Resolved vulnerabilities in SNS 4.2.1

Intel processors

The Intel processor microcode used on SN510, SN710, SN910, SN2000, SN3000, SN2100, SN3100 and SN6100 firewall models has been updated to fix vulnerabilities CVE-2020-0543, CVE-2020-0548 and CVE-2020-0549.

Web administration interface/Block pages

To address a possible XSS vulnerability, the HTML preview display of HTTP block pages is no longer available. Only the raw text of the HTML code on block pages is displayed.

Web administration interface/Authentication portal

An additional protection feature against code injection has been added to responses sent by the firewall’s web administration interface and authentication portal.

OpenSSL

A vulnerability with an overall CVSS score of 3.0 was fixed by upgrading the OpenSSL component.

Details on this vulnerability can be found on our website https://advisories.stormshield.eu.

NDP requests

When unanswered NDP requests (IPv6) accumulated up to a certain threshold, the protection mechanism in the firewall’s NDP table would be activated. During an exchange with an unknown host, this caused the first few packets to be dropped until the NDP requests were resolved.

Details on this vulnerability can be found on our website https://advisories.stormshield.eu.

Authentication – SSO Agent

SNS firewalls will now reject negotiations with SSO agents that use AES_CBC encryption suites.
The SSO agent v3 must therefore be used with SNS firewalls in version 4.2.

ClamAV

A vulnerability with an overall CVSS score of 5.8 was fixed in ClamAV.

Details on this vulnerability can be found on our website https://advisories.stormshield.eu.

SNMP

Support reference 80471

A vulnerability with an overall CVSS score of 5.5 in the SNMP protocol analysis protection mechanism has been fixed.

Details on this vulnerability can be found on our website https://advisories.stormshield.eu.