|Security Advisory ID SYMSA1305|
Initial Publication Date:
17 Nov 2014
Blue Coat products using Mozilla Network Security Services (NSS) for certificate validation are vulnerable to certificate validation flaw when validating RSA X.509 certificates. A remote attacker may exploit this vulnerability using a specially crafted X.509 certificate to spoof a legitimate certificate.
The following products are vulnerable:
Content Analysis System
CAS 1.1.x prior to 220.127.116.11 and 1.2.x prior to 18.104.22.168 are vulnerable. CAS 1.3 is not vulnerable.
Director 6.1 prior to 22.214.171.124 is vulnerable. Director uses NSS for update image downloads and connections to Blue Coat.
MC 1.x prior to 126.96.36.199 is vulnerable. MC 1.3, 1.4, 1.5, 1.6, 1.7, and 1.8 are not vulnerable. MC uses NSS for Java, SSH, and LDAPS connections.
SA 6.6 prior to 6.6.10, 7.0, and 7.1 prior to 7.1.5 are vulnerable. SA 7.2 is not vulnerable.
All versions of XOS are vulnerable. XOS uses NSS only for LDAPS connections, however LDAP is not enabled by default.
Content Analysis System
CAS 1.2 - a fix is available in 188.8.131.52.
CAS 1.1 - a fix is available in 184.108.40.206.
Director 6.1 - a fix is available in 220.127.116.11.
MC 1.2 - a fix is available in 18.104.22.168.
MC 1.1 - a fix will not be provided.
SA 7.1 – a fix is available in 7.1.5.
SA 7.0 – a patch RPM to update the version of OpenSSL is available through Blue Coat Support.
SA 6.6 – a fix is available in 6.6.10.
SA 6.0 – an updated release with a fix will not be provided, please upgrade to the latest SA version with a fix.
XOS 11.0.0 – a fix is available in 11.0.0.
XOS 10.0 – a fix is available in 10.0.3.
XOS 9.7 – a fix is available in 9.7.6.
XOS 9.6 – a fix is available in 9.6.10.
XOS prior to 9.6 – a fix will not be provided. Please upgrade to the latest XOS release with the vulnerability fix.
Additional Product Information
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
Mail Threat Defense
Malware Analysis Appliance
Malware Analyzer G2
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
ProxyAV ConLog and ConLogXP
Blue Coat no longer provides vulnerability information for the following products:
Please contact Digital Guardian technical support regarding vulnerability information for DLP.
CVE-2014-1568 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
The Mozilla Network Security Services (NSS) library incorrectly parses PKCS#1 v1.5 padded signatures. This flaw allows an attacker to forge a digital certificate when an RSA key with a low public exponent is used. This vulnerability is a variant of the Bleichenbacher flaw.
Blue Coat products that use the NSS library for signature validation of a client or server certificate are vulnerable. Certificates are validated most often during the SSL/TLS session establishment. Certificates may also be validated as part of certificate based authentication using other protocols.
CVE-2014-1568 - https://nvd.nist.gov/vuln/detail/CVE-2014-1568
US CERT VU#772676 - https://www.kb.cert.org/vuls/id/772676
Mozilla Foundation Security Advisory 2014-73 - https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/
2017-02-15 MC 1.8 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. SA status moved to Final.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.6 and 1.7 are not vulnerable.
2016-09-15 Advanced Secure Gateway is not vulnerable.
2016-08-11 Security Analytics 7.2 is not vulnerable.
2016-06-16 PolicyCenter S-Series is not vulnerable.
2016-05-21 General Auth Connector Login Application and K9 are not vulnerable. MC 1.3, 1.4, and 1.5 are not vulnerable.
2016-05-20 ProxyAV ConLog and ConLogXP is not vulnerable. CAS 1.3 is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-23 Mail Threat Defense is not vulnerable.
2016-01-21 Director is vulnerable and a fix is available.
2016-01-19 CacheFlow, IntelligenceCenter, and IntelligenceCenter Data Collector are not vulnerable.
2016-01-18 PolicyCenter is not vulnerable
2016-01-14 PacketShaper is not vulnerable
2015-12-02 All fixes are available for Security Analytics Platform
2015-10-01 SSLV is not vulnerable
2015-09-30 Fix is available for CAS 1.1
2015-7-02 Fixes are available for XOS 9.6 and later
2015-03-12 Fixes are available for Security Analytics
2015-03-11 IntelligenceCenter is under investigation
2015-03-04 SSL Visibility is under investigation
2015-03-03 Fix is available for MC
2015-02-20 Norman Shark products, Auth Connector, and BCAAA are not vulnerable
2015-02-19 PacketShaper S-Series is not vulnerable
2015-02-17 Specifically noted products that are not vulnerable - Android Mobile Agent, Client Connector, MAA, MAG2, OPIC, ProxyAV, ProxyClient, ProxySG, Reporter, Unified Agent
2015-01-21 MAA and MAG2 are not vulnerable. ProxyAV is not vulnerable. Fix is available for CAS 1.2.
2015-01-20 Advanced Secure Gateway Limited Availability version is vulnerable
2014-12-22 MC 1.1 will not be fixed
2014-11-17 Initial public release