What to do after upgrading Web Gateway to address the Heartbleed vulnerability
Technical Articles ID:   KB81669
Last Modified:  4/7/2017

Environment

McAfee Web Gateway (MWG) 7.4.x, 7.3.x

Summary

McAfee released MWG 7.3.2.8 and MWG 7.4.1.3 and recommends that all customers using version 7.3.x or 7.4.x upgrade immediately to address the Heartbleed vulnerability. 

For release notes, see:
  • PD25155 - Web Gateway 7.3.2.8 Release Notes
  • PD25156 - Web Gateway 7.4.1.3 Release Notes
Use this article to make configuration changes after upgrading.

NOTE: After successfully updating Web Gateway, you may notice that the OpenSSL version appears not to have been updated when you run:

# openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

However, look at the output of:

# yum list | grep openssl

openssl.i686                   1.0.1e-10.mlos2        @mlos-7.3-gen_release-base
openssl.x86_64                 1.0.1e-10.mlos2        @mlos-7.3-gen_release-base

The package sub-version has changed from 8 to 10, and release 10 contains the patch. The openssl version banner still reports 1.0.1e because the fix is carried by the package release, so check the package release rather than the banner.
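As an added check that is not part of the McAfee article, the script below applies the note's reasoning on a saved copy of the yum output: it reads the package release from the yum list lines rather than trusting the openssl version banner. The sample lines and banner are constructed to mirror the article's output; the required release of 10 is taken from the note above.

```python
import re

# Package release that carries the Heartbleed fix on MWG 7.3.x/7.4.x
# (the article: release changed from 8 to 10; base version stays 1.0.1e).
PATCHED_RELEASE = 10

# Matches "openssl.x86_64   1.0.1e-10.mlos2   @mlos-7.3-gen_release-base"
LINE_RE = re.compile(
    r"^openssl\.(?P<arch>\S+)\s+(?P<ver>\S+?)-(?P<rel>\d+)\.(?P<dist>\S+)\s+(?P<repo>\S+)$"
)

# Constructed samples: the article's post-upgrade output, and the
# pre-upgrade release 8 it mentions. The banner is the same in both cases.
BANNER = "OpenSSL 1.0.1e-fips 11 Feb 2013"
PATCHED_SAMPLE = """\
openssl.i686                   1.0.1e-10.mlos2        @mlos-7.3-gen_release-base
openssl.x86_64                 1.0.1e-10.mlos2        @mlos-7.3-gen_release-base
"""
UNPATCHED_SAMPLE = """\
openssl.i686                   1.0.1e-8.mlos2         @mlos-7.3-gen_release-base
openssl.x86_64                 1.0.1e-8.mlos2         @mlos-7.3-gen_release-base
"""


def parse_openssl_packages(yum_output):
    """Return one record per line of the base openssl package (any arch)."""
    records = []
    for line in yum_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rel"] = int(rec["rel"])   # numeric release for comparison
            records.append(rec)
    return records


def heartbleed_patched(yum_output, banner):
    """Decide from the package release, not the banner. 'patched' is
    True, False, or None when no openssl package line was found."""
    pkgs = parse_openssl_packages(yum_output)
    if not pkgs:
        return {"patched": None, "reason": "no openssl package line found"}
    stale = [p for p in pkgs if p["rel"] < PATCHED_RELEASE]
    if stale:
        detail = ", ".join(f"{p['arch']} {p['ver']}-{p['rel']}.{p['dist']}" for p in stale)
        return {"patched": False, "reason": f"release below {PATCHED_RELEASE}: {detail}"}
    return {"patched": True, "reason": (f"all packages at release >= {PATCHED_RELEASE}; "
                                        f"unchanged banner '{banner}' is expected")}
```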

Problem

MWG 7.3.x and 7.4.x used an OpenSSL version that is affected by the Heartbleed vulnerability, CVE-2014-0160.

To attack an MWG system (regardless of hardware), TLS traffic must be involved, with MWG acting as either client or server. Several MWG processes perform TLS. If MWG is attacked by a malicious client or server, the attacker can read up to 64 KB of memory per attack. The attack can be repeated and leaves no trace on the target system. The attacker cannot choose which memory is returned, and only memory of the attacked process is affected. It is not possible to determine what information may have been leaked. MWG engineering expects that every MWG instance might theoretically be affected, because TLS is used at least for:
  • Central Management communication
  • MWG UI or REST interface
  • AV signatures, URL filtering, and other updates
  • SSL Scanning as a forward or reverse proxy
  • Multiple Filters like LDAP, OTP, MATD, URL, and ICAPS client
Although there is no evidence on the system of an attack, an administrator should consider all secrets (passwords, private keys, and so on) compromised, because the configuration is at least temporarily loaded by three processes: the MWG UI web server (Tomcat), the main proxy process (mwg-core), and the Central Management process (mwg-coordinator).

Solution

McAfee strongly recommends the following configuration changes after you upgrade.

Change passwords:
Go to the mentioned UI areas to update passwords, as applicable.
  •  Administrator account password (local)
    • Accounts, Administrator Accounts, Internal Administrator Accounts
       
  • ePO user account password
    • Accounts, Administrator Accounts, Internal Administrator Accounts
    • Configuration, ePolicy Orchestrator
      • After updating the MWG ePO user account password, the same password should be updated on the ePO server Web Gateway configuration.
      • Within ePO, go to Menu, Configuration, Registered Servers.
        • Edit each existing McAfee Web Gateway 7 server type.
          • For the Console Credentials password, specify the password from the Web Gateway Accounts section above.
          • For the Communication Credentials password, specify the password from the Web Gateway Configuration section above.
             
  • Central Management (Only applicable if using an upstream update proxy that enforces authentication)
    • Update the password on the upstream proxy first (use the next step to identify upstream proxy).
    • Configuration, Central Management, Update Proxies
    • Update the MWG configuration to reflect the new upstream proxy password by saving the changes.
       
  • WCCP authentication keys
    • Configuration, Proxies (HTTP(S), FTP, ...), WCCP
      • Edit each configured service and exchange the authentication key here and in the router's configuration.
         
  • SaaS Administrator Account passwords (Only applicable for Web Hybrid customers)
    • Update the SaaS Administrator password using the SaaS Console: https://console.mcafeesaas.com.
    • Configuration, Web Hybrid
      • Update the MWG SaaS configuration to reflect the new SaaS password.
         
  • SNMP community strings and SNMPv3 passwords
    • Configuration, SNMP
      • SNMP v1, v2c--Update the Community string
      • SNMP v3--Update the SNMPv3 User's password
      • SNMP Trap Sinks--Update the Community string
      • Afterwards, apply the same Community string(s) or password to SNMP clients.
         
  • Log File Manager Passwords
    • Configuration, Log File Manager, Auto Pushing
      • Update the destination server's passwords (use the following Auto Pushing settings to identify destination servers).
      • Update the MWG configuration to reflect the new destination server password.
    • Policy, Settings, Engines, File System, File System Logging, Engine Name, Auto Pushing
      • Update the destination server's passwords (use the following Auto Pushing settings to identify destination servers).
      • Update the MWG configuration to reflect the new destination server password.
         
  • Windows Domain Membership
    • Configuration, Windows Domain Membership
    • The MWG machine password within Active Directory has a lifetime of five days. It is not possible to manually change that password within Active Directory. To change the password immediately, it is recommended to rejoin each MWG to the domain. It is recommended to perform these steps during off-hours.
      • Document the existing domain membership settings.
      • Leave the domain.
      • Join the domain using the documented settings.
        • Select Overwrite Existing Account if specifying the same machine account name as prior.
        • Domain Administrator credentials are required to join the domain.
           
  • Kerberos keytab file
    • Configuration, Kerberos Administration, browse to the new keytab file
      • See the following Community post for steps on regenerating the keytab file and importing it into MWG:
        https://community.mcafee.com/docs/DOC-2682. Follow the steps through to the "Uploading keytab to the Web Gateway" section.
         
  • User Database (locally stored usernames and passwords)
    • Policy, Lists, Local User, User Database
    • Update each user account password.
       
  • Authentication Passwords - Applicable to LDAP, E-Directory, OTP, Radius, and SWPS (MCP) authentication methods
    • Policy, Settings, Engines, Authentication
    • Review the Authentication engines to identify authentication methods using LDAP, E-Directory, OTP, or Radius.
      • Go to those external services to update the password.
      • In MWG, update the corresponding Authentication engine to reflect the new password.
    • Review the Authentication engines to identify authentication methods using SWPS (MCP).
  • External Lists
    • Policy, Settings, Engines, External Lists
       
  • Next Hop Proxy
    • Policy, Lists, Next Hop Proxy
       
  • Upstream proxy for URL / GTI Filter Updates
    • Policy, Settings, Engines, URL Filter, Advanced Settings
       
  • MATD
    • Policy, Settings, Engines, Anti-Malware
       
  • Secure Token
    • Policy, Settings, Engines, Secure Token


Change all private keys
Go to the mentioned UI areas to update private keys, as applicable.
  • SSL Scanner
    • If you are storing your CA and server key on an HSM, you are not affected; otherwise, generate or import a new CA. It is recommended to revoke the existing CA if it is signed by another CA and/or to remove it from the clients' (usually workstation browsers) trust store. When importing a new CA, update the end users' browser trust stores with the new CA to prevent browser warnings.
       
  • SSL Client Context with CA (could be more than one)
    • Policy, Settings, Engines, SSL Client Context with CA
       
  • SSL Client Context without CA (Reverse Proxy)
    • Policy, Settings, Engines, SSL Client Context without CA
       
  • SSL Client Certificate Handling
    • Policy, Settings, Engines, SSL Client Certificate Handling
       
  • User Interface
    •  Configuration, User Interface, User Interface Certificate
      • If your previously used certificate is signed by a CA, you may want to revoke it. When importing a new CA, update the browser trust store of every MWG UI administrator with the new CA to prevent browser warnings.
         
  • Central Management communication
    • Configuration, Appliances (Cluster), Cluster CA
    • If you imported a CA in the past, it is necessary to generate a new CA again and import it.
       
  • ICAPS Proxy
    • Configuration, Proxies, ICAP Server (only applicable if ICAPS is being used)
      • Generate or import a new certificate and key if you generated or imported a certificate in the past.
         
  • Mobile Device Certification
    • Policy, Settings, Engines, Mobile Device Certification
      • Generate or import a new CA. It is recommended to revoke the existing CA if it is signed by another CA and remove it from the client's (usually workstation browsers) trust store.
         
  • Single Sign On
    • Credentials stored in MAS (McAfee Attribute Server) are encrypted. For a short time frame they will be available in plain text. The user (or the service) needs to ensure that the passwords are updated.


Change keys in the Active System Console of your Hardware Appliance Model
NOTE: Only applicable to MWG Model B and Model C and if Active System Console is being enabled. The default is disabled.
  • Active System Console, a hardware monitoring component, is affected because it includes a TLS-enabled web server with a key that is generated on activation. The potential risk is that the private key and the administrator password can be read using the vulnerability. If it is enabled (it is disabled by default), run the following commands as the user root. Be prepared to provide a new administrator password when running asc-enable.


    asc-disable
    rm -f /etc/{asc,asc5,asc6}/lighttp.{crt,pem}
    asc-enable

     
  • Note: RMM3 and RMM4 also use OpenSSL, but they are not affected.
     
Download Server updates
The MWG team has updated the certificates of the download server. Because updates are additionally signed, there was no risk of executing untrusted code.
