8.2F, 3.8.4FC, 3.9, 3.10, 3.11, and 4.0 are not vulnerable.

Unified Agent / Client Connector
UA 4.1 for Windows, OSX, Linux, and IBM are vulnerable.  UA 4.6 and 4.7 are not vulnerable.
Client Connector 1.x is vulnerable.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
Auth Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
Mail Threat Defense
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
X-Series XOS

Advisory Details: 

Six vulnerability fixes were announced in an OpenSSL Security Advisory June 5, 2014.

  • CVE-2014-0224 is a flaw in the handshake that allows an attacker to force the use of weak keying material in clients and servers. Using this flaw, an attacker can become a man-in-the-middle. Both the client and server must be using vulnerable versions of OpenSSL.
  • CVE-2014-0221 is a recursion flaw in DTLS that an attacker can exploit to create a denial of service attack on a client.
  • CVE-2014-0195 is a buffer overflow flaw in DTLS that an attacker can exploit to run arbitrary code on a vulnerable client or server.
  • CVE-2014-0198 is a NULL pointer flaw that an attacker can exploit when SSL_MODE_RELEASE_BUFFERS is enabled to create a denial of service attack.
  • CVE-2010-5298 is a race condition flaw when SSL_MODE_RELEASE_BUFFERS is enabled and when the application is multi-threaded. An attacker can exploit this vulnerability to inject data across sessions or create a denial of service.
  • CVE-2014-3470 is a flaw in the ECDH ciphersuite implementation. An attacker can exploit this vulnerability to create a denial of service attack for a client that is vulnerable.

Blue Coat products act as both client and server. Blue Coat hosts services such as WebPulse and licensing services that Blue Coat products may connect with as a client.

Some Blue Coat products that can be installed on client or on non-Blue Coat hardware use the version of OpenSSL that is already installed. Blue Coat urges our customers to update the versions of OpenSSL that are installed for Reporter on Linux, Unified Agent on Linux, and ProxyClient.

The products listed below are vulnerable to one or more of the OpenSSL vulnerabilities:

CacheFlow
CacheFlow 2.x and 3.x prior to 3.2.2.6 and 3.4.1.1 are vulnerable to CVE-2014-0224 when CacheFlow acts as a client or as a server for management connections.

Content Analysis System
CAS 1.1.x prior to 1.1.5.5 are vulnerable to CVE-2014-0224. All interfaces are vulnerable.

Director
Director 6.x prior to 6.1.13.1 is vulnerable to CVE-2014-0195 and CVE-2014-0224. Director 5.x is vulnerable to CVE-2014-0224.

DLP
All versions of DLP are vulnerable.  SSL/TLS secured sessions when acting as a client or server for any protocol, including HTTPS and LDAPS, are vulnerable.

IntelligenceCenter
IC 3.2.x is vulnerable to CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, and CVE-2014-3470.

Malware Analysis Appliance
MAA 1.1.x and 4.1.1 are vulnerable to CVE-2014-0195 and 2014-0224. 

Malware Analyzer G2
All versions of MAG2, including version 3.5.x, are vulnerable to CVE-2014-0195 and 2014-0224.

ProxyAV
AVOS 3.4 and 3.5 are vulnerable to CVE-2014-0224.

ProxySG
SGOS 6.5.x prior to 6.5.4.4 are vulnerable to CVE-2014-0224, CVE-2014-0198, and CVE-2010-5298.
SGOS 6.4.x prior to 6.4.6.4 are vulnerable to CVE-2014-0224.
SGOS 6.3.x are vulnerable to CVE-2014-0224.
SGOS 6.2.x prior to 6.2.15.6 are vulnerable to CVE-2014-0224.
SGOS 6.1.x are vulnerable to CVE-2014-0224.
SGOS 5.5.x are vulnerable to CVE-2014-0224.
SGOS 5.4.x are vulnerable to CVE-2014-0224.
SGOS 4.x is vulnerable to CVE-2014-0224.
In all cases, the vulnerabilities affect management, forward and reverse proxy when SSL/TLS are proxied, and HTTPS connections to Blue Coat.

Security Analytics Platform
SA 6.x and 7.x are vulnerable to CVE-2014-0224 and CVE-2014-3470. Only HTTPS connections over the management plane are vulnerable.

SSL Visibility
SSLV 3.7 (prior to 3.7.3) and 3.6 are vulnerable to CVE-2010-5298, CVE-2014-0198, CVE-2014-0224, and CVE-2014-3470.  Only HTTPS connections to the management plane are vulnerable.

Unified Agent / Client Connector
UA for Windows and OSX 4.1, UA for Linux and IBM 1.1, and Client Connector 1.x are vulnerable to CVE-2014-0224.  The vulnerability can only be exploited if the ProxySG the UA is connecting to is also vulnerable to CVE-2014-0224.

Workarounds: 

To prevent an attack against Unified Agent, upgrade ProxySG to a version that is not vulnerable to CVE-2014-0224.

Limit devices that can be used attack vulnerable products by restricting access, especially to administrative functionality. Update the version of OpenSSL on clients that connect to management interfaces.

Patches: 

BCAAA
BCAAA 6.1 - a fix will not be provided. CoreID is no longer supported and an updated Novell SDK is not available.
BCAAA 5.5 - a fix will not be provided. CoreID is no longer supported and an updated Novell SDK is not available.

CacheFlow
CacheFlow 3.x – a fix is available in 3.2.2.6 and 3.4.1.1
CacheFlow 2.x – a fix will not be provided.  Please upgrade to a later release with the vulnerability fixes.

Content Analysis System
CAS 1.1.x – a fix is available in 1.1.5.5 and later.

Director
Director 6.x – a fix is available in 6.1.13.1.
Director 5.x – a fix will not be provided.  Please upgrade to a later release with the vulnerability fixes.

DLP
DLP 9.x – a fix is not yet available.
DLP 8.x – please upgrade to a later release with the vulnerability fixes.
DLP 7.x – please upgrade to a later release with the vulnerability fixes.

IntelligenceCenter
IC 3.3 – a fix is available in 3.3.1.1.
IC 3.2 – please upgrade to a later release with the vulnerability fixes.

Malware Analysis Appliance
MAA 1.1 – please upgrade to a later release with the vulnerability fixes.
MAA 4.1 – a fix is available in patch release 4.1.2 and later versions.
MAA 4.2 - a fix is available in patch release 4.2.3 and later versions.

Malware Analyzer G2
MAG2 4.1 and prior – please upgrade to MAA 4.1.2 or later.

Management Center
MC 1.x - a fix is availble in 1.2.1.1.

Norman Shark Industrial Control System Protection
ICSP 5.x - a fix is available in 5.3.1.

Norman Shark Network Protection
NNP 5.x - a fix is available in 5.3.1.

Norman Shark SCADA Protection
NSP 5.x - a fix is available in 5.3.1.

ProxyAV
AVOS 3.5 – a fix is available in 3.5.2.1 and later.
AVOS 3.4 – a fix is available in 3.4.2.7 and later.

ProxySG
SGOS 6.5.4 – a fix is available in patch release 6.5.4.4 and later versions. 
SGOS 6.5.3 – please upgrade to a later release with the vulnerability fixes.
SGOS 6.5.2 – a fix is available in patch release 6.5.2.9 and later versions.
SGOS 6.5.1 – please upgrade to a later release with the vulnerability fixes.
SGOS 6.4 – a fix is available in patch release 6.4.6.4 and later versions.
SGOS 6.3 – please upgrade to a later release with the vulnerability fixes.
SGOS 6.2 – a fix is available in patch release 6.2.15.6 and later versions..
SGOS 6.1 – please upgrade to a later version with the vulnerability fixes.
SGOS 5.5 –please upgrade to a later version with the vulnerability fixes.
SGOS 5.4 – please upgrade to a later version with the vulnerability fixes.
SGOS 4.3 – please upgrade to a later version with the vulnerability fixes.

Security Analytics Platform
SA 7.1 – a fix is available in 7.1.3.
SA 7.0 – a patch RPM to update the version of OpenSSL is available through Blue Coat Support.
SA 6.6 – a fix is available in 6.6.10.
SA 6.0 – please upgrade to a later release with the vulnerability fixes.

SSL Visibility
SSL Visibility 3.7 – a fix is available in 3.7.3.
SSL Visibility 3.6 – please upgrade to a later release with the vulnerability fixes.

Unified Agent / Client Connector
Upgrade the ProxySG that the UA connects to such that it is not vulnerable to CVE-2014-0224.
UA 4.1 (Windows and OSX) – a fix will not be provided.  Please upgrade to UA 4.6 or later release with the vulnerability fixes.
UA 1.1 (Linux and IBM) – a fix will not be provided.  Please upgrade to UA 4.6 or later release with the vulnerability fixes.
Client Connector 1.x – a fix will not be provided.  Please upgrade to UA 4.6 or a later release with the vulnerability fixes.

Fixes for all products except Malware Analysis Appliance (MAA) are available to customers with a valid Blue Touch Online login. Please visit the Downloads section of BTO at https://bto.bluecoat.com/flexera.  Fixes for MAA are available only through the MAA update system.

Advisory History: 

2017-03-06 MC 1.8 is not vulnerable.  SGOS 6.7 is not vulnerable.  SSLV 3.11 and 4.0 are not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.6 and 1.7 are not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-15 Advanced Secure Gateway is not vulnerable.
2016-08-11 Security Analytics 7.2 is not vulnerable.
2016-08-10 Unified Agent 4.6 and 4.7 are not vulnerable.
2016-07-24 SGOS 6.6 is not vulnerable.
2016-05-26 ICSP, NNP, and NSP 5.x are vulnerable. Fixes are available in ICSP, NNP, and NSP 5.3.1.
2016-05-24 PolicyCenter S-Series is not vulnerable.
2016-05-21 MC 1.3, 1.4, and 1.5 are not vulnerable.
2016-05-12 General Auth Connector Login Application and K9 are not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-25 CacheFlow 3.4, CAS 1.2, CAS 1.3, IC 3.3, SSLV 3.8, SSLV 3.8.2F, SSLV 3.8.4FC, and SSLV 3.9 are not vulnerable.
2016-04-22 Mail Threat Defense is not vulnerable.
2016-03-09 ProxyAV ConLog and ConLogXP are not vulnerable.
2016-01-22 ClientConnector 1.x, UA 1.1 and UA 4.1 customers should upgrade to UA 4.6 or a later release with the vulnerability fixes.
2016-01-21 A fix for Director 5.x will not be provided. Please upgrade to a later release with the vulnerability fixes.
2015-12-02 Fixes for Security Analytics Platform are available
2015-10-02 All interfaces for ProxyAV are vulnerable in 3.4 and 3.5
2015-10-01 Corrected list of CVEs SSLV is vulnerable to
2015-09-30 Corrected CAS entry to show all interfaces were vulnerable
2015-07-26 Fixes for CacheFlow are available
2015-03-11 Clarified CVEs SGOS is vulnerable to; no fix will be provided for SGOS 5.5; Unified Agent will not be fixed
2014-03-03 Fixes for SA are available; fix for MAA 4.2 is available; MC is vulnerable and a fix is available
2014-02-20 Auth Connector is not vulnerable; BCAAA may be vulnerable but fixes will not be provided
2014-02-19 Fixes for SGOS 5.4, 6.1, and 6.3 will not be provided
2015-01-21 Fix for ProxyAV 3.4 added, fix for CAS added.
2014-09-10 Added fix for SGOS 6.5.2.9 and clarified fixes for other 6.5.x releases.
2014-09-04 Clarification on versions of ProxyAV that are vulnerable.
2014-07-23 Fixes for ProxyAV and SSLV are available.
2014-07-22 Fix fir Director is available.
2014-07-21 Fix for CacheFlow is available, BCAAA is listed as not being vulnerable, IC 3.3 release added, IC 3.2 will not be fixed
2014-07-09 Clarification that fixes are available in later versions than the patch version mentioned.
2014-06-24 Fix for ProxySG 6.4 patch release added, DLP information added
2014-06-18 ProxyAV 3.4 will not be fixed
2014-06-17 Made terminology consistent using HTTPS connections instead of SSL/TLS connections
2014-06-16 Added fix for MAA and instructions on download, clarified versions for SGOS, added clarification for ProxyAV vulnerable interfaces
2014-06-10 Added fix for ProxySG 6.2 and information about MAG2; clarified that Reporter is not vulnerable
2014-06-06 Added Client Connector and Unified Agent versions
2014-06-06 Initial public release

 

Feedback