Avis de sécurité de Netskope

NSKPSA-2020-005

Netskope Client Stack Buffer Overflow

Avis de sécurité ID : NSKPSA2020-005

Version: 1.0

Status: Unpublished

Last Modified: 15th December, 2020

Who should read this document	Technical and Security Personnel
Impact of Vulnerability	Buffer overflow leading to dos and potential code execution
CVE Number	TBD
Severity Rating	Critical
Overall CVSS Score	CVSS 7.5
Recommandations	Verification of update to the latest release of the Netskope Windows and OS X.
Security Advisory Replacement	None
Caveats	None
Affected Software	Netskope Windows and OS X Client Release 80 and before.
Updated Software Version	Netskope Client for Windows and OS X Release 81.
Special Notes and Acknowledgements	Optiv Application Security Team found this as part of a paid engagement for threat modeling and exploitation of the Netskope client update.
CWE Reference	CWE-121: Stack-based Buffer Overflow - https://cwe.mitre.org/data/definitions/121.html

Description
This update resolves an issue within the Netskope Client where a stack-based buffer overflow was identified.

This Release/patch remediates the following issues: CVE-TBD

Affected Components
Netskope Client for Windows and OS X Release 80 and before are deployed and being used.

Remediation
This vulnerability was triaged, validated, and fixed by Netskope. Customers should review the criticality of the vulnerability against their patch and maintenance processes and evaluate Release 81 of the client.

Workaround
None

Special Notes and Acknowledgement
Netskope credits the Optiv Application Security Team for finding this defect as part of a paid engagement for threat modeling and exploitation of the Netskope client update.

This security Advisory was written by the Product Security Incident Response Team, Netskope, Inc.

FAQs

What is affected by this security vulnerability?
Netskope Client pour Windows et OS X version 80 et antérieures.

Do I need to Update Immediately?
Yes, Netskope recommends that all customers run the latest version of software and evaluate this notification with other existing controls to make a determination. Netskope also recommends that customers use the CVSS v3.1 extended scoring or OWASP vulnerability criticality scoring tools to support their decision.

Affected Versions
Any Netskope Client deployment on Windows and OS X before Release 81.

Protected Versions
Netskope Client Release 81 or later. Netskope recommends that all customers verify that they have applied the latest updates.

What issues does this release and/or patch address?
The release includes the fix for the reported issue as well as other items which can be found within our release notes: Netskope Support Release Notes Link

How do I know if my Netskope WebUI is vulnerable or not?
The product and version can be found by navigating to the Netskope Client, Right-click, and seeing the “About”. An example is below:

What has Netskope done to resolve the issue?
Netskope has released a new release to address this security flaw.

Where do I download the fix?
Please visit the release notes on support.netskope.com.

How does Netskope respond to this and any other security flaws?
Netskope has a private bug bounty program as well as the following public guidance for reporting concerns and issues from the research community which can be found at https://www.netskope.com/vulnerability-disclosure-policy. In addition, Netskope follows a documented triage, remediation, and testing process for any reported items.

How do I find out about security vulnerabilities with your products?
Please review the release notes and security advisories on support.netskope.com.

How was this found?
Netskope credits the Optiv Application Security Team for finding this defect as part of a paid engagement for threat modeling and exploitation of the Netskope client update.

Resources:
Support Website: https://www.netskope.com/services#support

Contacts: [email protected], [email protected]