Stormshield Network Security

CVSS v2 Overall Score: 3.2      

Analysis

Impacted version

This vulnerability could allow an attacker to read SSL/TLS encrypted network traffic, such as communication between administration console and UTM, or traffic in VPN. Please note that only SNS embedding Intel CPU with AES-NI extensions are impacted. They are: SN510, SN710, SN910, SN2000, SN3000, SN6000

• SNS 1.0.0 to 1.5.0
• SNS 2.0.0 to 2.2.5
• SNS 2.3.0 to 2.4.1
• SMC 1.1.0

Workaround solution

Solution

You can disable crypto hardware extension. Connect to the appliance with ssh, and edit the file ~/System/global. You will find a [crypto] section. Give a 0 value for the Hardware token

Ex:

[Crypto]
Engine=padlock
Hardware=0
NoCryptodev=1

You have to reboot to make this parameter effective.

Please note that this setting can lower the overall performance of your UTM.

• Upgrade SNS to 2.2.6
• Upgrade SNS to 2.4.2
• Upgrade SMC to 1.1.1

Stormshield Endpoint Security

CVSS v2 Overall Score: 6.5      

Analysis

Impacted version

This vulnerability could allow an attacker to read SSL/TLS encrypted network traffic used to communicate between the SES agents and servers.

An attacker could then read the security policy and the generated security logs.

This vulnerability applies to SES servers only if they are running on a computer with an AES-NI capable Intel® processor. You can check if this is the case by checking the “Intel(R) AES New Instructions” value on the “CPU Technologies” tab of the “Intel® Processor Identification Utility” available at https://www.intel.com/content/www/us/en/support/processors/000005651.html.

• SES 6.0.22
• SES 7.1.09
• SES 7.2.07

Workaround solution

Solution

You can disable AES-NI crypto hardware extension by specifying a global environment variable on each SES server that supports the AES-NI instruction set.

• In the Control Panel, open the System option (alternately, you can right-click on My Computer and select Properties). Select the “Advanced system settings” link.
• In the System Properties dialog, click “Environment Variables”.
• In the Environment Variables dialog, click the New button underneath the “System variables” section.
• Create a variable named OPENSSL_ia32cap with value ~0x200000200000000 (please note the leading tilde – ‘~’ – character) and click OK.
• You should now see your new variable listed under the “System variables” section. Click OK to apply the changes.
• Restart the service “Stormshield Endpoint Security Server” to take these changes into account.

Please note that these changes can lower the overall performance of your SES server. It may also affect the performance of other software using the OpenSSL library running on the same computer.

The 6.0.23, 7.1.10 and 7.2.08 updates fix this vulnerability.

Netasq

CVSS v2 Overall Score: 3.5      

Analysis

Impacted version

This vulnerability could allow an attacker to read SSL/TLS encrypted network traffic, such as communication between administration console and UTM, or traffic in VPN. Please note that only Netasq embedding Intel CPU with AES-NI extensions are impacted. They are: NG1K, NG5K

• Netasq 9.1.0 to 9.1.8

Workaround solution

Solution

You can disable crypto hardware extension. Connect to the appliance with ssh, and edit the file ~/System/global. You will find a [crypto] section. Give a 0 value for the Hardware token

Ex:

[Crypto]
Engine=padlock
Hardware=0
NoCryptodev=1

You have to reboot to make this parameter effective.

Please not that this setting can lower the overall performance of your UTM.

The 9.1.9 update will fix this vulnerability.