|Security Advisory ID SYMSA1291|
Initial Publication Date:
9 Apr 2014
Blue Coat products using affected versions of OpenSSL 1.0.1 that support TLS/DTLS heartbeats are vulnerable to a buffer over-read that discloses information kept in process memory. A remote attacker may exploit this vulnerability to obtain keys, passwords, and other sensitive data kept in memory.
The following products are vulnerable:
Content Analysis System
CAS 18.104.22.168 through 22.214.171.124 (inclusive) are vulnerable.
Malware Analysis Appliance
MAA 1.1 is vulnerable.
ProxyAV 126.96.36.199 through 188.8.131.52 (inclusive) are vulnerable. Previous versions do not use versions of OpenSSL that are affected and are therefore not vulnerable.
ProxySG from 184.108.40.206 through 220.127.116.11 (inclusive) are vulnerable. Reverse and forward proxy are vulnerable, as are management interfaces. Previous versions do not use versions of OpenSSL that are affected and are therefore not vulnerable.
SSL Visibility version 3.7.0 is vulnerable. Previous versions do not use versions of OpenSSL that are affected and are therefore not vulnerable. Only TLS connections to the management plane are vulnerable; TLS connections to the data plane do not use OpenSSL and are therefore not affected.
After installing a patch, customers are urged to employ recovery procedures including revoking certificates for private keys that may have been compromised, changing passwords that may have been compromised, and notifying users of possible data leakage.
Content Analysis System
CAS 1.1 – a fix is available in patch release 18.104.22.168 and later.
Malware Analysis System
MAA 1.1 – a fix is availalbe in patch release 1.1.1 and later.
ProxyAV 3.5 – a fix is available in patch release 22.214.171.124 and later..
ProxySG 6.5.3 – a fix is available in patch release 126.96.36.199 and later.
ProxySG 6.5.2 – a fix is available in patch release 188.8.131.52 and later.
ProxySG 6.5.1 – a fix is available in patch release 184.108.40.206 and later.
SSL Visibility 3.7 – a workaround fix is available in patch 3.7.0-69 to disable heartbeat. A fix is availble in maintenance release 3.7.1. Blue Coat recommends that customers update to 3.7.1.
Fixes are available to customers with a valid Blue Touch Online login.
Additional Product Information
Content Analysis System is vulnerable only on the secure ICAP interface. The severity is Medium with a CVSS v2 base score of 4.8 (AV:A/AC:L/Au:N/C:P/I:P/A:N).
Malware Analysis Appliance is vulnerable only on the web based administrative interface. The severity is High with a CVSS v2 base score of 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C).
ProxyAV is vulnerable on the ICAP and web based administrative interfaces. The severity is High with a CVSS v2 base score of 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C).
ProxySG is vulnerable on the forward and reverse proxy interfaces, and the web based administrative interface. The severity of the administrative and forward proxy interfaces is High with a CVSS v2 base score of 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C). The severity of the reverse proxy interface is Medium with a CVSS v2 base score of 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N).
SSL Visibility is vulnerable only on the web based administrative interface. The severity is High with a CVSS v2 base score of 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C).
The following products are not vulnerable:
Security Analytics Platform
CVE-2014-0160 – CVSS v2 base score: 9.4 (AV:N/AC:L/Au:N/C:C/I:C/A:N)
CVE-2014-0160 (VU#720951) is a buffer over-read flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The vulnerability is addressed in OpenSSL 1.0.1g. OpenSSL 1.0.1 through 1.0.1f are vulnerable. Vulnerable versions do not handle the heartbeat extension packets properly and will return additional information from the server’s adjacent process memory to the requester.
Blue Coat products using a vulnerable version of OpenSSL with the heartbeat option enabled are vulnerable. This vulnerability only applies to products acting as a server in the TLS session.
An attacker may exploit this flaw to download up to 64 kB of private memory from a server. The attacker cannot specify the location of the memory to read. The exploit can be employed repeatedly to obtain as much information as desired. There is no way to detect that an attacker has exploited this vulnerability or to know what portions of memory may be provided.
Memory may contain private keys, symmetric keys, user names, passwords, data used by the service, and data from TLS connections. An attacker could use this information to become a man-in-the-middle for other connections and decrypt traffic previously intercepted. An attacker may also use the passwords to impersonate a user or a client.
Until patches are made available, the following workarounds may be applied:
- Downgrade to a previous version that is not vulnerable. Select the latest patch release available for ProxyAV 3.4, ProxySG 6.4, and SSL Visibility 3.6.
- Restrict access to vulnerable products, especially to administrative functionality.
CVE-2014-0160 - https://nvd.nist.gov/vuln/detail/CVE-2014-0160
Vulnerability Note VU#720951 - https://www.kb.cert.org/vuls/id/720951
OpenSSL advisory - https://www.openssl.org/news/secadv/20140407.txt
Heartbleed website - http://heartbleed.com/
2014-08-14 Added fixes for ProxySG 6.5.2 and 6.5.1. Changed status to "Final".
2014-05-09 Added fix for ProxyAV
2014-04-16 Removed fix for ProxyAV.
2014-04-16 Added fixes for CAS adn SSL Visibility.
2014-04-14 Added fix for ProxyAV.
2014-04-11 Added fix for MAA.
2014-04-10 Increased severity to High from Medium, and provided vulnerable interfaces and individual CVSS scores for each product in Details.
2014-04-09 Added PacketShaper S500 as not vulnerable.
2014-04-09 Further refinement on exact versions of ProxyAV that are vulnerable.
2014-04-09 Further refinement on exact versions of CAS and MAA that are vulnerable.
2014-04-09 Minor clarification on restricting access as a workaround.
2014-04-09 Minor update to specify exact version of SSL Visibility that is vulnerable.
2014-04-09 Initial public release