Security Advisories

September 15, 2011 - Multiple SSH vulnerabilities in Director

Security Advisories ID:    SA63
Version:    3.0
Status:    Published
Published date:    09/08/2011
Updated:    01/17/2012
 

Advisory Status

Interim

Advisory Severity

Low, CVSS v2 base score 3.3 (AV:A/AC:L/Au:N/C:P/I:N/A:N)

CVE Number

CVE-2003-0190 - CVSS v2 base score: 3.3 (AV:A/AC:L/Au:N/C:P/I:N/A:N)
CVE-2005-2666 - CVSS v2 base score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)

Summary

Director uses a version of OpenSSH that allows an attacker to more easily guess valid user names and to obtain the plaintext SSH keys for other hosts.

Affected Products

All versions of Director prior to 5.5.2.3 are vulnerable.

Details

Director installs and uses a patched version of OpenSSH that is based on version 3.6.1p1.  Blue Coat has applied security and stability patches to version 3.6.1p1 as necessary. This patched version of OpenSSH has several publicly documented vulnerabilities.

The most severe vulnerability, CVE-2003-0190, allows an attacker to more easily determine valid user names.  This version of OpenSSH sends an error message immediately when the user name does not exist.  An attacker can therefore use the time it takes to receive a response to a login attempt to identify valid user names that have been presented with an invalid password.

The least severe vulnerability, CVE-2005-2666, allows an attacker who has compromised the Director appliance to view the known_hosts file.  The known_hosts file contains a list of SSH host names, IP addresses, and SSH keys in clear text.  An attacker can use this information to attack other SSH hosts.
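One way to check a known_hosts file for the clear-text exposure described above, as an added example that is not Blue Coat's code: a host field is in clear text unless it uses the hashed `|1|salt|hash` form that OpenSSH writes when its HashKnownHosts option is enabled (an option this advisory does not mention). The sample entries, the salt and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """Host field in hashed form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def hashed_field_matches(field, host):
    """True if a hashed host field was derived from `host` (what ssh does on lookup)."""
    parts = field.split("|")  # ['', '1', salt_b64, hash_b64]
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
    except ValueError:  # malformed base64 salt
        return False
    return hmac.compare_digest(hash_host(host, salt).encode(), field.encode())

def audit(text):
    """Return [(line_number, [clear-text host patterns])] for exposed entries."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        if tokens[0].startswith("@"):  # @cert-authority / @revoked marker
            tokens = tokens[1:]
        if len(tokens) < 3 or tokens[0].startswith("|1|"):
            continue  # malformed entry, or host field already hashed
        findings.append((number, tokens[0].split(",")))
    return findings

SALT = bytes(range(20))  # constructed; OpenSSH picks a random 20-byte salt per entry
SAMPLE = "\n".join([     # constructed sample, key blobs are truncated placeholders
    "# constructed sample, not taken from a real system",
    "proxy1.example.internal,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7",
    "@cert-authority *.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQD9",
    hash_host("proxy2.example.internal", SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQE1",
])

if __name__ == "__main__":
    for number, hosts in audit(SAMPLE):
        print("line %d exposes: %s" % (number, ", ".join(hosts)))
```

Hashed entries still let ssh verify a host it is asked to connect to, but the file no longer lists the other hosts by name.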

When Director is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack. The CVSS base scores included in this advisory are based on this deployment scenario.

If Director is deployed outside of the firewall, the CVSS base score for all CVEs listed would be higher. The CVSS base score for this security advisory would be a 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N).

Workarounds

Blue Coat recommends that Director be deployed behind a firewall. Additional constraints on what IP addresses can be used to connect to Director will greatly limit the ability to attack a Director installation.

Patches

Director 5.5 - an interim fix is available in 5.5.2.3.  The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/patch/90138905913689859042842687478968.

Director 5.4 - a fix for CVE-2005-2666 is available in 5.4.2.4.  The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/39.  For all other fixes, please upgrade to a later version.

Director 5.3 and earlier - please upgrade to a later version.

Advisory History

2012-01-17 Adjusted formatting
2012-01-11 Additional clarifications added.
2011-09-15 Initial public release

