McAfee Security Bulletin - File and Removable Media Protection update addresses a brute-force attack on weak user passwords (CVE-2014-8518)
Security Bulletins ID:   SB10089
Last Modified:  7/13/2018

Summary

Who Should Read This Document: Technical and Security Personnel
Impact of Vulnerability: Insufficient Entropy (CWE-331)
CVE Number: CVE-2014-8518
US CERT Number: None
Severity Rating: Medium
Base / Overall CVSS Score: 6.3 / 5.2
Recommendations: Update to the hotfix that is appropriate for the product version installed. Refer to KB83095 for further information.
Security Bulletin Replacement: None
Caveats: None
Affected Software: EEFF 3.2.x, 4.0.x, 4.1.x, 4.2.x; FRP 4.3.0.x
Location of Updated Software: www.mcafee.com/us/downloads/downloads.aspx

Description

CVE-2014-8518
The (1) Removable Media and (2) CD and DVD encryption offsite access options (formerly Endpoint Encryption for Removable Media or EERM) in McAfee File and Removable Media Protection (FRP) 4.3.0.x, and Endpoint Encryption for Files and Folders (EEFF) 3.2.x through 4.2.x, uses a hard-coded salt, which makes it easier for local users to obtain passwords via a brute force attack.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8518

A security enhancement update is available for Endpoint Encryption for Files and Folders (EEFF) / File and Removable Media Protection (FRP) that increases the overall security of USB devices and CDs/DVDs by making it harder for attackers to perform a brute-force attack on the user's password, especially where the user's password is relatively weak.

EEFF/FRP now uses a strong implementation of PBKDF2. For more information about PBKDF2, see http://en.wikipedia.org/wiki/PBKDF2.
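The following added example (not McAfee code, and not taken from the product) illustrates the two points this bulletin makes: why a salt that is fixed across all volumes weakens password-based key derivation, and what a corrected derivation with a per-volume random salt and PBKDF2 looks like. The header layout, the `HARDCODED_SALT` stand-in, the iteration count and the function names are all constructed for the illustration; nothing here reflects the real on-disk format or parameters of EEFF/FRP.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Parameters assumed for this illustration only (not the McAfee product's values).
ITERATIONS = 50_000          # PBKDF2 iteration count; tune upward for production use
KEY_LEN = 32                 # derived key length in bytes
MIN_SALT_LEN = 16            # constructed audit policy: salts shorter than this are flagged
MIN_ITERATIONS = 10_000      # constructed audit policy: lower counts are flagged
# Constructed stand-in for a salt compiled into every copy of a program.
HARDCODED_SALT = b"CONSTRUCTED-FIXED-SALT"


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 via the standard library.

    The cost of the derivation is paid once per (password, salt) pair, so the salt
    decides whether work done against one volume carries over to another.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)


def _build_header(password: str, salt: bytes) -> dict:
    """Simulated removable-media header: salt, iteration count and a key verifier."""
    return {"salt": salt, "iterations": ITERATIONS, "verifier": derive_key(password, salt)}


def protect_volume_fixed_salt(password: str) -> dict:
    """Weak configuration: every volume shares one salt (the pattern CVE-2014-8518 describes)."""
    return _build_header(password, HARDCODED_SALT)


def protect_volume_random_salt(password: str) -> dict:
    """Corrected configuration: a fresh random salt is generated and stored per volume."""
    return _build_header(password, os.urandom(16))


def unlock(header: dict, password: str) -> bool:
    """Re-derives the key from the stored salt and compares it in constant time."""
    candidate = derive_key(password, header["salt"], header["iterations"])
    return hmac.compare_digest(candidate, header["verifier"])


def keys_collide(header_a: dict, header_b: dict) -> bool:
    """True when two volumes end up with the same derived key.

    With a shared salt, identical passwords always collide, so one precomputed
    dictionary serves every volume; with per-volume salts they never do.
    """
    return header_a["verifier"] == header_b["verifier"]


def audit_header(header: dict) -> List[str]:
    """Defender-side check of a header against the constructed policy above."""
    findings = []
    if header["salt"] == HARDCODED_SALT:
        findings.append("hard-coded salt")
    if len(header["salt"]) < MIN_SALT_LEN:
        findings.append("salt too short")
    if header["iterations"] < MIN_ITERATIONS:
        findings.append("iteration count too low")
    return findings


if __name__ == "__main__":
    pw = "correct horse"          # constructed sample password
    fixed_a, fixed_b = protect_volume_fixed_salt(pw), protect_volume_fixed_salt(pw)
    rand_a, rand_b = protect_volume_random_salt(pw), protect_volume_random_salt(pw)
    print("fixed salt, same password, keys collide:", keys_collide(fixed_a, fixed_b))
    print("random salt, same password, keys collide:", keys_collide(rand_a, rand_b))
    print("unlock with correct password:", unlock(rand_a, pw))
    print("audit of fixed-salt header:", audit_header(fixed_a))
```

The `audit_header` check is the part a practitioner would adapt: given a way to read a volume's stored derivation parameters, it flags a salt that matches a known constant, a short salt, or a low iteration count, which are the three properties the hotfix described above changes.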

This security enhancement update is applicable only to customers who are using the Removable Media or CD/DVD encryption (offsite access options) with password as either the authentication or recovery mechanism. The offsite access options were formerly referred to as EERM (Endpoint Encryption for Removable Media). This update does not affect the other features/functionality of the product.

NOTES:
  • If you are not using these features, or if you are using the certificate-based authentication mechanism, EEFF/FRP is unaffected and you may ignore this update.
  • EEFF is now known as File and Removable Media Protection (FRP). The first release to adopt the new product name is FRP 4.3.

Remediation

Refer to the following KnowledgeBase article for detailed instructions to install the EEFF/FRP hotfix that is appropriate for the current version of the product that is installed. Additionally, the article contains a list of related FAQs.

KB83095 - Security Enhancement for Endpoint Encryption for Files and Folders and File and Removable Media Protection

Workaround

None. Install the provided hotfix update.

Mitigations
Irrespective of this security enhancement, password strength is important. McAfee recommends a strong password policy for the authentication/recovery mechanism of encrypted USB devices and CDs/DVDs. See KB83095 for more information.

Acknowledgements

McAfee credits Matthias Deeg from SySS GmbH for reporting this weakness.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
The following McAfee products are affected:

  • McAfee Endpoint Encryption for Files and Folders (EEFF)
  • McAfee File and Removable Media Protection (FRP)
Affected Versions:
  • EEFF 3.2.x
  • EEFF 4.0.x, 4.1.x, 4.2.x
  • FRP 4.3.0.x
Protected Versions:
Refer to KnowledgeBase article KB83095 to identify and download the appropriate hotfix version to use.

McAfee recommends that all customers verify that they have applied the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes. EEFF and FRP are enterprise products.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

Base Score: 6.3
  Related exploit range (AccessVector): Local
  Attack complexity (AccessComplexity): Medium
  Level of authentication needed (Authentication): None
  Confidentiality impact: Complete
  Integrity impact: Complete
  Availability impact: None
Temporal Score: 5.2
  Availability of exploit (Exploitability): Functional exploit exists
  Type of fix available (RemediationLevel): Official fix
  Level of verification that vulnerability exists (ReportConfidence): Confirmed

What has McAfee done to resolve the issue?
McAfee has released security enhancement hotfixes for EEFF 3.2.9, EEFF 4.2, and FRP 4.3 to address this security vulnerability. Refer to KnowledgeBase article KB83095 for further information.

Where do I download the fix?
You can download the fix from: http://mcafee.com/us/downloads/downloads.aspx.
You will need to provide your McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx

To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com

For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx

For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright

For patents protecting this product, see your product documentation.

Disclaimer

McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.
