VN 2016 007 (CVE-2016-2108) Negative Zero

Vulnerability Notice

 
Vulnerability Summary
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

Background (From CVE Project)
CVE-2016-2108 Negative Zero
   Release Date: May 4, 2016
   CVSS v3 base score: 9.8 Critical

Impact
Allows unauthorized disclosure of information, unauthorized modification, or disruption of service
Products Potentially Affected
The following is the vulnerability status of the software products supported by Extreme Networks for this issue:

Product                                          Vulnerable
ExtremeXOS (all products)                        Yes
A, B, C, D, G, I and 800 Series Fixed Switches   Yes
IDS/IPS                                          No
Extreme Wireless (IdentiFi)                      Yes - Fixed
N, K, SSA, and S Modular Switches                Yes
Extreme Management (NetSight)                    Yes
Extreme Control (NAC)                            Yes
Extreme Analytics (Purview)                      Yes
Ridgeline                                        Investigating
Security Information & Event Manager             Investigating
Summit WM3000 Series                             Yes
X-Series Secure Core Router                      Investigating
XSR (X-Pedition Security Router)                 No
Impact Details
ExtremeXOS (all products)
  • Vulnerable Yes / No: Yes
  • Vulnerable Component: HTTPD
  • Describe conditions when component vulnerability occurs (why/when/how): Applications that parse and re-encode X509 certificates are vulnerable. Applications that verify RSA signatures on X509 certificates may also be vulnerable; however, only certificates with valid signatures trigger ASN.1 re-encoding and hence the bug.
  • Product version(s) affected: All EXOS
  • Workaround: No Workaround Available
  • Target Fix Release: EXOS 22.1, 21.1.2, 16.2.1, and patch releases for 16.1.3, 15.7.3, 15.6.5, 15.5.5, 15.3.5
  • Target Month for Fix Release: various, through Oct 2016
A, B, C, D, G, I and 800 Series Fixed Switches
  • Vulnerable Yes / No: Yes
  • Vulnerable Component: OpenSSL
  • Describe conditions when component vulnerability occurs (why/when/how): Managing the platform via the Web interface while using SSL
  • Product version(s) affected: All versions
  • Workaround: Do not manage via the Web interface using SSL (disabled by default).
  • Target Fix Release: 6.81.09
  • Target Month for Fix Release:
IDS/IPS
  • Vulnerable Yes / No: No
  • Vulnerable Component:
  • Describe conditions when component vulnerability occurs (why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: (optional)
Extreme Wireless (IdentiFi)
Extreme Networks Wireless Controllers:
  • Vulnerable Yes / No: Yes - Fixed
  • Vulnerable Component: NA
  • Describe conditions when component vulnerability occurs (why/when/how):
  • Product version(s) affected: V7R0 - v10.01
  • Workaround: NA
  • Target Fix Release: v10.11.01, v9.21.12
  • Target Month for Fix Release: June 2016
Extreme Networks Wireless 26xx and 36xx series APs
  • Vulnerable Yes / No: No
  • Vulnerable Component: NA
  • Describe conditions when component vulnerability occurs (why/when/how): NA
  • Product version(s) affected: NA
  • Workaround: NA
  • Target Fix Release: NA
  • Target Month for Fix Release:
Extreme Networks Wireless 37xx, 38xx and 39xx series APs
  • Vulnerable Yes / No: Yes
  • Vulnerable Component: NA
  • Describe conditions when component vulnerability occurs (why/when/how):
  • Product version(s) affected: since v10.01
  • Workaround: NA
  • Target Fix Release: v10.21.01, v10.11.02
  • Target Month for Fix Release: tbd
N, K, SSA, and S Modular Switches
  • Vulnerable Yes / No: Yes
  • Vulnerable Component: SSH Server
  • Describe conditions when component vulnerability occurs (why/when/how): The condition occurs if SSH public-key authentication is enabled, PKI/X.509 certificates are used for authentication, and one of the configured CA certificates or a certificate presented by an SSH client contains an ASN.1 negative zero value.
  • Product version(s) affected: EOS 7.91.01 and higher
  • Workaround: Do not configure or use X.509 certificates that contain ASN.1 negative values.
  • Target Fix Release: EOS 8.61.01
  • Target Month for Fix Release: May 2016
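The summary above describes a crafted ANY field in serialized data, and the workaround for the N, K, SSA and S switches is to keep certificates containing ASN.1 negative values out of the configuration. As an added example, not code from this notice or from Extreme Networks, the following Python DER walker reports the two constructs an operator would want to review in a CA or client certificate before configuring it: negative INTEGER values (RFC 5280 requires certificate serial numbers to be positive) and universal-class tags in high-tag-number form, which no RFC 5280 certificate structure uses. The DER fragments are constructed for the example, not real certificates.

```python
# Added example, not from the notice: a minimal DER walker that reports the
# ASN.1 constructs the notice's summary and workaround point at, so an operator
# can review CA or client certificates before configuring them on an affected
# product. Standard library only; the DER fragments below are constructed.

def _read_tlv(buf, pos):
    """Decode one DER TLV header at pos. Returns
    (tag_class, constructed, tag_number, high_form, content_start, content_end)."""
    first = buf[pos]
    tag_class, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    pos += 1
    high_form = number == 0x1F
    if high_form:                          # base-128 tag number continues in later bytes
        number = 0
        while True:
            b = buf[pos]
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element at offset %d" % pos)
    return tag_class, constructed, number, high_form, pos, pos + length

def scan_der(buf, start=0, end=None, path=""):
    """Walk DER in buf[start:end] and return a list of (path, message) findings."""
    end = len(buf) if end is None else end
    findings, pos, idx = [], start, 0
    while pos < end:
        cls, cons, num, high, cstart, cend = _read_tlv(buf, pos)
        here = "%s/%d" % (path, idx)
        if cls == 0 and high:              # UNIVERSAL tag numbers in X.509 never exceed 30
            findings.append((here, "universal tag in high-tag-number form (tag %d)" % num))
        if cls == 0 and num == 2 and cend > cstart and buf[cstart] & 0x80:
            findings.append((here, "negative INTEGER value"))
        if cons:                           # descend into SEQUENCE / SET / explicit tags
            findings.extend(scan_der(buf, cstart, cend, here))
        pos, idx = cend, idx + 1
    return findings

# Constructed fragments: SEQUENCE { INTEGER 2, INTEGER 258 } and
# SEQUENCE { INTEGER -1, [UNIVERSAL 31] primitive element with empty content }.
CLEAN_FRAGMENT = bytes.fromhex("3007" "020102" "02020102")
SUSPECT_FRAGMENT = bytes.fromhex("3006" "0201ff" "1f1f00")
```

Findings are review prompts, not a verdict: the scanner walks every INTEGER and tag in the blob, so run it on the DER form of each configured CA certificate (for example after converting PEM with `openssl x509 -outform DER`) and inspect anything it reports.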
Extreme Management (NetSight)
  • Vulnerable Yes / No: Yes
  • Vulnerable Component: NetSight appliance / virtual appliance
  • Describe conditions when component vulnerability occurs (why/when/how): An attacker could use the vulnerability in ASN.1 decoding to form a message that would cause OpenSSL to crash.
  • Product version(s) affected: NetSight 6.3
  • Workaround: None
  • Target Fix Release: v7.0
  • Target Month for Fix Release: June 2016
Extreme Control (NAC)
  • Vulnerable Yes / No: Yes
  • Vulnerable Component: NAC appliance / virtual appliance
  • Describe conditions when component vulnerability occurs (why/when/how): An attacker could use the vulnerability in ASN.1 decoding to form a message that would cause OpenSSL to crash.
  • Product version(s) affected: NetSight 6.3
  • Workaround: None
  • Target Fix Release: v7.0
  • Target Month for Fix Release: June 2016
Extreme Analytics (Purview)
  • Vulnerable Yes / No: Yes
  • Vulnerable Component: Purview appliance / virtual appliance
  • Describe conditions when component vulnerability occurs (why/when/how): An attacker could use the vulnerability in ASN.1 decoding to form a message that would cause OpenSSL to crash.
  • Product version(s) affected: NetSight 6.3
  • Workaround: None
  • Target Fix Release: v7.0
  • Target Month for Fix Release: June 2016
Ridgeline
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component vulnerability occurs (why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: (optional)
Security Information & Event Manager
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component vulnerability occurs (why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: (optional)
Summit WM3000 Series
  • Vulnerable Yes / No: Yes
  • Vulnerable Component: OpenSSL
  • Describe conditions when component vulnerability occurs (why/when/how):
  • Product version(s) affected: Release v5.5.5 uses OpenSSL 0.9.8za
  • Workaround: tbd
  • Target Fix Release: tbd
  • Target Month for Fix Release: (optional)
X-Series Secure Core Router
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component vulnerability occurs (why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: (optional)
XSR (X-Pedition Security Router)
  • Vulnerable Yes / No: No (product does not use OpenSSL)
  • Vulnerable Component:
  • Describe conditions when component vulnerability occurs (why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: (optional)
Repair Recommendations
The resolution to any threat or issue is dependent upon a number of things, including the setup of the computer network and how the local IT team wants to address the situation. Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the situation in a manner that it determines will best address the set-up of its computer network. Update the software, identified in this Notice, in your Extreme Networks products by replacing it with the latest releases from Extreme Networks including those listed above.

Firmware and software can be downloaded from www.extremenetworks.com/support.
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.
