
McAfee Security Bulletin – OpenSSL Heartbleed vulnerability patched in McAfee products
Security Bulletins ID:  SB10071
Last Modified:  5/8/2015


Summary

Who Should Read This Document: Technical and Security Personnel
Impact of Vulnerability: Information Leak / Disclosure (CWE-717, OWASP 2004:A6)
Cryptographic Issues - (CWE-310)
CVE Numbers: CVE-2014-0160
CERT/CC and Other Number: US CERT VU#720951
Severity Rating: Medium
Base / Overall CVSS Score: 5.0 / 3.9
Recommendations: Install the hotfixes listed below.
Install the patches once they are released.
Regenerate your private keys.
Deploy new SSL certificates.
Revoke old SSL certificates.
Security Bulletin Replacement: None
Caveats: None
Affected Software:

See specific versions affected in the patch table below.

  • eDC - ePO Deep Command
  • EIA - Endpoint Intelligence Agent
  • ePO - ePolicy Orchestrator
  • MEG - McAfee Email Gateway
  • MFE – McAfee Firewall Enterprise
  • MFE CC - McAfee Firewall Enterprise Control Center
  • MS - McAfee SECURE (Trustmark)
  • MSDW - McAfee Security for Lotus Domino on Windows
  • MSLD - McAfee Security for Lotus Domino
  • MSME - McAfee Security for Microsoft Exchange
  • MSMS - McAfee Security for Microsoft Sharepoint
  • MWG – McAfee Web Gateway
  • NGFW – Next Generation Firewall (Stonesoft)
  • RTE - Real Time for ePO
  • SaaS Email – SaaS Email Protection Service and Continuity
  • SaaS Web – SaaS Web Protection
  • SIEM – McAfee Security Information and Event Management (SIEM) / Nitro
  • VPN - McAfee SSLVPN
  • VSEL - VirusScan Enterprise for Linux 
Location of Updated Software: http://www.mcafee.com/us/downloads/downloads.aspx

Description

Several McAfee products are vulnerable to OpenSSL Heartbleed. See the McAfee Product Vulnerability Status lists below for the status of each product.

The Heartbleed Bug
http://heartbleed.com
http://www.mcafee.com/us/about/heartbleed.aspx

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness can allow an attacker to steal information that is normally protected by the SSL/TLS encryption used to secure communications on the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read up to 64K of memory on systems using the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Only products that use the following versions of OpenSSL are vulnerable:
  • 1.0.1 beta 1 – beta 3
  • 1.0.1
  • 1.0.1a – 1.0.1f
  • 1.0.2 beta 1

This bug was introduced to OpenSSL in December 2011 and has been in production since OpenSSL release 1.0.1 on 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug.

In addition to affecting servers, it has been reported that some clients are vulnerable as well:
https://security.stackexchange.com/questions/55249/what-clients-are-proven-to-be-vulnerable-to-heartbleed

Free Heartbleed Detection Tools:

Servers / Websites
McAfee has provided a test server to determine if a server is vulnerable: http://www.mcafee.com/heartbleed

Clients
A client test server to determine if a client (endpoint) is vulnerable is available at: https://github.com/Lekensteyn/pacemaker

A python script to check for vulnerable clients:
https://github.com/Lekensteyn/pacemaker

Android Phones and Devices
McAfee has provided a free Android app to determine if your mobile device is vulnerable:
https://play.google.com/store/apps/details?id=com.mcafee.heartbleed 



CVE-2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
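
The over-read described above comes from trusting the payload length declared inside a heartbeat message instead of the length of the record actually received. The following Python sketch is an added example (not OpenSSL or McAfee code) of the bounds check a fixed implementation or a network signature applies to one cleartext TLS record. The record layout follows RFC 6520; the function names and sample bytes are constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 24   # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding


def check_record(record):
    """Classify one cleartext TLS record.

    Returns 'not-heartbeat', 'malformed', 'length-mismatch' or 'valid'.
    """
    if len(record) < 5:
        return "malformed"
    # Record header: content type (1), protocol version (2), length (2).
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 3:
        return "malformed"
    # Heartbeat message: type (1), declared payload length (2), payload, padding.
    _hb_type, declared = struct.unpack("!BH", body[:3])
    # The check the vulnerable code lacked: type + length field + declared
    # payload + minimum padding must fit inside the record that arrived.
    if 1 + 2 + declared + MIN_PADDING > rec_len:
        return "length-mismatch"
    return "valid"


def flag_records(records):
    """Return the indexes of records whose declared payload exceeds the record."""
    return [i for i, rec in enumerate(records)
            if check_record(rec) == "length-mismatch"]


# Constructed sample records (not captured traffic).
VALID = bytes.fromhex("1803020017" "010004" "70696e67") + bytes(16)
MISMATCH = bytes.fromhex("180302000b" "010400") + b"A" * 8  # declares 1024, carries 8
HANDSHAKE = bytes.fromhex("16030200040e000000")
SHORT = bytes.fromhex("18030200020100")

if __name__ == "__main__":
    for name, rec in [("valid", VALID), ("mismatch", MISMATCH),
                      ("handshake", HANDSHAKE), ("short", SHORT)]:
        print(name, "->", check_record(rec))
```
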


CERT/CC Vulnerability Note VU#720951
OpenSSL heartbeat extension read overflow discloses sensitive information
http://www.kb.cert.org/vuls/id/720951


CWE-119
Weakness Class Improper Restriction of Operations within the Bounds of a Memory Buffer - (119)
http://cwe.mitre.org/data/definitions/119.html


McAfee Product Vulnerability Status
Investigation into all McAfee products is ongoing. Products not on these lists are being investigated. This security bulletin will be updated as additional information is available. Not every version of the “vulnerable and updated” products is vulnerable. See the version information later in this bulletin.

Vulnerable and Updated

  • Endpoint Intelligence Agent (EIA)
  • ePolicy Orchestrator (ePO)
  • ePO Deep Command (eDC)
  • McAfee Email Gateway (MEG)
  • McAfee Firewall Enterprise (MFE)
  • McAfee Firewall Enterprise Control Center (MFE CC)
  • McAfee Real Time for ePO (RTE)
  • McAfee SECURE (MS) / Trustmark
  • McAfee Security for Email Servers (MSES) / GroupShield
  • McAfee Security for Lotus Domino (MSLD)
  • McAfee Security for Microsoft Exchange (MSME)
  • McAfee Security for Microsoft SharePoint (MSMS)
  • McAfee Security Information and Event Management (SIEM) / Nitro
  • McAfee SSLVPN (VPN)
  • McAfee Web Gateway (MWG)
  • Next-Generation Firewall (NGFW) / Stonesoft
  • SaaS Email Protection and Continuity
  • SaaS Web Protection
  • VirusScan Enterprise for Linux (VSEL)

Not Vulnerable

  • Advanced Threat Defense (ATD) / Network Threat Response (NTR)
  • All 3rd Party Consumer Modules (Mozy, LastPass/SafeKey, Daon/Personal Locker)
  • All Partner Custom products
  • All Platform / Web products
  • Anti-Malware Core (AMC)
  • Anti-Malware Engine (AME)
  • Anti-Spam Engine (ASE)
  • AntiVirus Engine
  • Artemis / GTI Cloud Server (CS) / GTI Private Cloud (File Reputation)
  • CleanBoot
  • Content Security Interlock (CSI)
  • Content Security Reporter (CSR)
  • Data Loss Prevention Endpoint (DLPe)
  • Database Activity Monitoring (DAM)
  • Database Vulnerability Manager (DVM)
  • Deep Defender (DD)
  • DeepSAFE
  • Email and Web Security (EWS) / IronMail
  • Endpoint Encryption for Files and Folders (EEFF)
  • Endpoint Encryption for PCs (EEPC) / McAfee Drive Encryption (MDE)
  • Endpoint Encryption for Removable Media – USB (EERM)
  • Endpoint Encryption Manager (EEM)
  • Enterprise Mobility Manager  (EMM) 
  • Gateway Anti-Malware Engine (GAM)
  • Global Threat Intelligence (GTI)
  • Host Data Loss Prevention (HDLP)
  • Host Intrusion Prevention Services (HIPS)
  • Management for Optimized Virtual Environments (MOVE) AntiVirus
  • McAfee Agent (MA) / Common Management Agent (CMA)
  • McAfee Antivirus Plus (Consumer)
  • McAfee Application Control (MAC)
  • McAfee Asset Manager (MAM)
  • McAfee Change Control (MCC) 
  • McAfee Cloud Single Sign On (MCSSO) / McAfee Cloud Identity Manager (MCIM)
  • McAfee Embedded Control (MEC)
  • McAfee Foundation Services (MFS)
  • McAfee Home Network (MHN)
  • McAfee Integrity Control (MIC)
  • McAfee Mobile Security (MMS)
  • McAfee Policy Auditor (MPA)
  • McAfee Quarantine Manager (MQM)
  • McAfee Risk Manager (MRM)
  • McAfee Security Management Center (SMC)
  • McAfee Security for App Store- Cloud (MSAS)
  • McAfee Security for Mac (MSM)
  • McAfee Vulnerability Manager (MVM)
  • McAfee Web Reporter (MWR)
  • Mobile Cloud
  • Network Access Control (NAC)
  • Network Data Loss Prevention (NDLP)
  • Network Security Platform (NSP) / Network Security Management (NSM)
  • Network Threat Behavior Analysis (NTBA)
  • Network User Behavior Analysis (NUBA)
  • One Time Password (OTP) / Nordic Edge / Pledge
  • Pre-Install Scanner
  • SaaS Account Management (SAM)
  • SaaS Email Archiving
  • SaaS Endpoint Protection (SEP)
  • Secure Container (Android and iOS)
  • Site Advisor Enterprise (SAE)
  • McAfee Web Protection (MWP) / SmartFilter
  • Virus Scan Enterprise (VSE)
  • VirusScan for Mac (VSMac)
  • Whole Disk Encryption (WDE)
  • Windows Systems Security (WSS)

For a description of each product, see http://www.mcafee.com/us/apps/products-az.aspx.

Remediation

Go to the McAfee Downloads site and download the hotfix file:

 
| Product | Type | Patch Version | File Name | Release Date |
|---|---|---|---|---|
| EDC | Hotfix | 2.1 Hotfix 962199 | imrsdk_HF962199.zip | April 22, 2014** |
| EIA | Patch | EIA 2.2.1 | eia_epo_deploy_221.zip | April 16, 2014 |
| ePO | Hotfix | 4.6.x Hotfix 960279-2 | EPOHF960279-2.zip | April 11, 2014 (* reposted April 15, 2014) |
| ePO | Hotfix | 5.0.x Hotfix 960279-2 | EPOHF960279-2.zip | April 11, 2014 (* reposted April 15, 2014) |
| ePO | Hotfix | 5.1.0 Hotfix 960279-2 | EPOHF960279-2.zip | April 11, 2014 (* reposted April 15, 2014) |
| MEG | Hotfix | MEG 7.5h960401 OpenSSL hotfix 2846.114 | MEG-7.5h960401-2846.114.zip | April 11, 2014 |
| MEG | Hotfix | MEG 7.6h960405 OpenSSL hotfix 2810.114 | MEG-7.6h960405-2810.114.zip | April 11, 2014 |
| MFE | Hotfix | MFE 8.3.2 ePatch 14 | 8.3.2E14 | April 10, 2014 |
| MFE CC | Patch | Control Center 5.3.2 Patch 1 | 5.3.2E01.zip | April 17, 2014 |
| MS | Patch | N/A | This service was patched by PathDefender, a McAfee partner. | April 22, 2014 |
| MSLD / MSDW | Patch | MSDW 7.5 Patch 2 | HF961473 | April 30, 2014 |
| MSME | Hotfix | 7.6 Rollup 2 (Hotfix 961473) | HF961473 | April 28, 2014 |
| MSME | Patch | 8.0 Patch 1 | HF961473 | April 25, 2014 |
| MSMS | Hotfix | 3.0 Hotfix HF961473 | HF961473 | April 30, 2014 |
| MWG | Patch | 7.3.2.8 | mwgappl-7.3.2.8.0-17286.x86_64.* (use Yum) | April 10, 2014 |
| MWG | Patch | 7.4.1.3 | mwgappl-7.4.1.3.0-17293.x86_64.* (use Yum) | April 10, 2014 |
| NGFW | Patch | 5.5.7 Build 9887 | sg_engine_5.5.7.9887_i386.*; sg_engine_5.5.7.9887_x86-64.* | April 10, 2014 |
| NGFW | Patch | 5.7.1 | See KB81708 | April 30, 2014 |
| OTP | Config | See recommendations below | N/A | N/A |
| Real Time for ePO | Hotfix | 1.0.3 Hotfix (Build 104) | MRTBase.zip; MRTServer 1.0.3 HF.zip | April 14, 2014 |
| Saas Email | Hotfix | SaaS Email was dependent upon MWG. | Used the MWG patch | April 12, 2014 |
| Saas Web | Hotfix | SaaS Email was dependent upon MWG. | Used the MWG patch | April 12, 2014 |
| SIEM | Hotfix | 9.1.4 20140408 (HF2) | Use the standard upgrade files for each SIEM device you own. | April 8, 2014 |
| SIEM | Hotfix | 9.1.4 20140408 (HF2) | Use the standard upgrade files for each SIEM device you own. | April 8, 2014 |
| SIEM | Hotfix | 9.1.4 20140408 (HF2) | Use the standard upgrade files for each SIEM device you own. | April 8, 2014 |
| SIEM | Hotfix | 9.4.0 beta1 HF1 | Use the standard upgrade files for each SIEM device you own. | April 8, 2014 |
| SSL VPN | Hotfix | 1.5.201.2009; 1.5.202.2011 | hotfix_accesspoint_openssl_1_0_1_g_1_i386.v1.5.201.2009.sh; hotfix_accesspoint_openssl_1_0_1_g_1_i386.v1.5.202.2011.sh; hotfix_accesspoint_openssl_1_0_1_g_1_x86.v1.5.201.2009.sh; hotfix_accesspoint_openssl_1_0_1_g_1_x86.v1.5.202.2011.sh | April 10, 2014 |
| VSEL | Hotfix | 1.7.1 Hotfix 961964 | McAfeeVSEForLinux-1.7.1.28698-HF961964.tar.gz | April 22, 2014 |
| VSEL | Hotfix | 1.9 Hotfix 960962 | McAfeeVSEForLinux-1.9.0.28822-HF960962-release.tar.gz | April 22, 2014 |
| VSEL | Hotfix | 2.0 Hotfix 960961 | McAfeeVSEForLinux-2.0.0.28948-HF960961-release.tar.gz | April 22, 2014 |


*See KB81713 for details on why ePO Hotfix 960279 was reposted.
**eDC Hotfix 962199 was posted to ePO Software Manager.

In addition to installing the updates, the following actions are highly recommended:

Regenerating private keys and upgrading SSL certificates
This OpenSSL vulnerability creates the possibility that malicious attackers could extract private keys from an SSL server.

Customers who are using McAfee appliances or products with the SSL feature should re-generate the private keys and SSL certificates and revoke the old certificates ASAP.

You will need to follow the process outlined by your certificate provider to re-issue your certificate using a new private key. After you have re-generated your key and certificate, you must update the certificate on the McAfee products.

Appliances, especially those that have hardcoded service accounts or special user accounts for updates, should ensure that users cannot log in remotely or change the credentials.
 

Product Specific Notes:

eDC:
ePO Deep Command uses a vulnerable library that ships with ePO called IMRSDK. The hotfix replaces the IMRSDK.dll file with a non-vulnerable version.
For remediation steps, see:

  • KB81729 – ePO Deep Command Heartbleed Remediation Instructions
  • PD25164 – Release Notes - ePO Deep Command 2.1 Hotfix HF962199
The following additional remediation steps are recommended:

  1. Re-issue root certificate and re-provision Intel vPro Active Management Technology (AMT) systems.
  2. Change the Admin credentials on every AMT Client. 
     
ePO:
See the remediation KB article for ePolicy Orchestrator:

  • KB81674 - ePolicy Orchestrator Remediation Steps for CVE-2014-0160
Also see the ReadMe file associated with this hotfix.

The hotfix should be installed to the ePO server and any remote Agent Handlers where the ssleay32.dll file version is earlier than 1.0.1.7. See the Release Notes (PD25159) for more information.

If you install the hotfix then upgrade to another affected version of ePO, you must apply the hotfix again.

FIPS 140-2 installs of ePO are not vulnerable. These updates will not install in FIPS mode.

Customers who have already installed the original Hotfix 960279 and have verified their install per instructions in the release notes do not need to install the new re-posted hotfix. The only difference is that the 32-bit and 64-bit versions have been separated.

Only customers who experience the issue described in article KB81713 (ePO Hotfix 960279 (EPOHF960279.zip) is installed to the incorrect directory on ePO 5.x servers) should install the new re-posted version of the hotfix.

NOTE: Remote Agent Handlers are not affected by this install path issue.

 
MEG:
Both McAfee Email Gateway hotfixes update the OpenSSL package to address the following vulnerabilities:

  • CVE-2013-4242 - Susceptible to cache side-channel attack (Gcrypt) [1.9]
  • CVE-2013-4353 - Fix TLS record tampering bug [4.3]
  • CVE-2013-6449 - Fix TLS version checking bug [4.3]
  • CVE-2013-6450 - Fix DTLS retransmission bug [5.8]
  • CVE-2014-0076 - ECDSA cache side-channel attack [4.3] 
  • CVE-2014-0160 - Heartbleed leaking private keys [5.0] 
How will I know if the hotfix (Email Gateway 7.5 Hotfix 7.5h960401 and Email Gateway 7.6 Hotfix 7.6h960405) has patched the vulnerability? 

  1. Open a command-line session on the Appliance.
  2. Type rpm -q openssl and press ENTER.
If the output is:
openssl-1.0.1e-10.mlos2.x86_64
then the patch has been correctly installed, and the appliance is no longer vulnerable.


MFE:
To download McAfee Firewall Enterprise (MFE) 8.3.2E14:

  1. Log in to the McAfee Firewall Enterprise GUI.
  2. Click Maintenance.
  3. Click Software Management.
  4. Click Check for Updates in the Manage Packages tab.
  5. Download and install the available patch for your product version.
Alternatively, it can be downloaded via http://go.mcafee.com/patchindex.html ; you will need your firewall serial number to access the patch.


MFE CC:
See the remediation KB article for McAfee Firewall Enterprise Control Center:

  • KB81699 - REGISTERED - Firewall Enterprise response to CVE-2014-0160 “Heartbleed”
This KB article is available only to registered users. You must first log in to the McAfee ServicePortal (https://support.mcafee.com) to view this article.


MWG:
If you are running the Main Release of MWG and want to update to the fixed 7.3.2.8 version, use the following commands:

mwg-switch-repo 7.3.2.8
yum upgrade

If you are running the Controlled Release of MWG (7.4.x) and want to update to the fixed 7.4.1.3 version, use the following commands:

mwg-switch-repo 7.4.1.3
yum upgrade

To download the ISO files for these versions, go to the McAfee downloads site at:
https://contentsecurity.mcafee.com/software_mwg7_download

MWG 7.3.2.8 Instructions:
https://kc.mcafee.com/corporate/index?page=content&id=PD25155  

MWG 7.4.1.3 Instructions:
https://kc.mcafee.com/corporate/index?page=content&id=PD25156

For further required steps about the risks and remediation please read: "Heartbleed - What to do after upgrading MWG?"
https://kc.mcafee.com/corporate/index?page=content&id=KB81669
 
MWG uses the patched MLOS2 version openssl-1.0.1e-10. Even though the version is 1.0.1e, it has been recompiled with the -DOPENSSL_NO_HEARTBEATS option, so it is not vulnerable.


MSME, MSMS, MSDW, MSLD, MSES:
McAfee Security for Microsoft Exchange (MSME), McAfee Security for Microsoft SharePoint (MSMS), McAfee Security for Lotus Domino (MSLD), and McAfee Security for Email Servers (MSES) / GroupShield can be vulnerable. They include Postgres 8.4.13, which includes OpenSSL 1.0.1f.

By default, the Postgres installation has SSL disabled. There is not an easy way for an admin to enable SSL, but if it is enabled, then Postgres is vulnerable.

HotFix HF961473 updates all of these products to patch the vulnerability.


NGFW and SSL VPN:
Knowledgebase article on Next Generation Firewall response to CVE-2014-0160: https://kc.mcafee.com/corporate/index?page=content&id=KB81708
 
OpenSSL library update (#106380)
The OpenSSL library has been updated to version 1.0.1g to address the issue listed in CVE-2014-0160. The engine uses vulnerable OpenSSL routines only for its TLS management communications and cluster communications between the cluster nodes. Workaround: If you use the default template from dynamic update package 575 or newer, engine exposure is limited, as connections to vulnerable TLS endpoints are allowed only from the Management Server IP address.
 

One Time Password (OTP) / Nordic Edge / Pledge
None of the OTP or NordicEdge product servers are vulnerable; however some customer installations (not OTP server) include an Apache web server. The version installed by McAfee would not be vulnerable, but if you have upgraded them yourselves, then they may have become vulnerable.
 
If new certificates and key pairs have been created as a precaution, then given the high level of assurance OTPs provide, it would be prudent to re-enroll users. Do this by having all users regenerate their Pledge profiles – so if you have Pledge on your PC and mobile device, then you would need to do both. It’s only the enrollment process and the initial download by the client that is affected, but this issue has been in the wild for a long time.
 
Additionally the administrator can get in over HTTPS to the service to administer it.

For admins: Change your password
For users: Re-enroll on PCs and mobile devices


SaaS Email and SaaS Web:
SaaS Email Protection and Continuity and SaaS Web Protection both sit on top of McAfee Web Gateway. MWG was the vulnerable product. The MWG patch was deployed, which fixed the SaaS Email and SaaS Web products.
 
 
VSEL
The VirusScan Enterprise Linux hotfixes update the OpenSSL package to address the below vulnerabilities:

  • CVE-2010-5298 OpenSSL SSL_MODE_RELEASE_BUFFERS vulnerability
  • CVE-2014-0160 - Heartbleed leaking private keys
After applying this Hotfix, the OpenSSL library version is upgraded to 1.0.1g that has a fix for the OpenSSL Heartbeat vulnerability. VirusScan Enterprise for Linux generates new keys and installs the new certificate. When you launch the software interface, you will be prompted to accept the new certificate.

IMPORTANT:
McAfee strongly recommends that you reset the VirusScan Enterprise for Linux administrator password after applying this Hotfix.
 

Intel Products
“Multiple Intel Software Products and API Services impacted by CVE-2014-0160”
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00037&languageid=en-fr 
 

McAfee Product download instructions:
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads.aspx.
  3. Provide your valid McAfee Grant Number.*
  4. Click your product suite.
  5. Click the applicable product (see table above) and click I Agree.
  6. Click the Patches tab and click the link to download the product .ZIP file under the Product column.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see KB56057.  

For instructions on how to install/upgrade this patch, see the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the previous procedure.

Workaround

There is no workaround. Only a recompile of the affected products with the non-vulnerable version of OpenSSL (1.0.1g (or later) or 1.0.2 beta 2 (or later)) or with the -DOPENSSL_NO_HEARTBEATS compiler flag set can fix this vulnerability.
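
A triage helper for the version rules in this bulletin, as an added Python example (not McAfee code): it classifies the output of `openssl version` or `rpm -q openssl` against the affected range listed in the Description and the fixed releases named above. A version number in the affected range is only an indicator, because a vendor rebuild can be fixed while keeping the old number; the only such build recognized here is the MLOS2 package this bulletin names. Function names, host names and the sample inventory are constructed for illustration.

```python
import re
from collections import defaultdict

# Package build the bulletin itself names as fixed although its upstream
# version string (1.0.1e) is in the affected range (MEG and MWG notes).
VENDOR_PATCHED = ("openssl-1.0.1e-10.mlos2",)

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def classify(report):
    """Classify one `openssl version` or `rpm -q openssl` output line."""
    text = report.strip().lower()
    if any(pkg in text for pkg in VENDOR_PATCHED):
        return "vendor-patched"
    match = _VERSION.search(text)
    if match is None:
        return "unknown"
    base = tuple(int(match.group(i)) for i in (1, 2, 3))
    letter = match.group(4)
    beta = int(match.group(5)) if match.group(5) else None
    if base == (1, 0, 1):
        # 1.0.1 betas, 1.0.1 itself and 1.0.1a-1.0.1f are affected;
        # 1.0.1g and later letters carry the fix.
        if beta is not None or letter < "g":
            return "vulnerable"
        return "not-vulnerable"
    if base == (1, 0, 2) and beta == 1:
        return "vulnerable"
    # Everything else (0.9.8, 1.0.0, 1.0.2 beta 2 and later) is outside
    # the affected list.
    return "not-vulnerable"


def triage(inventory):
    """Group hosts by verdict; inventory maps host name -> reported line."""
    groups = defaultdict(list)
    for host, report in sorted(inventory.items()):
        groups[classify(report)].append(host)
    return dict(groups)


# Constructed sample inventory (host names and report lines are made up).
SAMPLE_INVENTORY = {
    "mail-gw-01": "openssl-1.0.1e-10.mlos2.x86_64",
    "web-01": "OpenSSL 1.0.1f 6 Jan 2014",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "lab-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "unknown-01": "command not found",
}

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict}: {', '.join(hosts)}")
```

Hosts reported as vulnerable by version still need the build confirmed with the vendor before they are treated as exposed or cleared.
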

Some customers are turning off outbound TLS.  This keeps information from leaking; however encrypted SSL traffic is disabled.

Mitigations:
Several McAfee products have signatures to help mitigate this vulnerability. These include:
  • NGFW
    • Detection / prevention update
       
  • SIEM
    • Heartbleed mitigation rules for the NitroSecurity IPS / McAfee NTP available for download via the SIEM rule server. They stop heartbleed requests from entering your network. 
    • Set up the ACL feature restricting web access
       
  • MVM – McAfee Vulnerability Manager
  • NSP – Network Security Platform
    • Network detection signature – a UDS
Download the latest content for each and enable the checks if they are not enabled by default.

Acknowledgements

No acknowledgement due.

McAfee was given no prior knowledge of this vulnerability (zero-day). It was announced late Monday, April 7, 2014. See http://heartbleed.com.

Support

Corporate Technical Support:

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?

eDC – McAfee ePO Deep Command:

Affected Versions:
  • 1.5
  • 2.0
  • 2.1
Protected Versions:
  • Update the Imrsdk.dll on ePO 4.6.x, 4.7.x, and 5.x.x servers.
NOTE: Imrsdk.dll is Intel® Active Management Technology Redirection SDK Library; McAfee ePO Deep Command uses this library.


EIA – Endpoint Intelligence Agent:

Affected Versions:
  • NIA 1.0
  • NIA 1.0.1
  • EIA 2.0.0
  • EIA 2.1.0
  • EIA 2.2.0
Protected Versions:
  • EIA 2.2.1 or later
NOTE: Network Integrity Agent (NIA) later changed its name to Endpoint Intelligence Agent (EIA).


ePO - McAfee ePolicy Orchestrator

Affected Versions:
  • 4.5.7
  • 4.6.5 - 4.6.7
  • 5.0.0 - 5.0.1
  • 5.1.0
Protected Versions:
  • 4.5.6 and earlier
  • 4.6.0 – 4.6.4*
  • 4.6.x universal hotfix
  • 5.0.x universal hotfix
  • 5.1.x universal hotfix
NOTES:
  • ePO 4.5 ended support on December 31st 2013. The recommended path to protect your systems from this vulnerability is to upgrade to one of the protected, supported versions.
  • Some hotfixes for ePO 4.6.0 – 4.6.4 included a vulnerable version of OpenSSL. If you applied an ePO hotfix that upgraded Apache, please use the instructions in Product specific notes above or PD25159 to verify whether your server is affected.

MEG – McAfee Email Gateway:
 
Affected Versions:
  • 7.5
  • 7.6
Protected Versions:
  • EWS 5.6.x and earlier
  • 6.7.2 (IronMail)
  • 7.0.x and earlier
  • 7.5 Hotfix 960401
  • 7.6 Hotfix 960405
 
MFE – McAfee Firewall Enterprise:
 
Affected Versions:
  • MFE 8.3.2
Protected Versions:
  • MFE 8.3.1 and earlier
  • MFE 8.3.2 ePatch 14

MFE CC – McAfee Firewall Enterprise Control Center:

Affected Versions:
  • MFE CC 5.3.2
Protected Versions:
  • MFE CC 5.2.1
  • MFE CC 5.3.2 Patch 1 (E01)
     
MWG – McAfee Web Gateway:
 
Affected Versions:
  • MWG 7.3.x
  • MWG 7.4.x
Protected Versions:
  • 7.1.x
  • 7.2.x
  • 7.3.2.8 or later
  • 7.4.1.3 or later

MSLD – McAfee Security for Lotus Domino:
MSDW - McAfee Security for Lotus Domino on Windows:

Affected Versions:
  • 7.5
Protected Versions:
  • 7.5 Patch 2 (HF961473) or later

MSME – McAfee Security for Microsoft Exchange:

Affected Versions:
  • 7.6
  • 8.0
Protected Versions:
  • 7.6 Rollup 2 (HF961473) or later
  • 8.0 Patch 1 (HF961473) or later

MSMS – McAfee Security for Microsoft SharePoint:

Affected Versions:
  • 3.0
Protected Versions:
  • 3.0 Hotfix HF961473 or later

NGFW – McAfee Next Generation Firewall (Stonesoft):
 
Affected Versions:
  • 5.5.0 - 5.5.6
  • 5.7.0 beta
  • 5.7.0
Protected Versions:
  • 5.5.7  (or 5.5.x versions later than 5.5.7)
  • 5.7.1 or later
 
SIEM – McAfee Security Information and Event Management (SIEM) / Nitro:
 
Affected Versions:
 
All current SIEM devices are vulnerable, including:
  • 9.1.x
  • 9.2.x
  • 9.3.x
  • 9.4.0 beta
 
Protected Versions:
  • 9.1.4 HF2 (20140408) or later
  • 9.2.2 HF5 (20140408) or later
  • 9.3.2 HF7 (20140408) or later
  • 9.4.0 beta1 HF1
  • NitroSecurity (pre-McAfee) SIEM prior to v9.1
     
SSL VPN – McAfee SSL Virtual Private Network:

Affected Versions:
  • 1.5.200
  • 1.5.201
  • 1.5.202
Protected Versions:
  • 1.5.201.2009 or later
  • 1.5.202.2011 or later

VSEL – McAfee VirusScan Enterprise for Linux (LinuxShield):

Affected Versions:
  • 1.7.1
  • 1.8
  • 1.9
  • 2.0
Protected Versions:
  • 1.7.0
  • 1.7.1 Hotfix 961964 or later
  • 1.9 Hotfix 960962 or later
  • 2.0 Hotfix 960961 or later

McAfee recommends that all customers verify that they have applied the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes. All of the affected products are Enterprise products.


How do I know if my McAfee product is vulnerable or not? 
Check your McAfee product version against those in the FAQ section above.

For Endpoint products:
Use the following instructions for endpoint or client based products:
  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, click Action Menu.
  4. In the Action Menu, click Product Details.
  5. The product version is displayed.
For ePO and Server products:
Use the following instructions for server based products:
  1. Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
For ePO integrated products:
Use the following instructions for server based products:
  1. Create a query in ePO for the product version of the product installed within your organization.
For Appliance based products:
Use the following instructions for Appliance based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link.
  3. The product version is displayed.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.


What are the CVSS scoring metrics that have been used?

CVE-2014-2587
 Base Score 5.0
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Low
 Level of authentication needed (Authentication) None
 Confidentiality impact Partial
 Integrity impact None
 Availability impact None
 Temporal Score 3.9
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

What has McAfee done to resolve the issue?
McAfee has released several product updates to address this security flaw.


Where do I download the fix?
The fix can be downloaded from: http://www.mcafee.com/us/downloads/downloads.aspx
Users will need to provide their McAfee Grant Number to initiate the download. 


How does McAfee respond to this and any other security flaws?
The McAfee key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee's policy is to only publish product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would be informing the hacker community that our products are a target, putting our customers at greater risk. 

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
