SA108 : Transcript Collision Attacks Against TLS 1.2 (SLOTH)
- Status: Open
- Severity: Medium
- CVSS Base Score: CVSS v2: 4.3
Blue Coat products that support the TLS 1.2 protocol are vulnerable to transcript collision attacks that exploit weak MD5 hashes. A man-in-the-middle may exploit these attacks to break TLS 1.2 client authentication, TLS 1.2 server authentication, and the TLS channel bindings used for application-level authentication protocols over TLS.
|Advanced Secure Gateway (ASG)|
||6.7 and later||Not vulnerable, fixed in 220.127.116.11|
|6.6||Upgrade to 18.104.22.168.|
|Content Analysis System (CAS)|
||2.1 and later||Not vulnerable, fixed in 22.214.171.124|
|1.3||Upgrade to 126.96.36.199.|
|1.1, 1.2||Upgrade to later release with fixes.|
|CVE-2015-7575||6.1||Not available at this time|
|Mail Threat Defense (MTD)|
|CVE-2015-7575||1.1||Upgrade to 188.8.131.52.|
|Malware Analysis Appliance (MAA)|
|CVE-2015-7575||4.2||Upgrade to 4.2.8.|
|Management Center (MC)|
|CVE-2015-7575||1.6 and later||Not vulnerable, fixed in 184.108.40.206|
|1.5||Upgrade to 220.127.116.11.|
|1.4||Upgrade to later release with fixes.|
|Norman Shark Industrial Control System Protection (ICSP)|
|CVE-2015-7575||5.3||Upgrade to 5.3.6.|
|Norman Shark Network Protection (NNP)|
|CVE-2015-7575||5.3||Upgrade to 5.3.6.|
|Norman Shark SCADA Protection (NSP)|
|CVE-2015-7575||5.3||Upgrade to 5.3.6.|
|PacketShaper (PS) S-Series|
|CVE-2015-7575||11.6 and later||Not vulnerable, fixed in 18.104.22.168|
|11.2, 11.3, 11.4, 11.5||Upgrade to later release with fixes.|
|PolicyCenter (PC) S-Series|
|CVE-2015-7575||1.1||Upgrade to 22.214.171.124.|
|CVE-2015-7575||6.7||Not vulnerable, fixed in 126.96.36.199|
|6.6||Upgrade to 188.8.131.52.|
|6.5||Upgrade to 184.108.40.206.|
|CVE-2015-7575||10.2 and later||Not vulnerable, fixed in 10.2.1.1.|
|10.1||Upgrade to 10.1.4.1.|
|Security Analytics (SA)|
|CVE-2015-7575||7.2 and later||Not vulnerable, fixed in 7.2.1|
|7.1||Upgrade to 7.1.11.|
|7.0||Upgrade to later release with fixes.|
|6.6||Upgrade to 6.6.12.|
|SSL Visibility (SSLV)|
|CVE-2015-7575||3.10 and later||Not vulnerable, fixed in 220.127.116.11|
|3.9||Upgrade to 18.104.22.168.|
|3.8.4FC||Upgrade to 3.8.4FC-55.|
|3.8||Upgrade to later release with fixes.|
|Unified Agent (UA)|
|CVE-2015-7575||4.6 and later||Not vulnerable, fixed in 4.6.1|
|4.1||Upgrade to later release with fixes.|
Blue Coat products marked as vulnerable in this security advisory are vulnerable to the impersonation attacks against TLS 1.2 client and server authentication. Blue Coat products do not use tls-unique channel bindings and are not vulnerable to the application-level authentication credential forwarding attack. This security advisory does not address the SLOTH attacks against TLS 1.3, SSH, and IKE v1/v2.
Blue Coat products that use a native installation of a TLS library, but do not install or maintain that implementation, are not vulnerable to SLOTH. However, the underlying platform or application that installs and maintains the TLS library may be vulnerable. Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for MacOSX, ProxyClient for MacOSX, and Reporter 9.x for Linux.
The following products are not vulnerable:
Android Mobile Agent
Blue Coat HSM Agent for the Luna SP
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
ProxyAV ConLog and ConLogXP
The following products are under investigation:
Blue Coat no longer provides vulnerability information for the following products:
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.
Network security protocols, such as TLS, use message transcripts that allow communicating parties to keep track of the protocol messages they have observed. The parties exchange and verify authenticated hashes of their transcripts to ensure that both parties have observed the same set of messages and that the messages have not been tampered with by a man-in-the-middle (MITM).
Transcript collision attacks are a class of attacks where a MITM, given a legitimate message transcript, can find a different transcript of malicious messages that has the same transcript hash. The attacker can thus modify the legitimate messages with malicious content without being detected by the communicating parties. SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) is a set of practical transcript collision attacks against TLS 1.2 and other protocols. The SLOTH attacks exploit the use of weak MD5 hashes for digital signatures and other weak hashing constructs.
This security advisory addresses the following SLOTH transcript collision attacks:
|Severity / CVSSv2||Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)|
|References||SecurityFocus: BID 79684 / NVD: CVE-2015-7575|
|Impact||Information disclosure, unauthorized modification of data|
|Description||Products that support the TLS 1.2 protocol are vulnerable to transcript collision attacks that exploit weak MD5 hashes.|
SLOTH - https://www.mitls.org/pages/attacks/SLOTH
SLOTH technical paper - https://www.mitls.org/downloads/transcript-collisions.pdf
2018-08-29 Reporter 10.2 and later releases are not vulnerable because a fix is available in 10.2.1.1.
2018-04-22 PacketShaper S-Series 11.9 and 11.10 are not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-08 A fix for PolicyCenter S-Series 1.1 is available in 22.214.171.124.
2017-03-06 MC 1.8 is not vulnerable. ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-12-04 PacketShaper S-Series 11.7 is not vulnerable. SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-22 MC 1.6 and 1.7 are not vulnerable.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 Security Analytics 7.2 is not vulnerable.
2016-06-30 A fix for PacketShaper 11.x is available in 126.96.36.199.
2016-06-23 A fix is available in ASG 188.8.131.52.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-26 A fix for Reporter 10.1 is available in 10.1.4.1.
2016-05-19 Fixes are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-27 MTD 1.1 is vulnerable and a fix is available in 184.108.40.206.
2016-04-20 PS S-Series 11.2, 11.3, 11.4, and 11.5 are vulnerable. PC S-Series 1.1 is vulnerable.
2016-03-17 Clarified that SSLV 3.9 prior to 220.127.116.11 is vulnerable and that UA 4.6 is not vulnerable.
2016-03-14 A fix for CAS 1.3 is available in 18.104.22.168. A fix for MC 1.5 is available in 22.214.171.124.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8.
2016-02-19 A fix for MC 1.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-02-16 A fix for ProxySG 6.5 is available in 126.96.36.199.
2016-02-12 Fixes for CAS 1.1 and 1.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-02-04 ProxySG 6.6 prior to 188.8.131.52 is vulnerable
2016-01-29 initial public release
Subscribing will provide email updates when this Article is updated. Login is required.
11.5, 11.4, 11.3, 11.2
Mobile Agent for Android, Cloud Unified Agent
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
This will clear the history and restart the chat.