How to disable EXPORT ciphers for Email Gateway to protect against a client with the FREAK OpenSSL vulnerability
Technical Articles ID:   KB84267
Last Modified:  7/14/2016

Environment

McAfee Email Gateway (MEG) 7.x 

Problem

While MEG has been patched against the FREAK OpenSSL vulnerability and is not vulnerable when acting as an email client, MEG is vulnerable to an unpatched client if EXPORT ciphers are enabled.

IMPORTANT:
For further information see SB10108.

Solution

This issue was originally resolved in MEG 7.6.3.3, which reached End of Life (EOL) on October 12, 2016. The current long-term supported version is MEG 7.6.40x.

For the MEG EOL announcement, see KB85857.

To review McAfee Email Security Solutions End of Life Frequently Asked Questions, see: http://www.mcafee.com/resources/faqs/faq-eol-email-security.pdf.

Technical Support recommends that you upgrade to the latest version of MEG, which is available by logging on to the ServicePortal at: https://support.mcafee.com/downloads.
 

Workaround

Disable EXPORT ciphers.

IMPORTANT: This workaround is only needed to handle clients that have not yet been patched.
 
IMPORTANT:
  • If you are using ePO to manage your appliance, you must follow the process documented in KB82606 to avoid ePO overwriting your configuration changes.
  • Technical Support recommends that you save the configuration file from the appliance and store a backup copy in a separate location. Edit a copy of the configuration file, and always keep a current version in a safe place.
  • For details about saving, editing, and restoring the appliance configuration file, follow the instructions in KB56323.
 
  1. Open the Appliance management console.
  2. Click System, System Administration, Backup and Restore.
  3. Save a copy of the configuration file.
  4. Create a new directory on your client.
  5. Extract smtp-config.xml from the saved configuration file into the new directory and create a backup copy of this file.

    NOTE:
    Ensure that you do not extract the full zip file, only the XML to be edited. Extracting the full configuration can cause corruption in the configuration.
     
  6. Open the smtp-config.xml file with Notepad or another plain text editor.
  7. Disable EXPORT ciphers:
    1. Locate the following entry:

      ForbiddenCiphers
       
    2. Add the line <Attr name="1" value="EXPORT"/> under the XML node as shown below:

      <ForbiddenCiphers>
        <Attr name="0" value="aNULL"/>
        <Attr name="1" value="EXPORT"/>
      </ForbiddenCiphers>
       
    3. Save smtp-config.xml. If prompted, select .txt and ignore any warnings about removing the formatting.

      IMPORTANT:
      If you save smtp-config.xml in a rich text format, the data will be corrupted.
       
  8. Update the configuration zip file with the modified smtp-config.xml. Use WinZip or an equivalent application that works with long filenames.

    NOTE:
    If you use WinZip, ensure that the full path info option is not enabled.
     
  9. Restore the modified zip file to the Appliance via the Backup and Restore page.
  10. Click Apply Changes.
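
Steps 5 through 8 can also be scripted so that only the ForbiddenCiphers node changes and every other byte of the configuration is left alone. The Python below is an added example, not McAfee code; it goes beyond step 7 by using the next free index instead of assuming name="1" and by skipping the edit when EXPORT is already listed. The function names, the sample XML, and the assumption that the appliance accepts an archive rewritten this way are not from the article.

```python
import io
import re
import zipfile

# Patterns for the ForbiddenCiphers node exactly as the article shows it.
NODE = re.compile(r"(<ForbiddenCiphers>)(.*?)(</ForbiddenCiphers>)", re.S)
ATTR = re.compile(r'<Attr\s+name="(\d+)"\s+value="([^"]*)"\s*/>')

# Constructed sample; a real smtp-config.xml contains many other settings.
SAMPLE = ('<Config>\n<ForbiddenCiphers>\n<Attr name="0" value="aNULL"/>\n'
          '</ForbiddenCiphers>\n</Config>\n')


def forbid_export(xml_text):
    """Return xml_text with EXPORT forbidden; everything else is untouched."""
    m = NODE.search(xml_text)
    if m is None:
        raise ValueError("no <ForbiddenCiphers> element found")
    entries = ATTR.findall(m.group(2))
    if any(value == "EXPORT" for _, value in entries):
        return xml_text  # already forbidden: the edit is idempotent
    # Assumption: entries are numbered consecutively from 0.
    next_index = max((int(n) for n, _ in entries), default=-1) + 1
    new_attr = '<Attr name="%d" value="EXPORT"/>' % next_index
    nl = "\r\n" if "\r\n" in xml_text else "\n"  # keep the file's line endings
    body = m.group(2).rstrip() + nl + new_attr + nl
    return xml_text[:m.start(2)] + body + xml_text[m.end(2):]


def patch_backup(zip_bytes, member="smtp-config.xml"):
    """Rewrite a configuration zip in memory, changing only `member`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.rsplit("/", 1)[-1] == member:
                # latin-1 round-trips every byte, so the file's own
                # encoding and any non-ASCII content are preserved.
                text = forbid_export(data.decode("latin-1"))
                data = text.encode("latin-1")
            # Reusing `info` keeps each stored name and path unchanged.
            dst.writestr(info, data)
    return out.getvalue()
```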
