ProxySG 6.5 and 6.6 are vulnerable to CVE-2017-3731

ProxySG 6.5 prior to 6.5.10.4, 6.6 prior to 6.6.5.8, and 6.7 prior to 6.7.1.2 are vulnerable to CVE-2017-3731. All SSL interfaces are affected.


The CVE-2017-3731 vulnerability has been fixed for the following versions:


ProxySG 6.7 - a fix is available in 6.7.1.2.
ProxySG 6.6 - a fix is available in 6.6.5.8.
ProxySG 6.5 - a fix is available in 6.5.10.4.

Thank you for the info!

This is a great share, David. Any information on how to check for the vulnerability versus just looking at the version? For example CLI command or API call? It would be a nice value-add to our suite of in-development ProxySG Knowledge bits.
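The thread only supports a version-based check, so here is one written as an added example (not code from any poster or from Symantec): it compares a ProxySG build string against the first fixed release of its branch as listed above, comparing components numerically rather than as strings, and reports unknown branches as "no claim" instead of guessing. The function and constant names are my own.

```python
"""Version-range check for CVE-2017-3731 on ProxySG, using the first fixed
releases named in this thread: 6.5.10.4, 6.6.5.8 and 6.7.1.2."""
from typing import Dict, Optional, Tuple

# First fixed build per affected branch, keyed by (major, minor).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (6, 5): (6, 5, 10, 4),
    (6, 6): (6, 6, 5, 8),
    (6, 7): (6, 7, 1, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.6.5.8' into (6, 6, 5, 8).

    Numeric tuples compare component-wise; plain string comparison would
    wrongly rank '6.6.5.10' below '6.6.5.8'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build is older than the fix for its branch, False if it is
    at or past the fix, None if the branch is not one the advisory covers
    (the thread makes no statement about other branches)."""
    v = parse_version(version)
    fix = FIXED_BY_BRANCH.get(v[:2])
    if fix is None:
        return None
    # Pad short strings such as '6.6.5' with zeros so the comparison stays
    # component-wise against the four-part fix version.
    padded = v + (0,) * (len(fix) - len(v))
    return padded < fix


def report(versions: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> 'vulnerable' / 'fixed' / 'unknown branch'.
    The input is a constructed inventory, e.g. {'proxy-a': '6.6.5.3'}."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown branch"}
    return {name: labels[is_vulnerable(ver)] for name, ver in versions.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    print(report({"proxy-a": "6.6.5.3", "proxy-b": "6.5.10.4", "proxy-c": "7.1.0.0"}))
```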


OpenSSL Security Advisory [26 Jan 2017]

Truncated packet could crash via OOB read (CVE-2017-3731)

Severity: Moderate

If an SSL/TLS server or client is running on a 32-bit host, and a specific
cipher is being used, then a truncated packet can cause that server or client
to perform an out-of-bounds read, usually resulting in a crash.

For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305;
users should upgrade to 1.1.0d.

For OpenSSL 1.0.2, the crash can be triggered when using RC4-MD5; users who have
not disabled that algorithm should update to 1.0.2k.