ePolicy Orchestrator remediation steps for CVE-2014-0160
Technical Articles ID:   KB81674
Last Modified:  4/7/2017

Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Summary

For those customers who feel that they may have been compromised by the Heartbleed vulnerability, follow the solutions below to regenerate ePO security keys, database passwords, passwords used in registered LDAP servers, and Agent Handler certificates. Follow the remediation steps only after you have applied HF960279-2 on the ePO server and all remote Agent Handlers (if any are in use).

NOTE: Apply all applicable solutions in the order listed. Each solution field indicates whether it is a recommended or optional solution. 

Any customer using an impacted version of ePO with one or more Agent Handlers in a DMZ should follow these instructions.

The Heartbleed vulnerability allows the attacker to request up to 64K of memory from the Apache process heap. This request cannot be targeted at specific memory, and in general will return data that had been allocated around the time of the request. While it is not possible to determine exactly what can and cannot be read, it is also not possible for the attacker to request a specific memory address or targeted content, or to scan all allocated memory.

Critical data that might be in Apache process memory:
  • Agent-to-server secure communication keys
    Leaked Agent Handler key data could be used for forging server-to-agent messages. It is important for customers to generate new server secure communication keys and distribute those new keys to endpoints. Details about generating new server keys are covered in Solution 1.
     
  • ePO Database username/password
    Database password compromise is not critical for external facing data leakage, but could be used to log into the SQL server if the attacker has physical network access. Therefore, it is recommended that you change the ePO database password. Details on steps for changing the database password are covered in Solution 2.
     
  • Agent Handler certificate and private key
    Leaked server private key data could be used to eavesdrop on agent-to-server communication. Details on steps for generating new server keys are covered in Solution 3 for the ePO server, and Solution 4 for remote Agent Handlers.
     
  • Agent Handler system user name and password
    The leaked Agent Handler system user password is automatically mitigated after applying the patch. On every restart of the Agent Handler, this system user password is regenerated with a new random password for the process session.
     
  • Active Directory user credentials if user-based policies are configured
    Update the Active Directory password for any registered LDAP servers configured in ePO if user-based policies are used in your environment. User-based policies may also be referred to as Policy Assignment Rules. Point products that commonly use user-based policies include, but are not limited to:
    • Data Loss Prevention Endpoint
    • Site Advisor Enterprise
    • Endpoint Encryption

Critical data that is not in Apache process memory would include any data used only in the Tomcat or Eventparser memory space. For example, general ePO user login data for the ePO console is used only by the Tomcat service, which is not impacted because Tomcat does not use OpenSSL; it uses an RSA library instead.

NOTE: None of the following are impacted by this vulnerability because they reside only in the Tomcat memory space:
  • Console SSL certificate
  • Console username/passwords
  • Certificates used for certificate-based authentication

Solution

Regenerate the ePO agent-server secure communication keys

NOTE: If you have one or more Agent Handlers in a DMZ, this is a recommended step.

To regenerate the ePO agent-server secure communication keys:
  1. Ensure that Hotfix 960279-2 for ePO has been applied. For details regarding the hotfix, see the ePolicy Orchestrator 5.x / 4.6 Hotfix 960279 Release Notes (PD25159).
  2. Generate the new agent-server secure communication keys:
    1. Log on to the ePO console.
    2. Click Menu > Configuration > Server Settings.
    3. Click Security Keys under the Setting Categories column. 
    4. Click Edit.
    5. Click New Key.
    6. Type a new name for the key, select 2048 bit, and select Make this key the Master.
    7. Click OK.
    8. Repeat the steps above, specifying 1024 bit as the entry in step 2e.
  3. Configure the client update task to deploy server public keys to your endpoints:
    1. Click Menu > Policy > Client Task Catalog.
    2. Expand McAfee Agent and click Product Update under Client Task Types.
    3. Click New Task.
    4. Select Product Update from the Task Types drop-down list and click OK.
    5. Type a name for your task in the Task Name field.
    6. Select the Selected packages entry in the Package selection field.
    7. Select the ePO Agent Key Updater entry in the Package types field.
    8. Click Save.
    9. Click that task in the client task catalog and click Assign under the Actions column.
    10. Expand My Organization and click OK.
    11. Click the Schedule tab link in the Client Task Assignment Builder wizard.
    12. Configure the schedule as needed (Daily with Run missed task set for 30 minute delay is recommended).
  4. Wait for agents to migrate to the new key before exporting and deleting the existing keys. As agents start using the new key, the node count will decrease on the existing key and increase on the new key. This migration can be seen on the Security Keys server settings page referenced above as a number of agents indicated after each server key in the list.
  5. After all active agents have migrated, you can safely remove the old key from use.

    NOTE: The agent installation package is updated when new server keys are created. If you have existing agent packages used for manual deployment of the McAfee Agent, you have to refresh those installation packages after deleting the previously used server keys.

Solution

Change the ePO database username/password 

NOTE: If you have one or more Agent Handlers in a DMZ, this is a recommended step.

IMPORTANT: If you have remote Agent Handlers, make sure to also perform Solution 4 below if you change the ePO database username and password.

To change the SQL password for the ePO database, do the following:
  1. Launch a supported browser.
  2. Open the Configure Database Settings page: https://<server_name>:8443/core/config.

    NOTE: If you do not use the default port (8443), substitute the console login port you configured. You can use a specific server name in the previous example only if you can resolve that name in your environment. 

  3. Modify the User password under Configure Database Settings.
  4. Click Apply.

    NOTE: Testing the connection will fail until the following steps are completed.

  5. Change the password for the user account for ePO in SQL to match the password used in step 3.
  6. Press Windows+R, type services.msc, and click OK.
  7. Restart the McAfee ePolicy Orchestrator Application Server service.

Solution

Regenerate the Agent Handler SSL certificate on the ePO server

NOTE: This is an optional step you can implement at your discretion. The Agent Handler SSL certificate on the ePO server could be compromised only if someone on the internal network was attempting to exploit the Heartbleed vulnerability or if your ePO server was available external to your network (for example, if the ePO server was in the DMZ). If you are confident neither of these scenarios apply, you can skip this step. 

To regenerate the Agent Handler certificate on the ePO server:
  1. Stop the following ePO services:
    1. Press Windows+R, type services.msc, and click OK.
    2. Right-click each of the following services and select Stop:

      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
  2. Attempt to log on to the ePO console. If your console logon fails, resolve that before proceeding. If you cannot resolve the console logon issue, contact Technical Support for further assistance before proceeding.

    NOTE: You must be able to log on for the rest of the steps to work.

  3. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path; otherwise, the setup will fail to create a new certificate:

    32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt" 
    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
 
  4. Press Windows+R, type cmd, and click OK. If UAC is enabled, you will have to open the command prompt with administrator privileges.
  5. Change directories to your ePO installation directory.

    Default paths:

    32-bit: Program Files\McAfee\ePolicy Orchestrator\
    64-bit: Program Files (x86)\McAfee\ePolicy Orchestrator\

  6. Run the following command:

    IMPORTANT:
    • This command will fail if you have enabled User Account Control (UAC) on this server. If this is a Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx. Alternatively, you can open the command prompt with administrative permissions (right-click CMD and click Run as Administrator).
    • This command is case-sensitive. The ahsetup.log (found in <install_directory\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed and will state whether it used the files located in the ssl.crt folder.

    Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"install_directory\Apache2\conf\ssl.crt">

    where:

    <ePO_server_name>: is your ePO server NetBIOS Name
    <console_HTTPS_port>: is your ePO console port (default is 8443)
    <admin_username>: is admin (use the default ePO admin account)
    <password>: is the password to the ePO admin console account
    <install_directory\Apache2\conf\ssl.crt>: is your installation path to the Apache folder; default installation path:

    32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"

    Example:
    Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
  7. Start the following services:
    • McAfee ePolicy Orchestrator Event Parser
    • McAfee ePolicy Orchestrator Server
  8. Look in the DB/logs/server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following:

    20090923173647        I           #4108  NAIMSRV      ePolicy Orchestrator server started.

    If it does not, there will be an error similar to:

    20090923173319       E          #4736  NAIMSRV      Failed to get server key information.

Solution

Change the credentials used by the remote Agent Handlers and Agent Handler certificate and private key

NOTE: Typically only Agent Handlers in a DMZ require remediation because they can be exposed to the vulnerability without having access to an internal network. If you have no handlers in the DMZ, follow one of the two methods below at your discretion on all handlers. If you change your database password as described in Solution 2, you will have to update the database password on all handlers (Internal or External) for those to continue to function. 

There are two methods for completing this task. You only have to implement one of the two methods. Review both methods and select the method you prefer. 

IMPORTANT: To change the credentials used by the remote Agent Handlers to authenticate to the database, ensure you implement Solution 2 from this article before implementing either of the following methods. 

Method 1
After Solution 2 has been implemented, use the following procedure to reinstall the Agent Handler, which will update the database credentials and re-issue the Apache SSL certificate for that handler:
  1. Log on to the ePO console.
  2. Click Menu > Configuration > Agent Handlers.
  3. Make a note of how your Agent Handler Assignment Rules are configured. Specifically, note which handlers are included in which rules and in what order, if an ordered handler list is used.
  4. Uninstall the remote handler using Programs and Features or Apps & features (depending on your version of Windows). 
  5. Reinstall the remote handler.

    NOTE: Instructions for installing the handler begin in the section "Install ePolicy Orchestrator software on each node" of the ePolicy Orchestrator Installation Guide.  

  6. Re-apply HF960279-2 on the remote Agent Handler. 
  7. Log on to the ePO console.
  8. Click Menu > Configuration > Agent Handlers.
  9. Reconfigure your Agent Handler Assignment Rules so they once again match how they were configured previously. 
  10. Repeat these steps for all Agent Handlers that require remediation. 
Method 2
After Solution 2 has been implemented, use the following steps to upgrade the database credentials on the handler without re-installing:
  1. Access Programs and Features or Apps & features (depending on your version of Windows) on the computer hosting the Agent Handler.
  2. Right-click the Agent Handler entry and click Change.
  3. Click Next.
  4. Click Next again. 
  5. Enter Global Admin permissions for the ePO console, and click Next > Install.

    NOTE: If the Agent Handler cannot use the same connection information as the ePO server to authenticate to SQL, you will have to deselect the Use ePO Server's database credentials option and enter the correct database connection information on the next screen.  
Regenerate the Agent Handler certificate without re-installing the handler:
  1. Stop all Agent Handler services:
    1. Press Windows+R, type services.msc, and click OK.
    2. Right-click each of the following services and click Stop:

      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
  2. Attempt to log on to the ePO console from the remote Agent Handler. If your console login fails, resolve that before proceeding. If you cannot resolve the console login issue, contact Technical Support for further assistance before proceeding.

    NOTE: You must be able to log on to the ePO console from the remote Agent Handler for the rest of the steps to work.

  3. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path; otherwise, the setup will fail to create a new certificate:

    32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt" 
    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
     
  4. Press Windows+R, type cmd, and click OK. If UAC is enabled, you will have to open the command prompt with administrator privileges. 
  5. Change directories to your ePO installation directory.

    Default paths: 

    32-bit: Program Files\McAfee\Agent Handler\ 
    64-bit: Program Files (x86)\McAfee\Agent Handler\
     
  6. Run the following command: 

    IMPORTANT: 
    • This command will fail if you have enabled User Account Control (UAC) on this server. If this is a Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx. Alternatively, you can open the command prompt with administrative permissions (right-click CMD and click Run as Administrator). 
    • This command is case-sensitive. The ahsetup.log (found in <install_directory\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed and will state whether it used the files located in the ssl.crt folder.

    Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"install_directory\Apache2\conf\ssl.crt">

    where:

    <ePO_server_name>: is your ePO server NetBIOS Name
    <console_HTTPS_port>: is your ePO console port (default is 8443)
    <admin_username>: is admin (use the default ePO admin account)
    <password>: is the password to the ePO admin console account
    <install_directory\Apache2\conf\ssl.crt>: is your installation path to the Apache folder; default installation path:

    32-bit: "C:\Program Files\McAfee\Agent Handler\Apache2\conf\ssl.crt" 
    64-bit: "C:\Program Files (x86)\McAfee\Agent Handler\Apache2\conf\ssl.crt"

    Example
    Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files\McAfee\Agent Handler\Apache2\conf\ssl.crt"
     
  7. Start the following services:
    • McAfee ePolicy Orchestrator Event Parser 
    • McAfee ePolicy Orchestrator Server
       
  8. Look in the DB/logs/server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following: 

    20090923173647        I           #4108  NAIMSRV      ePolicy Orchestrator server started. 

    If it does not, there will be an error similar to: 

    20090923173319       E          #4736  NAIMSRV      Failed to get server key information. 
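The following PowerShell script is an added example, not part of KB81674 or of McAfee's own tooling. It runs the certificate-regeneration sequence that Solution 3 (ePO server) and Solution 4, Method 2 (remote Agent Handler) describe by hand: stop the two services, move ssl.crt aside and recreate it empty, run RunDllGenCerts, restart the services, and then look for the two server.log lines the article quotes. Assumptions, all of which should be checked in your environment: the install root passed as -InstallRoot (the ePO server default is used; pass the Agent Handler path for Method 2, or the "Program Files" path on a 32-bit system), the service display names as quoted above, and that ahsetup.dll is resolved when rundll32 is run from the install root, as the "change directories to your ePO installation directory" step implies. The manual console-logon check (step 2) is not automated. Run it from an elevated prompt.

```powershell
<#
  Added example for KB81674 (not McAfee code): automate the ssl.crt
  regeneration steps and verify the result in server.log.
  Hypothetical assumptions: -InstallRoot, the service display names,
  and ahsetup.dll being found from the install root.
#>
param(
    [Parameter(Mandatory)] [string] $ServerName,                      # ePO server NetBIOS name
    [Parameter(Mandatory)]
    [System.Management.Automation.PSCredential] $AdminCredential,     # ePO admin console account
    [int] $ConsolePort = 8443,                                        # console HTTPS port
    # ePO server default (Solution 3); use '...\McAfee\Agent Handler' for Solution 4, Method 2
    [string] $InstallRoot = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator'
)

$ErrorActionPreference = 'Stop'
$serviceNames = @('McAfee ePolicy Orchestrator Event Parser',
                  'McAfee ePolicy Orchestrator Server')
$sslDir  = Join-Path $InstallRoot 'Apache2\conf\ssl.crt'
$oldDir  = "$sslDir.OLD"
$logFile = Join-Path $InstallRoot 'DB\logs\server.log'

# Stop the Event Parser and Server services first.
foreach ($display in $serviceNames) {
    Get-Service -DisplayName $display | Stop-Service -Force
}

# Move ssl.crt aside and recreate it empty; the setup will not write a new
# certificate into a populated folder. Never clobber an earlier backup.
if (Test-Path $oldDir) { throw "Backup folder already exists: $oldDir" }
Rename-Item -Path $sslDir -NewName (Split-Path -Leaf $oldDir)
New-Item -ItemType Directory -Path $sslDir | Out-Null

# Run RunDllGenCerts exactly as the KB spells it (the entry point is
# case-sensitive). rundll32 is a GUI-subsystem binary, so Start-Process -Wait
# is needed to block until it returns. The KB's command line takes the
# password in clear text; it is unwrapped from the credential for this call only.
$plain   = $AdminCredential.GetNetworkCredential().Password
$argLine = "ahsetup.dll RunDllGenCerts $ServerName $ConsolePort " +
           "$($AdminCredential.UserName) $plain `"$sslDir`""
Push-Location $InstallRoot
try {
    Start-Process -FilePath 'rundll32.exe' -ArgumentList $argLine -Wait -NoNewWindow
} finally {
    Pop-Location
    $plain = $null; $argLine = $null
}

# ahsetup.log is written into ssl.crt and states whether generation succeeded.
$setupLog = Join-Path $sslDir 'ahsetup.log'
if (Test-Path $setupLog) { Get-Content $setupLog | Write-Host }
$generated = Get-ChildItem -Path $sslDir -File -Force | Where-Object { $_.Name -ne 'ahsetup.log' }
if (-not $generated) {
    # Nothing was written: put the original folder back so the server can
    # still start, and stop here for manual investigation.
    Remove-Item -Path $sslDir -Recurse -Force
    Rename-Item -Path $oldDir -NewName (Split-Path -Leaf $sslDir)
    throw 'RunDllGenCerts produced no files; original ssl.crt restored. See the ahsetup.log output above.'
}

# Start the services again and give Apache a moment to write server.log.
foreach ($display in $serviceNames) {
    Get-Service -DisplayName $display | Start-Service
}
Start-Sleep -Seconds 30

# Verify startup against the two log lines the KB quotes.
$tail = Get-Content -Path $logFile -Tail 200
if ($tail -match 'Failed to get server key information') {
    throw "server.log reports a server key error; compare $sslDir with $oldDir"
} elseif ($tail -match 'ePolicy Orchestrator server started') {
    Write-Host "Agent Handler started with the regenerated certificate. Old files kept in $oldDir"
} else {
    Write-Warning "No startup line found yet in $logFile; re-check before discarding $oldDir"
}
```

The backup folder is deliberately left in place after a successful start so that the old certificate can be compared or restored if agents fail to connect; remove SSL.CRT.OLD only once the handler has been confirmed healthy. Because the article's command line carries the admin password as an argument, it is visible in the process list for the duration of the rundll32 call, which is why the script holds it only for that one statement.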
     

Solution

Update the Active Directory password for any registered LDAP servers

NOTE: If you have one or more Agent Handlers in a DMZ, this is a recommended step. These steps are required only if user-based policies are used, because that is the only scenario where LDAP credentials would be loaded into Apache's memory space.

To update the Active Directory password:
  1. Log on to the ePO console.
  2. Click Menu > Configuration > Registered Servers.
  3. Select a registered server in the LDAP Servers section, click Edit, and then click Next.

    NOTE: If you have no registered LDAP servers defined, this solution is not necessary because registered LDAP servers are required for user-based policies. 

  4. Note the account specified in the User name: field.
  5. Log on to your AD server and change the password for the account you noted in step 4.
  6. Select Change password: in the ePO console and type the new password.
  7. Click Test Connection and verify it is successful.
  8. Click Save.
  9. Repeat these steps for all registered LDAP servers created.
