Symantec Security Response, SMNTC-1352
Mar 11, 2016 - 8:00 a.m.

SA115 : Multiple nginx DNS resolver vulnerabilities


CVSS3: 9.8 High
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | PARTIAL
Availability Impact | PARTIAL
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P

SUMMARY

Blue Coat products that include affected versions of nginx and enable the nginx DNS resolver are susceptible to multiple vulnerabilities. A remote attacker, with access to the management interface, can exploit these vulnerabilities to cause denial of service. In some cases, the attacker may also cause nginx to execute arbitrary code.

AFFECTED PRODUCTS

The following products are vulnerable:

Norman Shark Industrial Control System Protection (ICSP)

CVE | Affected Version(s) | Remediation
All CVEs | 5.4 | Not vulnerable, fixed in 5.4.1.
All CVEs | 5.3 | Upgrade to later release with fixes.

Norman Shark Network Protection (NNP)

CVE | Affected Version(s) | Remediation
All CVEs | 5.3 | A fix will not be provided.

Norman Shark SCADA Protection (NSP)

CVE | Affected Version(s) | Remediation
All CVEs | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.

The following products have a vulnerable version of nginx, but are not vulnerable to known vectors of attack:

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
All CVEs | 3.11 and later | Not vulnerable, fixed in 3.11.1.1.
All CVEs | 3.10 | Upgrade to 3.10.2.1.
All CVEs | 3.9 | Upgrade to 3.9.7.1.
All CVEs | 3.8, 3.8.4FC | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Blue Coat products do not enable or use all functionality within nginx. The products listed below include a vulnerable version of nginx, but do not enable the DNS resolver, and are not known to be vulnerable to the CVEs in this Security Advisory. However, fixes for those CVEs will be included in the patches that are provided.

  • SSLV

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Malware Analysis Appliance
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
Unified Agent
Web Isolation
X-Series XOS

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2016-0742

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 82230 / NVD: CVE-2016-0742
Impact | Denial of service
Description | A flaw in the nginx DNS resolver allows a remote attacker to send crafted DNS responses to nginx and cause it to perform an out of bounds read or dereference an invalid pointer. This can cause nginx to crash, resulting in denial of service.

CVE-2016-0746

Severity / CVSSv2 | Medium / 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 82230 / NVD: CVE-2016-0746
Impact | Denial of service, code execution
Description | A use-after-free flaw in the nginx DNS resolver allows a remote attacker, who can trigger DNS resolution on the target, to send crafted DNS responses to nginx. This attack can cause an nginx worker process to crash or execute arbitrary code.

CVE-2016-0747

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 82230 / NVD: CVE-2016-0747
Impact | Denial of service
Description | A flaw in the nginx DNS resolver allows a remote attacker, who can trigger DNS resolution on the target, to send crafted DNS responses to nginx. This attack can cause nginx worker processes to consume excessive resources, resulting in denial of service.
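
All three CVEs above depend on the nginx DNS resolver being enabled, which is the condition this advisory uses to separate the vulnerable products from SSLV. The following Python script is an added example, not part of the Symantec advisory or of nginx: it lists the active `resolver` directives in an nginx configuration and classifies each configured server address for review. The sample configuration and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config; not taken from any product named in the advisory.
SAMPLE_CONF = """
http {
    # resolver 192.0.2.1;   (commented out, must be ignored)
    resolver 127.0.0.1 [::1]:5353 valid=30s;
    server {
        location /api/ {
            resolver 8.8.8.8 ipv6=off;
            proxy_pass https://$upstream_host;
        }
    }
}
"""

# Tokens: quoted strings, '#' comments, block/statement punctuation, bare words.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*|[{};]|[^\s{};]+')

def address_scope(arg):
    """Return (host, scope) for one resolver address argument, port stripped."""
    host = arg[1:].partition("]")[0] if arg.startswith("[") else arg.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host, "hostname"
    if ip.is_loopback:
        return host, "loopback"
    return host, "private" if ip.is_private else "public"

def find_resolvers(conf_text):
    """Return [(block_context, [(host, scope), ...])] per active resolver directive."""
    findings, stack, stmt = [], [], []
    for tok in TOKEN.findall(conf_text):
        if tok.startswith("#"):
            continue
        if tok not in ("{", "}", ";"):
            stmt.append(tok.strip("\"'"))
            continue
        if tok == "{":
            stack.append(stmt[0] if stmt else "?")
        elif tok == "}" and stack:
            stack.pop()
        elif tok == ";" and stmt and stmt[0] == "resolver":
            addrs = [address_scope(a) for a in stmt[1:] if "=" not in a]
            findings.append(("/".join(stack) or "main", addrs))
        stmt = []
    return findings
```

An empty result means no `resolver` directive is active in the text scanned; files pulled in with `include` have to be scanned separately.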

REFERENCES

nginx security advisory - <https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html?_ga=1.39922274.1787485893.1455026502>

REVISION

2020-04-21 A fix will not be provided for Industrial Control System Protection (ICSP) 5.3. Please upgrade to a later version with the vulnerability fixes. Advisory status changed to Closed.
2019-10-02 Web Isolation is not vulnerable.
2018-09-21 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-03-16 PacketShaper S-Series is not vulnerable.
2017-03-16 A fix for SSLV 3.10 is available in 3.10.2.1.
2017-03-06 SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-01-13 A fix for SSLV 3.9 is available in 3.9.7.1.
2016-12-04 A fix is available in SSLV 3.11.1.1.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 has a vulnerable version of nginx, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2016-06-11 PolicyCenter S-Series is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-25 Mail Threat Defense is not vulnerable.
2016-03-11 initial public release
