VN-2015-001 – “GHOST” – CVE-2015-0235 Extreme Networks Software SUMMARY PRODUCTS POTENTIALLY AFFECTED A serious vulnerability has been discovered in two legacy functions that are related to DNS resolution in glibc. Due to the fact that glibc is a fundamental OS component used by many pieces of userland software, this vulnerability is a high priority for remediation. Here is the vulnerability status of the software products supported by Extreme Networks for this issue: BACKGROUND (From the CVE Project) There is a heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18. This allows contextdependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST.” Published: 2015-01-27 CVSS Severity: 10 (from NVD/NIST) The following software, and software supported products by Extreme Networks will be analyzed for this vulnerability: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. ExtremeXOS X-Series Secure Core Router N, K, SSA, and S Modular Switches A, B, C, D, G, I & 800 Series Fixed Switches NetSight / NAC (IA) / Purview Ridgeline IDS/IPS Security Information & Event Manager IdentiFi Wireless Wireless Mobility XSR (X-Pedition Security Router) ExtremeWare Note: To our knowledge, no other Extreme products (including the Enterasys-branded products) have been determined to be vulnerable at this time. IMPACT DETAILS The Impact Details will be listed using the following format: a. Vulnerable – Yes / No / Investigating b. Vulnerable Component c. Conditions when component vulnerability occurs d. Product version affected e. Workaround f. Target Fix Release g. Target Fix Timeframe ExtremeXOS (all products): a. IMPACT Because DNS resolution is an extremely common function performed by many pieces of software, and because glibc is commonly involved to perform these resolutions, this vulnerability has a high impact across all systems and software the leverage a vulnerable version of glibc. Successfully exploitation would give an attacker full remote code execution with the context of the exploited process. NOTE: Information in RED, denotes new updated information since the last revision of this notice. ExtremeXOS – Investigating X-Series Secure Core Router – Investigating N, K, SSA, and S Modular Switches – Investigating A, B, C, D, G, I & 800 Series Fixed Switches – No NetSight/NAC(IA)/ Purview – Yes Ridgeline – No IDS/IPS – Yes Security Information & Event Manager – Investigating IdentiFi Wireless – Yes (See product list) Wireless Mobility versions WM 5.5.X – Investigating XSR (X-Pedition Security Router) – No ExtremeWare – No Vulnerable: Investigating X-Series Secure Core Router a. Vulnerable: Investigating N, K, SSA, and S Modular Switches a) Vulnerable: Investigating A, B, C, D, G, I & 800 Series Fixed Switches a. Vulnerable: No All A,B,C,D,G,I Series Devices do not use Linux NetSight /NAC (IA)/ Purview: a. Vulnerable: Yes b. Vulnerable Component: glibc library on 32-bit and 64-bit NetSight appliances c. Describe conditions when component Vulnerability occurs (why/when/how): Some components of NetSight make a call to the vulnerable function of the glibc library. It is not known how a compromise could be achieve, or if it could be achieved, but it is at least possible in theory. d. Product version(s) affected: All NetSight Appliances e. Workaround: There is not one currently. f. Target Fix Release: TBD g. Target Month for Fix Release: TBD ©2015 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks logo, and other trademarks listed in this document, marked with an asterisk (*), are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks, please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice. Document No. / Revision: VN-2015-001 / Rev 01 Effective Date: 1/29/2015 / Owner: Serviceability VN-2015-001 – “GHOST” – CVE-2015-0235 Extreme Networks Software IMPACT DETAILS – Continued Ridgeline: Vulnerable: No - The OS is not provided with Ridgeline, it’s a software only solution. IDS / IPS: a. Vulnerable: Yes b. Vulnerable Component: glibc library on 32-bit and 64-bit Dragon appliances c. Describe conditions when component Vulnerability occurs (why/when/how): Some components of Dragon make a call to the vulnerable function of the glibc library. d. It is not known how a compromise could be achieve, or if it could be achieved, but it is at least possible in theory. e. Product version(s) affected: All Dragon Appliances f. Workaround: There is not one currently. g. Target Fix Release: TBD h. Target Month for Fix Release: TBD Security Information & Event Manager: a. Vulnerable: No (Product does not use any version of glibc) b. Vulnerable Component: None c. Describe conditions when component Vulnerability occurs(why/when/how): None d. Product version(s) affected: None e. Workaround: NA f. Target Fix Release: None g. Target Month for Fix Release: NA IdentiFi Wireless: IdentiFi controller: a. Vulnerable: Yes b. Vulnerable Component: glibc based components including Python c. Product version(s) affected: all releases between 3.0 and 9.15.0 inclusive d. Workaround: Risk of successful exploit is low. The controller only accepts hostnames and FQDNs in a limited number of commands and GUI options and the input is checked to enforce length limits and valid characters for host names. Qualys has provided a list of applications that are not vulnerable when running on versions of Linux with the vulnerable glibc version. The list includes most of the third party Open source software used for remote access to the controller and APs. In addition the controller has few places where a host name or FQDN can be entered or used. So risk of a successful exploit is likely low. e. Target Fix Release: 9.21 f. Target Month for Fix Release: June 2015 (optional) Wireless Mobility: Controller & Access Points: a. Vulnerable: Investigating XSR (X-Pedition Security Router): a. Vulnerable: No ExtremeWare (all products): a. Vulnerable: No - Extremeware (VxWorks based) doesn't use glibc ©2015 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks logo, and other trademarks listed in this document, marked with an asterisk (*), are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks, please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice. Document No. / Revision: VN-2015-001 / Rev 01 Effective Date: 1/29/2015 / Owner: Serviceability VN-2015-001 – “GHOST” – CVE-2015-0235 Extreme Networks Software Threat Details CVE Name Impact Vulnerable Versions Client Server CVE-2015-0235 Glibc “GHOST” vulnerability High All versions prior to glibc-2.18 High High Vulnerability Mitigation TBD Repair Recommendations The resolution to any threat or issue is dependent upon a number of things, including the set-up of the computer network and how the local IT team wants to address the situation. Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the situation in a manner that it determines will best address the set-up of its computer network. Update the software, identified in this Notice, in your Extreme Networks’ products by replacing it with the latest releases from Extreme Networks including the following version (or above): 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. ExtremeXOS – Investigating X-Series Secure Core Router – Investigating N, K, SSA, and S Modular Switches – Investigating A, B, C, D, G, I & 800 Series Fixed Switches – No NetSight/NAC(IA)/ Purview – Yes Ridgeline – No IDS/IPS – Yes Security Information & Event Manager – Investigating IdentiFi Wireless – Yes (See product list) Wireless Mobility versions WM 5.5.X – Investigating XSR (X-Pedition Security Router) – No ExtremeWare – No Firmware & Software can be downloaded from - http://www.extremenetworks.com/support/ Further Information NIST release: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235 CVE Project: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 Red Hat: https://access.redhat.com/articles/1332213 Qualys Analysis: http://www.openwall.com/lists/oss-security/2015/01/27/9 Legal Notice THIS ADVISORY NOTICE IS PROVIDED ON AN "AS IS" BASIS AND EXTREME NETWORKS MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESSLY DISCLAIMING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. USE OF THE INFORMATION PROVIDED HEREIN OR MATERIALS LINKED FROM THIS ADVISORY NOTICE IS AT YOUR OWN RISK. EXTREME NETWORKS RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME, AND EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE. THE INFORMATION PROVIDED HEREIN IS APPLICABLE TO CURRENT EXTREME NETWORKS’ PRODUCTS IDENTIFIED HEREIN AND IS NOT INTENDED TO BE ANY REPRESENTATION OF FUTURE FUNCTIONALITY OR COMPATIBILITY WITH ANY 3RD PARTY TECHNOLOGIES REFERENCED HEREIN. THIS NOTICE SHALL NOT CHANGE ANY CONTRACT OR AGREEMENT THAT YOU HAVE ENTERED INTO WITH EXTREME NETWORKS. ©2015 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks logo, and other trademarks listed in this document, marked with an asterisk (*), are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks, please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice. Document No. / Revision: VN-2015-001 / Rev 01 Effective Date: 1/29/2015 / Owner: Serviceability
© Copyright 2024