Symantec Network Protection products using affected versions of OpenSSH are susceptible to several vulnerabilities. A remote attacker, with access to the management interface, can obtain usernames for valid SSH users and cause denial of service through application crashes.

Advanced Secure Gateway (ASG)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708, CVE-2018-15473 | 6.6 | Upgrade to 6.6.5.18. |
| CVE-2016-10708, CVE-2018-15473 | 6.7 | Upgrade to 6.7.4.2. |

CacheFlow (CF)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708, CVE-2018-15473 | 3.4 | Not available at this time |

Content Analysis (CA)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708, CVE-2018-15473 | 1.3 | Upgrade to later version with fixes. |
| CVE-2016-10708, CVE-2018-15473 | 2.1 and later | Not vulnerable |

Director

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| All CVEs | 6.1 | Not available at this time |

Mail Threat Defense (MTD)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708, CVE-2018-15473 | 1.1 | Not available at this time |

Malware Analysis (MA)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708, CVE-2018-15473 | 4.2 | Not available at this time |

Management Center (MC)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708, CVE-2018-15473 | 2.0, 2.1 | Upgrade to later release with fixes. |
| CVE-2016-10708, CVE-2018-15473 | 2.2, 2.3 | Not available at this time |

PacketShaper (PS)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708 | 9.2 | Not available at this time |

PacketShaper (PS) S-Series

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708, CVE-2018-15473 | 11.6 | Not available at this time |
| CVE-2016-10708, CVE-2018-15473 | 11.9 | Not available at this time |
| CVE-2016-10708, CVE-2018-15473 | 11.10 | Not available at this time |

PolicyCenter (PC) S-Series

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708, CVE-2018-15473 | 1.1 | Not available at this time |

ProxySG

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708, CVE-2018-15473 | 6.5 | Upgrade to 6.5.10.15. |
| CVE-2016-10708, CVE-2018-15473 | 6.6 | Upgrade to 6.6.5.18. |
| CVE-2016-10708, CVE-2018-15473 | 6.7 | Upgrade to 6.7.4.2. |

Reporter

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708 | 9.5 | Not vulnerable |
| CVE-2016-10708 | 10.1, 10.2 | Upgrade to later release with fixes. |
| CVE-2016-10708 | 10.3 | Not vulnerable, fixed in 10.3.1.1 |
| CVE-2018-15473 | 9.5 | Not vulnerable |
| CVE-2018-15473 | 10.1, 10.2 | Upgrade to later release with fixes. |
| CVE-2018-15473 | 10.3, 10.4 | Not available at this time |

Security Analytics (SA)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2018-15473, CVE-2018-15919 | 7.2 | Not available at this time |
| CVE-2018-15473, CVE-2018-15919 | 7.3 | Not available at this time |
| CVE-2018-15473, CVE-2018-15919 | 8.0 | Not available at this time |

SSL Visibility (SSLV)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| All CVEs | 3.10 | Not available at this time |
| All CVEs | 3.12 | Not available at this time |
| All CVEs | 4.2 and later | Not vulnerable |

Web Isolation (WI)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2018-15919 | 1.12 | Not available at this time |
| CVE-2018-15919 | 1.13 | Not available at this time |

X-Series XOS

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2016-10708, CVE-2018-15473 | 10.0 | Not available at this time |
| CVE-2016-10708, CVE-2018-15473 | 11.0 | Not available at this time |

The following products are not vulnerable:

- AuthConnector
- BCAAA
- Cloud Data Protection for ServiceNow
- Cloud Data Protection for Oracle CRM On Demand
- Cloud Data Protection Integration Server
- Cloud Data Protection Communication Server
- General Auth Connector Login Application
- HSM Agent for the Luna SP
- IntelligenceCenter
- IntelligenceCenter Data Collector
- PolicyCenter
- ProxyAV
- ProxyAV ConLog and ConLogXP
- Unified Agent
- WSS Mobile Agent

A flaw in SSH message handling allows a remote attacker to send out-of-sequence NEWKEYS messages and cause an application crash, resulting in denial of service.
CVE-2018-15473
Severity / CVSSv3
Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
A flaw in GSS2 handling allows a remote attacker to discover usernames for valid users on the target.
These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.
2019-10-07 WI 1.12 and 1.3 are vulnerable to CVE-2018-15919. A fix is not available at this time.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-30 It was previously reported that Reporter 10.3 is vulnerable to CVE-2018-15919. Reporter 10.3 is instead vulnerable to CVE-2018-15473. Reporter 10.4 is also vulnerable to CVE-2018-15473.
2019-08-13 MC 2.2 and MC 2.3 are vulnerable to CVE-2016-10708 and CVE-2018-15473. A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-09 A fix for ProxySG 6.5 is available in 6.5.10.15.
2019-08-09 A fix for ASG 6.6 and ProxySG 6.6 is available in 6.6.5.18.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-15 A fix for ASG 6.7 and ProxySG 6.7 is available in 6.7.4.2.
2019-01-14 Reporter 10.3 is vulnerable to CVE-2018-15919. It is not vulnerable to CVE-2016-10708 because a fix is available in 10.3.1.1.
2018-11-29 initial public release