The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: predictable random via ssl3_client_hello

Synthesis of the vulnerability 

An attacker can potentially guess the random used by the TLS client of OpenSSL, in order to read sensitive information.
Vulnerable products: ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Unisphere EMC, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, IRAD, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, Data ONTAP 7-Mode, NetScreen Firewall, ScreenOS, OpenSSL, Oracle Communications, Base SAS Software, SAS SAS/CONNECT.
Severity of this weakness: 2/4.
Creation date: 18/03/2015.
Références of this bulletin: 1701334, 55767, 9010031, CERTFR-2015-AVI-117, CERTFR-2015-AVI-146, CERTFR-2015-AVI-259, cpuoct2017, CVE-2015-0285, DSA-2020-062, FG-IR-15-008, JSA10680, NTAP-20150323-0002, SA40001, VIGILANCE-VUL-16410.

Description of the vulnerability 

The OpenSSL library implements a TLS client.

Usually, a PRNG random generator is seeded by the TLS client. However, the ssl3_client_hello() function does not seed the PRNG in some cases (if a specific version of the protocol was not requested, and an algorithm such as PSK-RC4-SHA is chosen).

An attacker can therefore potentially guess the random used by the TLS client of OpenSSL, in order to read sensitive information.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This threat alert impacts software or systems such as ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Unisphere EMC, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, IRAD, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, Data ONTAP 7-Mode, NetScreen Firewall, ScreenOS, OpenSSL, Oracle Communications, Base SAS Software, SAS SAS/CONNECT.

Our Vigil@nce team determined that the severity of this computer vulnerability bulletin is medium.

The trust level is of type confirmed by the editor, with an origin of internet server.

An attacker with a expert ability can exploit this weakness note.

Solutions for this threat 

OpenSSL: version 1.0.2a.
The version 1.0.2a is fixed:
  https://www.openssl.org/

OpenSSL: patch for ssl3_client_hello.
A patch is available in information sources.

Blue Coat ProxySG: version 6.2.16.4.
The version 6.2.16.4 is fixed.

Blue Coat ProxySG: version 6.5.7.5.
The version 6.5.7.5 is fixed.

Brocade: solution for OpenSSL (12/05/2015).
The solution is indicated in information sources.

Dell EMC Unisphere for PowerMax: solution.
The solution is indicated in information sources.

Fortinet: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

IBM Rational Application Developer: solution for OpenSSL.
The solution is indicated in information sources.

Juniper: fixed versions for OpenSSL-19/03/2015.
Fixed versions are indicated in information sources.

NetApp Data ONTAP: patch for OpenSSL 03/2015.
A patch is available:
  Data ONTAP Edge: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=899856
  Data ONTAP operating in 7-Mode: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=899855
  Data ONTAP SMI-S Agent: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=899852

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

SAS: solution for OpenSSL.
The solution is indicated in information sources.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides application vulnerability analysis. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.