Security Advisory ID: SYMSA1343
Initial Publication Date: 29 Jan 2016
Blue Coat products that support the TLS 1.2 protocol are vulnerable to transcript collision attacks that exploit weak MD5 hashes. A man-in-the-middle may exploit these attacks to break TLS 1.2 client authentication, TLS 1.2 server authentication, and the TLS channel bindings used for application-level authentication protocols over TLS.
| Product | CVE | Affected Version(s) | Remediation |
|---|---|---|---|
| Advanced Secure Gateway (ASG) | CVE-2015-7575 | 6.7 and later | Not vulnerable, fixed in 126.96.36.199 |
| Advanced Secure Gateway (ASG) | CVE-2015-7575 | 6.6 | Upgrade to 188.8.131.52. |
| Content Analysis System (CAS) | CVE-2015-7575 | 2.1 and later | Not vulnerable, fixed in 184.108.40.206 |
| Content Analysis System (CAS) | CVE-2015-7575 | 1.3 | Upgrade to 220.127.116.11. |
| Content Analysis System (CAS) | CVE-2015-7575 | 1.1, 1.2 | Upgrade to later release with fixes. |
| [product name missing from source] | CVE-2015-7575 | 6.1 | Not available at this time |
| Mail Threat Defense (MTD) | CVE-2015-7575 | 1.1 | Upgrade to 18.104.22.168. |
| Malware Analysis Appliance (MAA) | CVE-2015-7575 | 4.2 | Upgrade to 4.2.8. |
| Management Center (MC) | CVE-2015-7575 | 1.6 and later | Not vulnerable, fixed in 22.214.171.124 |
| Management Center (MC) | CVE-2015-7575 | 1.5 | Upgrade to 126.96.36.199. |
| Management Center (MC) | CVE-2015-7575 | 1.4 | Upgrade to later release with fixes. |
| Norman Shark Industrial Control System Protection (ICSP) | CVE-2015-7575 | 5.3 | Upgrade to 5.3.6. |
| Norman Shark Network Protection (NNP) | CVE-2015-7575 | 5.3 | Upgrade to 5.3.6. |
| Norman Shark SCADA Protection (NSP) | CVE-2015-7575 | 5.3 | Upgrade to 5.3.6. |
| PacketShaper (PS) S-Series | CVE-2015-7575 | 11.6 and later | Not vulnerable, fixed in 188.8.131.52 |
| PacketShaper (PS) S-Series | CVE-2015-7575 | 11.2, 11.3, 11.4, 11.5 | Upgrade to later release with fixes. |
| PolicyCenter (PC) S-Series | CVE-2015-7575 | 1.1 | Upgrade to 184.108.40.206. |
| ProxySG | CVE-2015-7575 | 6.7 | Not vulnerable, fixed in 220.127.116.11 |
| ProxySG | CVE-2015-7575 | 6.6 | Upgrade to 18.104.22.168. |
| ProxySG | CVE-2015-7575 | 6.5 | Upgrade to 22.214.171.124. |
| Reporter | CVE-2015-7575 | 10.1 | Upgrade to 10.1.4.1. |
| Security Analytics (SA) | CVE-2015-7575 | 7.2 and later | Not vulnerable, fixed in 7.2.1 |
| Security Analytics (SA) | CVE-2015-7575 | 7.1 | Upgrade to 7.1.11. |
| Security Analytics (SA) | CVE-2015-7575 | 7.0 | Upgrade to later release with fixes. |
| Security Analytics (SA) | CVE-2015-7575 | 6.6 | Upgrade to 6.6.12. |
| SSL Visibility (SSLV) | CVE-2015-7575 | 3.10 and later | Not vulnerable, fixed in 126.96.36.199 |
| SSL Visibility (SSLV) | CVE-2015-7575 | 3.9 | Upgrade to 188.8.131.52. |
| SSL Visibility (SSLV) | CVE-2015-7575 | 3.8.4FC | Upgrade to 3.8.4FC-55. |
| SSL Visibility (SSLV) | CVE-2015-7575 | 3.8 | Upgrade to later release with fixes. |
| Unified Agent (UA) | CVE-2015-7575 | 4.6 and later | Not vulnerable, fixed in 4.6.1 |
| Unified Agent (UA) | CVE-2015-7575 | 4.1 | Upgrade to later release with fixes. |
Additional Product Information
Blue Coat products marked as vulnerable in this security advisory are vulnerable to the impersonation attacks against TLS 1.2 client and server authentication. Blue Coat products do not use tls-unique channel bindings and are not vulnerable to the application-level authentication credential forwarding attack. This security advisory does not address the SLOTH attacks against TLS 1.3, SSH, and IKE v1/v2.
Blue Coat products that use a native installation of a TLS library, but do not install or maintain that implementation, are not vulnerable to SLOTH. However, the underlying platform or application that installs and maintains the TLS library may be vulnerable. Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for MacOSX, ProxyClient for MacOSX, and Reporter 9.x for Linux.
The following products are not vulnerable:
Android Mobile Agent
Blue Coat HSM Agent for the Luna SP
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
ProxyAV ConLog and ConLogXP
The following products are under investigation:
Blue Coat no longer provides vulnerability information for the following products:
Please contact Digital Guardian technical support regarding vulnerability information for DLP.
Network security protocols, such as TLS, use message transcripts that allow communicating parties to keep track of the protocol messages they have observed. The parties exchange and verify authenticated hashes of their transcripts to ensure that both parties have observed the same set of messages and that the messages have not been tampered with by a man-in-the-middle (MITM).
Transcript collision attacks are a class of attacks where a MITM, given a legitimate message transcript, can find a different transcript of malicious messages that has the same transcript hash. The attacker can thus modify the legitimate messages with malicious content without being detected by the communicating parties. SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) is a set of practical transcript collision attacks against TLS 1.2 and other protocols. The SLOTH attacks exploit the use of weak MD5 hashes for digital signatures and other weak hashing constructs.
This security advisory addresses the following SLOTH transcript collision attacks:
- Breaking TLS 1.2 Client Authentication using a Chosen-Prefix Transcript Collision: A MITM can break TLS 1.2 client authentication to impersonate a client and obtain the TLS master secret and session keys. The attacker can force the client to use a DHE cipher suite and to sign a weak MD5 hash of the TLS handshake transcript in the ClientCertificateVerify TLS handshake message. The attacker uses a chosen-prefix transcript collision to find a set of modified handshake messages with the same transcript hash. The client receives the malicious messages and signs the message transcript with its private key. The attacker then forwards the signed transcript to the server. The server does not detect a discrepancy because the malicious message transcript hash matches its own transcript hash. The MITM also modifies the client's ClientKeyExchange messages to obtain the TLS master secret and session keys.
- Breaking TLS 1.2 Server Authentication using a Generic Transcript Collision: A MITM can break TLS 1.2 server authentication to impersonate a server and obtain the TLS master secret and session keys. To prepare for the attack, the attacker must collect a large number of MD5 hashes and respective RSA-MD5 signatures produced by the server. The MITM then intercepts the TLS handshake and produces a modified ServerKeyExchange message with the same hash as one of the pre-collected hashes. The attacker sends the malicious ServerKeyExchange message to the server with the pre-collected RSA-MD5 signature. Having control over the key exchange allows the attacker to obtain the TLS master secret and session keys.
- Breaking the tls-unique Channel Binding using a Generic Transcript Collision: A MITM can break tls-unique channel bindings to perform a credential forwarding attack on application-level authentication protocols. This attack exploits the loss of security caused by the truncation of the TLS handshake transcript hashes used to compute the TLS channel binding. The attacker intercepts the TLS handshake messages and chooses malicious ClientKeyExchange, ServerKeyExchange and NextProtocolNegotiation messages that produce a generic transcript collision on the truncated handshake transcript hashes. Controlling the key exchange messages allows the attacker to obtain the TLS master secret and session keys. The MITM then exploits the transcript collision to forward the client's application-level authentication credentials to the server.
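Both the client- and server-authentication attacks above depend on one negotiable detail: a peer that still lists an MD5-based pair in the TLS 1.2 signature_algorithms extension (RFC 5246, section 7.4.1.4.1) can be steered into signing an MD5 transcript hash. The example below is added here and is not Blue Coat's code or part of the advisory; it parses the raw extension bytes of a constructed ClientHello, flags the weak pairs, emits the hardened list a patched peer would offer, and shows a transcript-hash helper that refuses the weak hash outright. The code-point tables are the ones in RFC 5246; treating SHA-1 alongside MD5 as weak is this example's own conservative policy, not a statement from the advisory.

```python
"""Audit a TLS 1.2 signature_algorithms extension for the weak hash pairs that
transcript collision attacks rely on.

Added example, not Blue Coat's code. The extension bytes in SAMPLE_EXT are
constructed for illustration and do not come from any real handshake.
"""
import hashlib
import struct

# HashAlgorithm and SignatureAlgorithm code points from RFC 5246 section 7.4.1.4.1
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
EXT_SIGNATURE_ALGORITHMS = 13  # extension type of signature_algorithms

# Policy (this example's assumption): MD5 is what SLOTH exploits; SHA-1 is
# rejected as well because it is no longer collision resistant either.
WEAK_HASHES = {1, 2}


def parse_signature_algorithms(ext: bytes):
    """Parse one extension blob (type | length | body) into (hash, sig) pairs.

    Length fields are checked before use so a truncated or inconsistent
    extension is rejected instead of being partially parsed.
    """
    if len(ext) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != EXT_SIGNATURE_ALGORITHMS:
        raise ValueError(f"not a signature_algorithms extension (type {ext_type})")
    body = ext[4:4 + ext_len]
    if len(body) != ext_len or ext_len < 2:
        raise ValueError("extension body truncated")
    (list_len,) = struct.unpack("!H", body[:2])
    pairs_blob = body[2:2 + list_len]
    if len(pairs_blob) != list_len or list_len % 2:
        raise ValueError("supported_signature_algorithms length invalid")
    # Each SignatureAndHashAlgorithm is two bytes: hash, then signature.
    return [(pairs_blob[i], pairs_blob[i + 1]) for i in range(0, list_len, 2)]


def describe(pair):
    """Human-readable name such as 'rsa-md5' for a (hash, sig) pair."""
    h, s = pair
    return f"{SIG_NAMES.get(s, f'sig{s}')}-{HASH_NAMES.get(h, f'hash{h}')}"


def weak_pairs(pairs):
    """Pairs a peer should never be allowed to sign a transcript with."""
    return [p for p in pairs if p[0] in WEAK_HASHES]


def harden(pairs):
    """The offered list with every weak-hash pair removed (order preserved)."""
    return [p for p in pairs if p[0] not in WEAK_HASHES]


def encode_signature_algorithms(pairs) -> bytes:
    """Serialize (hash, sig) pairs back into an extension blob."""
    body = b"".join(bytes(p) for p in pairs)
    return struct.pack("!HHH", EXT_SIGNATURE_ALGORITHMS, len(body) + 2, len(body)) + body


def transcript_hash(handshake_messages, hash_code) -> bytes:
    """Hash a handshake transcript with the negotiated hash, refusing weak ones.

    A signer that checks here cannot be talked into producing the MD5 transcript
    signature the chosen-prefix attack needs, whatever the peer offered.
    """
    if hash_code in WEAK_HASHES:
        raise ValueError(f"refusing to sign transcript with {HASH_NAMES[hash_code]}")
    h = hashlib.new(HASH_NAMES[hash_code])
    for message in handshake_messages:
        h.update(message)
    return h.digest()


# Constructed ClientHello extension offering rsa-sha256, rsa-md5, ecdsa-sha256, rsa-sha1
SAMPLE_EXT = encode_signature_algorithms([(4, 1), (1, 1), (4, 3), (2, 1)])

if __name__ == "__main__":
    offered = parse_signature_algorithms(SAMPLE_EXT)
    print("offered :", [describe(p) for p in offered])
    print("weak    :", [describe(p) for p in weak_pairs(offered)])
    print("hardened:", [describe(p) for p in harden(offered)])
```

On a real capture the same parser can be pointed at the signature_algorithms extension of a ClientHello or CertificateRequest to confirm that a patched appliance no longer offers or requests rsa-md5; the hardened list is what the fixed releases in the table above are expected to send.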
| Field | Value |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| References | SecurityFocus: BID 79684 / NVD: CVE-2015-7575 |
| Impact | Information disclosure, unauthorized modification of data |
| Description | Products that support the TLS 1.2 protocol are vulnerable to transcript collision attacks that exploit weak MD5 hashes. |
SLOTH - https://www.mitls.org/pages/attacks/SLOTH
SLOTH technical paper - https://www.mitls.org/downloads/transcript-collisions.pdf
2018-04-22 PacketShaper S-Series 11.9 and 11.10 are not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-08 A fix for PolicyCenter S-Series 1.1 is available in 184.108.40.206.
2017-03-06 MC 1.8 is not vulnerable. ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-12-04 PacketShaper S-Series 11.7 is not vulnerable. SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-22 MC 1.6 and 1.7 are not vulnerable.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 Security Analytics 7.2 is not vulnerable.
2016-06-30 A fix for PacketShaper 11.x is available in 220.127.116.11.
2016-06-23 A fix is available in ASG 18.104.22.168.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-26 A fix for Reporter 10.1 is available in 10.1.4.1.
2016-05-19 Fixes are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-27 MTD 1.1 is vulnerable and a fix is available in 22.214.171.124.
2016-04-20 PS S-Series 11.2, 11.3, 11.4, and 11.5 are vulnerable. PC S-Series 1.1 is vulnerable.
2016-03-17 Clarified that SSLV 3.9 prior to 126.96.36.199 is vulnerable and that UA 4.6 is not vulnerable.
2016-03-14 A fix for CAS 1.3 is available in 188.8.131.52. A fix for MC 1.5 is available in 184.108.40.206.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8.
2016-02-19 A fix for MC 1.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-02-16 A fix for ProxySG 6.5 is available in 220.127.116.11.
2016-02-12 Fixes for CAS 1.1 and 1.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-02-04 ProxySG 6.6 prior to 18.104.22.168 is vulnerable.
2016-01-29 Initial public release.