Palo Alto Networks Security Advisories / PAN-SA-2016-0023

PAN-SA-2016-0023 OpenSSL Vulnerabilities

047910
Severity 8.2 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact NONE
Availability Impact HIGH

Description

The OpenSSL library embedded in the GlobalProtect™ agent, TerminalServer™ agent and UserID™ agent is affected by the following public vulnerabilities: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, and CVE-2016-2176 (Ref # 100669, 100133, PAN-60833).

At the time of this advisory and in the context of GlobalProtect, TerminalServer and UserID, no public exploitation of these vulnerabilities are known.

This issue affects GlobalProtect agent 3.1.0 and earlier; TerminalServer agent 7.0.5 and earlier; UserID agent 7.0.5 and earlier

CVECVSSSummary
CVE-2016-21057.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
CVE-2016-21067.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
CVE-2016-21075.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
CVE-2016-21097.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
CVE-2016-21768.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

Product Status

VersionsAffectedUnaffected
UserID Agent 7.0<= 7.0.5>= 7.0.6
TerminalServer Agent 7.0<= 7.0.5>= 7.0.6
GlobalProtect Agent 3.1<= 3.1.0>= 3.1.1

Severity: HIGH

CVSSv3.1 Base Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)

Weakness Type

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Solution

GlobalProtect agent 3.1.1 and later; TerminalServer agent 7.0.6 and later; UserID agent 7.0.6 and later

Workarounds and Mitigations

N/A

© 2020 Palo Alto Networks, Inc. All rights reserved.