McAfee Security Bulletin – Seven OpenSSL vulnerabilities patched in McAfee products
Security Bulletins ID:   SB10075
Last Modified:  1/10/2017


Summary

Who Should Read This Document: Technical and Security Personnel
Impact of Vulnerability: Man-in-the-Middle Attack (CWE-300)
Malicious File Execution (CWE-714)
Injection Flaws (CWE-713)
Denial of Service (CWE-730)
CVE Numbers: CVE-2014-0224
CVE-2014-0221
CVE-2014-0195
CVE-2014-0198
CVE-2010-5298
CVE-2014-3470
CVE-2014-0076
CERT/CC and Other Number: US CERT VU#978508
Severity Rating: Medium
Base / Overall CVSS Score: CVE-2014-0224: 6.8/6.1
CVE-2014-0221: 4.3/3.9
CVE-2014-0195: 6.8/6.1
CVE-2014-0198: 4.3/3.9
CVE-2010-5298: 4.0/3.6
CVE-2014-3470: 4.3/3.9
CVE-2014-0076: 4.3/3.9
Recommendations: Install the hotfixes listed below.
Install the patches to replace the hotfixes once they are released.
Security Bulletin Replacement: None
Caveats: None
Affected Software:

See specific versions affected in the patch table below.

  • ATD - Advanced Threat Defense
  • EWS - Email and Web Security / IronMail
  • ePO - ePolicy Orchestrator
  • LastPass/SafeKey
  • MA Mac - McAfee Agent for Mac
  • MAM - McAfee Asset Manager
  • MC - Mobile Cloud
  • MEG - McAfee Email Gateway
  • MSAS - McAfee Security for App Store - Cloud
  • MSDW - McAfee Security for Lotus Domino on Windows
  • MSLD - McAfee Security for Lotus Domino
  • MSME - McAfee Security for Microsoft Exchange
  • MSMS - McAfee Security for Microsoft SharePoint
  • MWG – McAfee Web Gateway
  • NDLP - Network Data Loss Prevention
  • NSP - Network Security Manager(NSM) Software
  • RTE - McAfee Real Time for ePO
  • SaaS AM - SaaS Account Management
  • SIEM – McAfee Security Information and Event Management (Nitro)
  • VSEL - VirusScan Enterprise for Linux
Location of Updated Software: http://www.mcafee.com/us/downloads/downloads.aspx

Description

Several McAfee products are vulnerable to a batch of six (6) new OpenSSL vulnerabilities and one (1) previously known vulnerability published post-Heartbleed. Unlike Heartbleed, these vulnerabilities affect older versions of OpenSSL. This means more than the 19 McAfee products affected by Heartbleed (SB10071) may be affected.

Products that use the following versions of OpenSSL SSL/TLS are vulnerable:
  • 0.9.8a-y
  • 1.0.0a-l
  • 1.0.1a-g

Products that use the following versions of OpenSSL SSL/TLS are not vulnerable:
  • 0.9.8e.mlos1 (MLOS1)
  • 0.9.8za
  • 1.0.0m
  • 1.0.1e-13 (MLOS2)
  • 1.0.1e-16 (MLOS1)
  • 1.0.1h
NOTE: McAfee Linux OS (MLOS) provides a standardized Linux platform on which McAfee security appliances are built. All MLOS versions are built from RedHat’s GPL sources and are used in various McAfee point products.
  • MLOS1 - Built from CentOS 5 sources
  • MLOS2 - Built from RHEL 6 sources
  • MLOS3 - Built from RHEL 7 sources (in alpha testing now)
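The two version lists above, applied to a software inventory. This is an added example, not McAfee or OpenSSL code. The host names and inventory are constructed. Treating letter releases later than the listed fixed release as fixed is an assumption of the example that goes beyond the lists.

```python
import re

# Data copied from the bulletin's "vulnerable" and "not vulnerable" lists.
VULNERABLE_RANGE = {"0.9.8": ("a", "y"), "1.0.0": ("a", "l"), "1.0.1": ("a", "g")}
FIRST_FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
# Vendor builds with backported fixes (MLOS1 / MLOS2) that the bulletin lists.
FIXED_VENDOR_BUILDS = {"0.9.8e.mlos1", "1.0.1e-13", "1.0.1e-16"}

_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)([a-z]{0,2})(.*)$")


def _letter_key(letters):
    # Letter releases run a..z and then za, zb, ...: compare by length first.
    return (len(letters), letters)


def classify(raw):
    """Map a version string to a triage status for the bulletin's seven CVEs."""
    tokens = raw.strip().lower().split()
    if tokens and tokens[0] == "openssl":      # accept `openssl version` output
        tokens = tokens[1:]
    if not tokens:
        return "unparsed"
    version = tokens[0]
    if version in FIXED_VENDOR_BUILDS:
        return "not-vulnerable"
    match = _VERSION_RE.match(version)
    if not match:
        return "unparsed"
    branch, letters, suffix = match.groups()
    if suffix:
        # A package suffix means a vendor build: the upstream letter alone
        # does not say whether the fixes were backported (1.0.1e-13 is fixed,
        # plain 1.0.1e is not), so it needs the vendor's advisory.
        return "check-vendor-build"
    if branch not in VULNERABLE_RANGE or not letters:
        return "unlisted"                      # not on either list in the bulletin
    low, high = VULNERABLE_RANGE[branch]
    key = _letter_key(letters)
    if _letter_key(low) <= key <= _letter_key(high):
        return "vulnerable"
    if key >= _letter_key(FIRST_FIXED[branch]):
        return "not-vulnerable"                # assumption: later releases keep the fix
    return "unlisted"


# Constructed inventory: (host, reported OpenSSL version string).
SAMPLE_INVENTORY = [
    ("gw-01", "1.0.1e-13"),
    ("gw-02", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    ("mail-01", "1.0.1g"),
    ("agent-mac-07", "0.9.8g"),
    ("siem-01", "0.9.8za"),
    ("legacy-03", "0.9.8"),
]


def triage(inventory):
    """Group hosts by status so the 'vulnerable' bucket can be patched first."""
    buckets = {}
    for host, version in inventory:
        buckets.setdefault(classify(version), []).append(host)
    return buckets


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```
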

OpenSSL Security Advisory [05 Jun 2014]
https://www.openssl.org/news/secadv_20140605.txt

OpenSSL Vulnerabilities
For detailed vulnerable version information see:
https://www.openssl.org/news/vulnerabilities.html

See the McAfee Product Vulnerability Status lists below for the status of each product.
  1. CVE-2014-0224: Man-in-the-Middle (MITM) attack
    An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

    The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224

    CERT/CC Vulnerability Note VU#978508
    OpenSSL is vulnerable to a man-in-the-middle attack
    http://www.kb.cert.org/vuls/id/978508

    How I discovered CCS Injection Vulnerability (Lepidum Engineers’ Blog)
    http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html  
    https://www.imperialviolet.org/2014/06/05/earlyccs.html 
     
    NET SECURITY Article
    http://www.net-security.org/secworld.php?id=16966 
     
  2. CVE-2014-0221: DoS attack
    By sending an invalid DTLS handshake to an OpenSSL DTLS client, the code can be made to recurse, eventually crashing in a DoS attack.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0221
     
  3. CVE-2014-0195: Arbitrary code execution on a vulnerable client or server
    A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0195
     
  4. CVE-2014-0198: DoS attack
    A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198
     
  5. CVE-2010-5298: DoS attack or session injection
    A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298 
     
  6. CVE-2014-3470: DoS attack
    OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial-of-service attack.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3470
     
  7. CVE-2014-0076: Side-channel Attack
    The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. (Fixed earlier in OpenSSL 1.0.1g)
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076

McAfee Product Vulnerability Status
Investigation into all McAfee products is ongoing. This security bulletin will be updated as additional information is available.

The products denoted below are either vulnerable and patched or not vulnerable to these OpenSSL vulnerabilities: 

Vulnerable and Updated
  • Third-Party Consumer Module: LastPass/SafeKey
  • Advanced Threat Defense (ATD) / Network Threat Response (NTR)
  • Email and Web Security (EWS)
  • ePolicy Orchestrator (ePO)
  • McAfee Agent for Mac (MA Mac)
  • McAfee Asset Manager (MAM)
  • McAfee Email Gateway (MEG)
  • McAfee Network Security Platform (NSP) / Network Security Manager (NSM)
  • McAfee Real Time for ePO (RTE)
  • McAfee Security for App Store - Cloud (MSAS)
  • McAfee Security for Lotus Domino on Windows
  • McAfee Security for Lotus Domino
  • McAfee Security for Microsoft Exchange
  • McAfee Security for Microsoft SharePoint
  • McAfee Network Data Loss Prevention (NDLP)
  • McAfee Web Gateway (MWG)
  • McAfee Security Information and Event Management (SIEM) / Nitro
  • Mobile Cloud (MC)
  • SaaS Account Management (SaaS AM)
  • VirusScan Enterprise for Linux (VSEL)
Not Vulnerable – Use OpenSSL
  • Artemis
  • Drive Encryption (DE) - (formerly known as Endpoint Encryption for PC)
  • Endpoint Encryption for Files and Folders (EEFF)
  • Endpoint Encryption Manager (EEM)
  • Endpoint Encryption for PC (EEPC)
  • Endpoint Encryption for Removable Media – USB (EERM) - (Now known as Removable Media Protection and is part of FRP)
  • Enterprise Mobility Manager (EMM)
  • File and Removable Media Protection (FRP) - (formerly known as Endpoint Encryption for Files and Folders)
  • ePO Deep Command (eDC)
  • GTI API
  • GTI Cloud Server (CS)
  • GTI Private Cloud (File Reputation)
  • GTI Proxy
  • McAfee Agent (MA) for Windows / Common Management Agent (CMA)
  • McAfee Network Security Sensor
  • McAfee Policy Auditor (MPA)
  • McAfee Application Control (MAC)
  • McAfee Change Control (MCC)
  • McAfee Embedded Control (MEC)
  • McAfee Security for App Store - Cloud (MSAS)
  • McAfee Vulnerability Manager (MVM)
  • Policy Auditor (PA)
Not Vulnerable – Do Not Use OpenSSL
  • Third-Party Consumer Module: Daon/Personal Locker
  • All Partner Custom products
  • All Platform / Web products
  • Anti-Malware Core (AMC)
  • Content Security Interlock (CSI)
  • Content Security Reporter (CSR)
  • Data Loss Prevention Endpoint (DLPE)
  • Database Activity Monitoring (DAM)
  • Database Vulnerability Manager (DVM)
  • Gateway Anti-Malware Engine (GAM)
  • Host Intrusion Prevention Services (HIPs)
  • McAfee Antivirus Plus (Consumer)
  • McAfee Cloud Single Sign On (MCSSO) / McAfee Cloud Identity Manager (MCIM)
  • McAfee Foundation Services (MFS)
  • McAfee Home Network (MHN)
  • McAfee Mobile Security (MMS)
  • McAfee Web Reporter (MWR)
  • Mobile ePO (MePO)
  • One Time Password (OTP) / Nordic Edge / Pledge
  • Pre-Install Scanner
  • SaaS Endpoint Protection (SEP/TPS)
  • Secure Container (Android and iOS)
  • Virus Scan Enterprise (VSE)
  • VirusScan for Mac (VSMac)
For a description of each product, see: http://www.mcafee.com/us/apps/products-az.aspx

Remediation

Go to the McAfee Downloads site and download the applicable product patch/hotfix file:

NOTE: This remediation table will be updated daily.
 
| Product | Type | Patch Version | File Name | Release Date |
|---|---|---|---|---|
| ATD | Patch | 3.0.4.94 | amas-3.0.4.94.39056.msu | June 18, 2014 |
| ePO | Hotfix | 4.6.0-4.6.8 Hotfix HF973112; 5.0.0-5.1.0 Hotfix HF973112 | ePOHF973112.zip* | June 10, 2014 |
| LastPass/SafeKey | Patch | Patched the day the vulnerability was made public. | Product Update | June 5, 2014 |
| EWS | Hotfix | EWS-5.6h973308- OpenSSL hotfix 2964.107 | EWS-5.6h973308-2964.107.zip | June 23, 2014 |
| MA Mac | Hotfix | MA 4.6.0 Patch 3 Hotfix 974930 | MA460P3HF974930Mac.zip | June 18, 2014 |
| MA Mac | Hotfix | MA 4.8.0 Patch 2 Hotfix 974930 | MA480P2HF974930Mac.zip | June 18, 2014 |
| MAM | Hotfix | MAM 6.6 Hotfix 7 | mam_hotfix_pack7.sh | July 14, 2014 |
| MC | Hotfix | Cloud patched | Cloud patched | June 20, 2014 |
| MEG | Hotfix | MEG-7.0.5h973323- OpenSSL hotfix 2934.109 | MEG-7.0.5h973323-2934.109.zip | June 23, 2014 |
| MEG | Hotfix | MEG 7.5h968383 OpenSSL hotfix 2846.121 | MEG-7.5h968383-2846.121.zip | June 23, 2014 |
| MEG | Hotfix | MEG 7.6h968406 OpenSSL hotfix 3044.102 | MEG-7.6h960406-3044.102.zip | June 23, 2014 |
| MSLD/MSDW | Patch | MSDW 7.5 Patch 2 | MSDW75HF975466.zip | June 24, 2014 |
| MSME | Patch | 8.0 Patch 1 | MSME80HF975466.zip | June 24, 2014 |
| MSME | Hotfix | 7.6 Rollup 2 | MSME76HF975466.zip | June 26, 2014 |
| MSMS | Hotfix | 3.0 | MSMSv30-HF975466.zip | June 27, 2014 |
| MSAS | Hotfix | Cloud patched | Cloud patched | June 20, 2014 |
| MWG | Patch | 7.3.2.10 | mwgappl-7.3.2.10.0-17286.x86_64.* (use Yum) | June 6, 2014 |
| MWG | Patch | 7.4.2.1 | mwgappl-7.4.2.1.0-17293.x86_64.* (use Yum) | June 6, 2014 |
| NDLP | Hotfix | NDLP version 9.3.2 | hotfix_97697_47171_03.tar.gz (1650/3650); hotfix_1020759_47238_04.tar.gz (4400/5500/VM) | December 9, 2014 |
| NSP | Hotfix | NSM 6.1.15.39, 7.1.5.15, 7.5.5.10, 8.1.7.5.1, 8.1.7.5.2, 8.1.7.5.3 | | July 30, 2014 |
| RTE | Hotfix | 1.0.3.105 Hotfix HF973794 | MRTServer1.0.3.105_HF973794.zip | June 16, 2014 |
| RTE | Hotfix | 2.1.0.113 Hotfix HF973799 | MRT2.1.0.113_HF973799.zip | June 16, 2014 |
| SIEM | Hotfix | 9.1.4 (HF3) | Use the standard upgrade files for each SIEM device you own. | June 6, 2014 |
| SIEM | Hotfix | 9.2.2 (HF6) | Use the standard upgrade files for each SIEM device you own. | June 6, 2014 |
| SIEM | Hotfix | 9.3.2 (HF11) | Use the standard upgrade files for each SIEM device you own. | June 6, 2014 |
| SIEM | Hotfix | 9.4.0 GA | Use the standard upgrade files for each SIEM device you own. | June 5, 2014 |
| VSEL | Hotfix | 1.6 Hotfix 961964 | McAfeeVSEForLinux-1.6.0.28698-HF961964.tar.gz | June 23, 2014 |
| VSEL | Hotfix | 1.7.1 Hotfix 973565 | McAfeeVSEForLinux-1.7.1.28698-HF973565.tar.gz | June 23, 2014 |
| VSEL | Hotfix | 1.9 Hotfix 972024 | McAfeeVSEForLinux-1.9.0.28822-HF972024-release.tar.gz | June 23, 2014 |
| VSEL | Hotfix | 2.0 Hotfix 967083 | McAfeeVSEForLinux-2.0.0.28948-HF967083-release.tar.gz | June 23, 2014 |

*NOTE: There are separate installers for ePO 4.6.x (ePOHF973112_4x.exe) and ePO 5.x (ePOHF973112_5x.exe) inside the ePO .zip file listed above.

Product Specific Notes:

DAM/DVM:

DAM and DVM are not vulnerable. There are two versions of DAM/DVM:

- ePO managed: No OpenSSL is used in this version because all communication is performed through the McAfee Agent
- Standalone: OpenSSL 0.9.8 is used only on the client (the server uses Java) and none of the vulnerable settings are used.

ePO:
The single hotfix provided is for all of the following versions of ePO:
  1. ePO 4.6.x
  2. ePO 5.0.x
  3. ePO 5.1.1
FIPS 140-2 installs of ePO are not vulnerable because OpenSSL FIPS 0.9.8 and 0.9.8x are not affected. This hotfix will not install in FIPS mode.
For more information, see the following release notes:
PD25233 - ePolicy Orchestrator 5.x / 4.6 Hotfix 973112 Release Notes


EMM:

EMM uses OpenSSL 0.9.8.11, but it's not impacted by these issues.
 


MA for Mac:

McAfee Agent for Mac is the only platform of McAfee Agent that is impacted. The hotfixes provided will upgrade previous versions of MA 4.6 and 4.8 to the current hotfix level.

  • PD25256 - McAfee Agent 4.6.0 for Mac Patch 3 Hotfix 974930 Release Notes
  • PD25255 - McAfee Agent 4.8.0 for Mac Patch 2 Hotfix 974930 Release Notes

ePO/MA for Mac is only vulnerable to the SSL/TLS MITM vulnerability (CVE-2014-0224). This vulnerability only applies if specific vulnerable versions of OpenSSL are used on both the server and the client. MA uses OpenSSL 0.9.8 on Mac OS X with MA 4.5, MA 4.6 and MA 4.8, so only Mac OS X platforms were affected.

MAC / MCC:

MAC / MCC and MEC products use openssl-0.9.8k, but this is only used at compile time to generate hashes. They do not ship OpenSSL in a state where it can be exploited, so they are not vulnerable. They do not initiate any Client/Server communication using OpenSSL and no mechanism is available for anyone else to initiate/receive any openssl communication as OpenSSL libraries or binaries are not available within the products.

MAM:

While the MAM product itself is not vulnerable, the underlying platform we provide with the product (based on Debian Linux) is vulnerable. Apply the provided patch to fix the Heartbleed II and Gnu-TLS vulnerabilities. This patch should be installed on systems running the MAM console and sensors.

MePO:

MePO is not vulnerable by itself, but it relies on ePO for cryptography and communications.
  

MC / MSAS:

Mobile Cloud and MSAS are not vulnerable. The deployment environment (load balancers) was vulnerable to CVE-2014-0224 and has been updated. The MSAS application servers are not externally facing. All external requests coming into them terminate at the load balancers.

MSME, MSMS, MSDW, MSLD, MSES:

McAfee Security for Microsoft Exchange (MSME), McAfee Security for Microsoft SharePoint (MSMS), McAfee Security for Lotus Domino (MSLD), and McAfee Security for Email Servers (MSES) / GroupShield can be vulnerable. They include Postgres 8.4.21-3, which includes OpenSSL 1.0.1g. By default, the Postgres installation has SSL turned off. There isn’t an easy way for an admin to turn SSL on, but if an admin turns it on, Postgres is vulnerable.

MWG:

If you are running the Main Release of MWG and want to update to the fixed 7.3.2.10 version, please use the following commands:

mwg-switch-repo 7.3.2.10
yum upgrade


If you are running the Controlled Release of MWG (7.4.x) and want to update to the fixed 7.4.2.1 version, please use the following commands:

mwg-switch-repo 7.4.2.1
yum upgrade


To download the ISO files for these versions, go to the McAfee Downloads site at:
https://contentsecurity.mcafee.com/software_mwg7_download

NDLP:
NDLP was only vulnerable to CVE-2014-0224. A few issues were reported on the hotfix released on July 30, 2014. A new hotfix has been released. The older hotfix has also been updated to install only on legacy appliances.
 
RTE:

There are two hotfixes for RTE (Real Time for ePO). Download the release notes.

  • PD25240 – Real Time for ePolicy Orchestrator 1.0.3.105 Hotfix 973794 Release Notes
  • PD25241 – Real Time for ePolicy Orchestrator 2.1.0.113 Hotfix 973799 Release Notes

SaaS Email and SaaS Web:

SaaS Email Protection and Continuity and SaaS Web Protection both sit on top of McAfee Web Gateway. MWG was the vulnerable product. The MWG patch was deployed, which fixed the SaaS Email and SaaS Web products.

SIEM:
All versions of SIEM going back to 8.0.0 use OpenSSL 0.9.8 and/or 1.0.1a-g and are thus vulnerable. All customers using versions prior to 9.1.4 are strongly urged to upgrade to 9.3.2 or 9.4.0. OpenSSL 0.9.8za is not vulnerable.

SIEM 9.1.4 and 9.2.2 are only being supported for critical issues. Customers are encouraged to upgrade to 9.3.2 (hf11) or even better, 9.4.0 GA. McAfee will still be releasing 9.1 and 9.2 security patches.


McAfee Product Download Instructions
  1. Launch your browser, such as Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx
  3. Provide your valid McAfee Grant Number. *
  4. Click your product suite.
  5. Click the applicable product (see table above) and click I Agree.
  6. Click the Patches tab and click the link to download the product *.zip file under the Product column.

* NOTE: The Content and Cloud Security portal does not require a McAfee Grant number; however, customers have received login credentials together with their MWG license / Cloud and Content Security Portal license.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.

For instructions on how to install these hotfixes / patches, please review the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the same steps above.

Workaround

None.
 
Mitigations
Several McAfee products have signatures to help mitigate this vulnerability. These include:
  • MVM -- McAfee Vulnerability Manager 
    • FSL vulnerability checks
    • FID checks with corresponding descriptions and CVE references:
       
      | FID # | Description | CVE # |
      |---|---|---|
      | *16684 | *OpenSSL SSL/TLS Man-In-The-Middle Injection Attack | CVE-2014-0224 |
      | 16808 | (SB10075) McAfee ePolicy Orchestrator OpenSSL Multiple Vulnerabilities | CVE-2014-0195, CVE-2010-5298, CVE-2014-0076, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 |
      | 91510 | Oracle Enterprise Linux ELSA-2014-0625 Update Is Not Installed | CVE-2010-5298, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 |
      | 91511 | Oracle Enterprise Linux ELSA-2014-0624 Update Is Not Installed | CVE-2014-0224 |
      | 91512 | Oracle Enterprise Linux ELSA-2014-0626 Update Is Not Installed | CVE-2012-2110, CVE-2014-0224 |
      | 140466 | Red Hat Enterprise Linux RHSA-2014-0626 Update Is Not Installed | CVE-2014-0224 |
      | 140467 | Red Hat Enterprise Linux RHSA-2014-0624 Update Is Not Installed | CVE-2014-0224 |
      | 140468 | Red Hat Enterprise Linux RHSA-2014-0625 Update Is Not Installed | CVE-2010-5298, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 |
      | 174504 | Scientific Linux Security ERRATA Important: openssl097a and openssl098e on SL5.x, SL6.x i386/x86_64 (1406-800) | CVE-2014-0224 |
      | 174505 | Scientific Linux Security ERRATA Important: openssl on SL6.x i386/x86_64 (1406-953) | CVE-2010-5298, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 |
      | 85731 | CentOS 5 CESA-2014-0624 Update Is Not Installed | CVE-2014-0224 |
      | 85732 | CentOS 5, 6 CESA-2014-0626 Update Is Not Installed | CVE-2014-0224 |
      | 181211 | FreeBSD OpenSSL Multiple Vulnerabilities (5ac53801-ec2e-11e3-9cf3-3c970e169bc2) | CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 |
      | 187962 | Fedora Linux 19 FEDORA-2014-7101 Update Is Not Installed | CVE-2010-5298, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 |
      | 187963 | Fedora Linux 20 FEDORA-2014-7102 Update Is Not Installed | CVE-2010-5298, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 |
      | 184429 | Ubuntu Linux 10.04, 12.04, 13.10, 14.04 USN-2232-1 Update Is Not Installed | CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 |
      | 58861 | Debian Linux 7.0 DSA-2950-1 Update Is Not Installed | CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 |
      | 85730 | CentOS 6 CESA-2014-0625 Update Is Not Installed | CVE-2010-5298, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 |

      * Recommended check to be added.

Download the latest content for each and enable the checks if they are not enabled by default.

Acknowledgements

This vulnerability was first disclosed by CERT/CC Vulnerability Note VU#978508.

Support

Corporate Technical Support:

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
See the list above. Products not on the list are being investigated. McAfee recommends that all customers verify that they have applied the latest updates.
ePO – McAfee ePolicy Orchestrator:

Hotfix 973112 should be installed to the ePO server and any remote Agent Handlers where the ssleay32.dll file version is not 1.0.1.8 or later. See the hotfix Release Notes for more information. 

NOTES:
  • FIPS 140-2 installs of ePO are not vulnerable.
  • ePO 4.5 ended support on December 31, 2013. The recommended path to protect your systems from this vulnerability is to upgrade to one of the protected, supported versions.
  • Although ePO 4.6.0-4.6.4 RTW did not contain an affected version of OpenSSL, some hotfixes for ePO 4.6.0 – 4.6.4 included a vulnerable version. If you applied an ePO hotfix that upgraded Apache, please review PD25233 to verify whether your server is affected.
MA Mac - McAfee Agent for Mac:

Affected Versions:
  • 4.5 for Mac OS X and earlier (uses 1.0.1e/0.9.8g) (EOL 30 June 2014)
  • 4.6.0 Patch 3 for Mac OS X and earlier (uses 1.0.1e/0.9.8g)
  • 4.8.0 Patch 2 for Mac OS X and earlier (uses 1.0.1e/0.9.8g)
Protected Versions:
  • 4.6.0 with Patch 3 Hotfix 974930 and later
  • 4.8.0 with Patch 2 Hotfix 974930 and later
MAM - McAfee Asset Manager

Affected versions:
The affected versions before applying the hotfix are:
  • MAM 6.6 (all console and sensor builds)
Protected versions:
The protected versions after applying the hotfix are:
  • MAM 6.6 with Hotfix 7 (updates OpenSSL to 0.9.80-4squeeze1 and Libgnutls to 2.8.6-1+squeeze4)
MSLD – McAfee Security for Lotus Domino and MSDW – McAfee Security for Lotus Domino on Windows:

Affected Versions:

  • 7.5 Patch 2 (HF961473) and earlier (uses 1.0.1g in PostgreSQL 8.4.21-3)
Protected Versions:
  • 7.5 Patch 3 or later
MSME – McAfee Security for Microsoft Exchange:
Affected Versions:
  • 7.6 (uses 1.0.1g in PostgreSQL 8.4.21-3)
  • 8.0 (uses 1.0.1g in PostgreSQL 8.4.21-3)

Protected Versions:

  • 7.6 Rollup 2 (HF961473) or later
  • 8.0 Patch 1 (HF961473) or later
MSMS – McAfee Security for Microsoft SharePoint:
Affected Versions:
  • 3.0 (uses 1.0.1g in PostgreSQL 8.4.21-3)
MWG – McAfee Web Gateway:

Affected Versions:
  • MWG 7.3.2.9 and earlier
  • MWG 7.4.2.0 and earlier
Protected Versions:
  • 7.3.2.10 or later (use 1.0.1e-13 in MLOS2 and is not vulnerable)
  • 7.4.2.1 or later (use 1.0.1e-13 in MLOS2 and is not vulnerable)
NDLP - Network Data Loss Prevention

Affected versions:
  • All versions of NDLP prior to 9.3.2 or earlier
Protected versions:
  • NDLP version 9.3.2 with hotfix 97697_47171 or later
SIEM – McAfee Security Information and Event Management (SIEM) / Nitro:

Affected Versions:
All current SIEM devices are vulnerable, including:
  • 9.1.x (uses 0.9.8)
  • 9.2.x (uses 1.0.1g)
  • 9.3.x (uses 1.0.1g)
  • 9.4.0 beta (uses 1.0.1g)
Protected Versions:
  • 9.1.4 HF3 or later
  • 9.2.2 HF6 or later
  • 9.3.2 HF11 or later
  • 9.4.0 GA
Does this vulnerability affect McAfee enterprise products?
Yes. All of the affected products are Enterprise products.


How do I know if my McAfee product is vulnerable or not? 
Check your McAfee product version against those in the FAQ section above.

For Endpoint products:
Use the following instructions for endpoint or client based products:
  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, click Action Menu.
  4. In the Action Menu, click Product Details.
  5. The product version is displayed.
For Server products:
  • Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
For ePO integrated products:
  • Create a query in ePO for the product version of the product installed within your organization.
For Appliance based products:
Use the following instructions for Appliance based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link.
  3. The product version is displayed.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.


What are the CVSS scoring metrics that have been used?
The CVSS scores have not all been published yet by MITRE.org or NIST.  Here are the scores provided so far:
 
CVE-2014-0224: Man-in-the-middle (MITM) attack
 
 Base Score 6.8
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) None
 Confidentiality impact Partial
 Integrity impact Partial
 Availability impact Partial
 Temporal Score 6.1
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Unavailable
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: The below CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:U/RC:C)
 

CVE-2014-0221: DoS attack
 
 Base Score 4.3
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) None
 Confidentiality impact None
 Integrity impact None
 Availability impact Partial
 Temporal Score 3.9
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Unavailable
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: The below CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:U/RC:C)
 

CVE-2014-0195: Arbitrary code execution on a vulnerable client or server
 
 Base Score 6.8
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) None
 Confidentiality impact Partial
 Integrity impact Partial
 Availability impact Partial
 Temporal Score 6.1
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Unavailable
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: The below CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:U/RC:C)
 

CVE-2014-0198: DoS attack
 
 Base Score 4.3
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) None
 Confidentiality impact None
 Integrity impact None
 Availability impact Partial
 Temporal Score 3.9
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Unavailable
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: The below CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:U/RC:C)
 

CVE-2010-5298: DoS attack or session injection 

 Base Score 4.0
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) High
 Level of authentication needed (Authentication) None
 Confidentiality impact None
 Integrity impact None
 Availability impact Partial
 Temporal Score 3.6
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Unavailable
 Level of verification that vulnerability exists (ReportConfidence) Confirmed
NOTE: The below CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:P/E:POC/RL:U/RC:C)

 

CVE-2014-3470: DoS attack
 Base Score 4.3
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) None
 Confidentiality impact None
 Integrity impact None
 Availability impact Partial
 Temporal Score 3.9
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Unavailable
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: The below CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:U/RC:C)
 

CVE-2014-0076: Side-channel Attack

 Base Score 4.3
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) None
 Confidentiality impact Partial
 Integrity impact None
 Availability impact None
 Temporal Score 3.9
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Unavailable
 Level of verification that vulnerability exists (ReportConfidence) Confirmed
NOTE: The below CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C)

 
What has McAfee done to resolve the issue?
McAfee has released several product updates to address these security flaws. Additional product updates will be published as they are made available.

How does McAfee respond to this and any other security flaws?
The McAfee key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee's policy is to only publish product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would be informing the hacker community that our products are a target, putting our customers at greater risk. 

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
