Loading...

Knowledge Center


McAfee - Security Bulletin: POODLE Vulnerability
Security Bulletins ID:   SB10090
Last Modified:  1/16/2019
Rated:


Summary

 
 Who Should Read This Document: Technical and Security Personnel
 Impact of Vulnerability: Cryptographic issues (CWE-310)
 CVE Number: CVE-2014-3566
 US CERT Number: OpenSSL Security Advisory 20141015
Microsoft Security Advisory 3009008
Red Hat Article 1232123
 Severity Rating: Medium
 Base / Overall CVSS Score: 4.3/3.7
 Recommendations: Deploy the remediation signatures/rules first. 
Update product patches/hotfixes.
 Security Bulletin Replacement: Related to SB10091
 Caveats: None
 Affected Software: See the McAfee Product Vulnerability Status lists below.
 Location of Updated Software: http://www.mcafee.com/us/downloads/downloads.aspx
 
 
Article contents:
 

Description

Several McAfee products are vulnerable to the POODLE (Padding Oracle on Downgraded Legacy Encryption) vulnerability (CVE-2014-3566). This issue is rated medium severity.  See the McAfee Product Vulnerability Status lists below for the status of each product. See the McAfee Mitigations section below for immediate action.
 
Security researchers at Google have discovered a vulnerability in Secure Sockets Layer (SSL) 3.0 that allows attackers to decrypt encrypted connections to websites. This attack, code named POODLE (CVE-2014-3566), allows attackers to exploit a weakness in the protocol's design to grab victims' session cookies, which are used for logging into webmail and other online accounts over HTTPS. The attack is easy to perform on-the-fly using JavaScript.

This vulnerability is not tied to OpenSSL. It is in the protocol and CBC cypher algorithm. It requires a Man-In-The-Middle attack first to break into a closed system.
 
SSL 3.0 is 18 years old and is a weak protocol. Support for it remains widespread, including support in nearly all browsers. To work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

See SB10091 for information on three SSLv3 vulnerabilities released at the same time as POODLE.

OpenSSL Security Advisory
https://www.openssl.org/news/secadv_20141015.txt
 
Vulnerability ID

CVE-2014-3566 - SSL 3.0 Fallback protection (POODLE)
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf

Common Weakness ID

CWE-310
Cryptographic issues

Detecting Vulnerability
You can use the script below from Red Hat to manually detect the vulnerability:

export hostname=XXXXXXX
if echo Q | openssl s_client -connect $(hostname):443 -ssl3 2> /dev/null | grep -v "Cipher.*0000"; then echo "SSLv3 enabled"; else echo "SSLv3 disabled"; fi

Operating System Vendor Advisories

Microsoft Security Advisory 3009008
https://technet.microsoft.com/en-us/library/security/3009008.aspx

Red Hat Advisory
POODLE: SSLv3 vulnerability (CVE-2014-3566)
https://access.redhat.com/articles/1232123 
 
Investigation into all McAfee products is ongoing. This security bulletin will be updated as additional information and patches are made available. 

The distinction between vulnerable hosts and truly exposed hosts matters with this issue. Products that are vulnerable but have minimal or no exposure are in the Vulnerable but Low Risk list below. Justifications for being in this list are explained in the Product Specific Notes section below.
 

Vulnerable and Updated
  • Content Security Reporter (CSR)
  • Database Activity Monitoring (DAM)
  • Database Vulnerability Manager (DVM)
  • ePolicy Orchestrator (ePO)
  • Email and Web Security (EWS)
  • GTI Proxy 2.0
  • McAfee Email Gateway (MEG)
  • McAfee Vulnerability Manager (MVM)
  • McAfee Web Gateway (MWG)
  • Network Security Manager (NSM)
  • SaaS Account Management (SaaS AM)
  • SaaS Email Archiving (SaaS Archiving)
  • SaaS Email Protection and Continuity (SaaS Email)
  • SaaS Web Protection (SaaS Web)
  • VirusScan Enterprise Linux (VSEL)
 
Vulnerable and Not Yet Updated
  • Global Threat Intelligence (GTI) / GTI Cloud Server (CS) / Artemis
  • McAfee Quarantine Manager (MQM)
  • McAfee Real Time Command (RTC)
  • McAfee Real Time for ePO (RTE)
  • McAfee Security for App Store - Cloud (MSAS)
  • Mobile Cloud (MC)
  • Network Data Loss Prevention (NDLP)
Vulnerable but Low Risk (given standard deployment best practices)
  • McAfee Asset Manager (MAM)

Not Vulnerable
  • Advanced Threat Defense (ATD)
  • Boot Attestation Service (BAS) / Open Virtual Appliance (OVA)
  • Drive Encryption (DE)
  • Endpoint Intelligence Agent (EIA)
  • Endpoint Protection for Mac (EPM)
  • Endpoint Encryption for Files and Folders (EEFF)
  • Endpoint Encryption for Removable Media (EERM)
  • Endpoint Encryption for PCs (EEPC)
  • Endpoint Encryption Manager (EEM)
  • File and Removable Media Protection (FRP)
  • McAfee Agent (MA) / Common Management Agent (CMA)
  • McAfee MOVE AntiVirus Security Virtual Appliance (MOVE SVA)
  • McAfee MOVE AntiVirus Security Virtual Appliance Manager (MOVE SVA Manager)
  • McAfee MOVE Firewall (MOVE Firewall)
  • Network Security Platform (NSP) Sensor
  • Network Threat Behavior Analysis (NTBA)
  • VirusScan for Mac (VSMac)
  • Trusted Source Software Development Kit (TS-SDK)
For a description of each product, see: http://www.mcafee.com/us/apps/products-az.aspx.
 
 

Remediation

Go to the Product Downloads site and download the applicable product patch/hotfix file:
Product Type Patch Version File Name Release Date
CSR Hotfix 2.1.0 build 291 Content Security Reporter 2.1.0 (build 291) November 4, 2014
DAM Config N/A See the configuration settings in the Product Specific Notes section below. October 22, 2014
DVM Config N/A See the configuration settings in the Product Specific Notes section below. October 22, 2014
ePO Config 5.x See the configuration settings in the Product Specific Notes section below. November 14, 2014
EWS Hotfix 5.6 EWS-5.6h1014814-2964.109  
GTI Proxy 2.0 Cloud Update   MLOS Update for GTI Proxy 2.0. November 24, 2014
MEG Version Update 7.6.x
7.5.x
7.0.x
MEG-7.6.2h1014803-3044.120 or MEG-7.6.3RTW1-3173.100
MEG-7.5.4h1014806-3088.113
MEG-7.0.5h1014812-2934.114
November 3, 2014
MVM Version Update 7.5.8   February 9, 2015
MWG Patch 7.3.x
7.4.x
7.5.x
MWG 7.3.2.12 Build 18436
MWG 7.4.2.4 Build 18437
MWG 7.5.0.1 Build 18435
October 29, 2014
NSM Hotfix 7.1.5.15.5, 7.5.5.10.8, 8.1.7.13, 8.2.7.5   November 26, 2014
VSEL Hotfix 1.7.1 HF1017268 November 17, 2014
VSEL Hotfix 1.9.0 HF1017264 November 17, 2014
VSEL Hotfix 2.0.1 HF1017258 November 17, 2014
 
 
 
Product Specific Notes
  • CSR
    CSR is vulnerable to POODLE. By default, SSLv2 and SSLv3 are enabled on the underlying JBoss application server. Various client components are vulnerable as well.

    A hotfix has been released to fix POODLE. See KB83301.
     
  • DAM / DVM
    Both DAM and DVM are vulnerable. To mitigate this vulnerability, see KB83282.
     
  • ePO
    ePO 5.0.1 versions and later may become vulnerable, if they have been upgraded from a previous ePO 4.x version. This is due to a non-migrated Java security setting introduced in ePO 5.0.1. You can mitigate the vulnerability with ePO 5.0.1 and later by applying the following mitigation steps. ePO 5.1.2 and later has the appropriate Java security setting applied by default.

    Mitigation:
    See KB83240 for details on what manual steps are needed to protect ePO 5.0.1 and later servers against SSLv3 POODLE attacks.
     
  • EWS
    EWS 5.6 is vulnerable. A patch is available for download.
     
  • GTI Cloud / TS-SDK
    GTI Cloud and the TS SDK are both vulnerable. They will be patched after the MWG product is patched.

    McAfee GTI Proxy 2.0 provides an SSH interface for administration. The OpenSSL associated with SSH is susceptible to CVE-2014-3566 (POODLE). OpenSSL enabled communication channels for GTI File Reputations (through DTLS channels) are not susceptible to CVE-2014-3566 (POODLE). An appliance operating system update is available.
     
  • MAM
    MAM 6.6 is vulnerable to POODLE. MAM uses Debian Linux. Debian has not yet patched CVE-2014-3566. See https://security-tracker.debian.org/tracker/CVE-2014-3566.
     
  • MEG
    • MEG 7.0 is vulnerable. McAfee is investigating a workaround.
    • MEG 7.5 and MEG 7.6 are configured to use SSL 3.0 by default. Customers can change the configuration value to disable SSL v3.
    • Patches for MEG 7.3.x, 7.4.x, and 7.5.x are available for download.
    • MEG 7.6.3 has been fully released. It contains a fix for the POODLE vulnerability. For a full list of changes and upgrade instructions, see the Release Notes in PD25527. For a list of known issues, see KB81276.
       
  • Mobile Cloud
    The Mobile Cloud web services SSL/TLS connections are terminated at the load balancers (F5). MC is vulnerable to CVE-2014-3566. In addition, SSLv3 is currently enabled on the load balancers.
     
  • MQM
    MQM is currently using OpenSSL to provide secure SMTP access to a remote SMTP server when delivering reports and is vulnerable. v7.0.1 rollup-1 is vulnerable to CVE-2014-3566.
     
  • MSAS
    The MSAS web services SSL/TLS connections are terminated at the load balancers (F5). MSAS is vulnerable to CVE-2014-3566. In addition, SSLv3 is currently enabled on the load balancers.
     
  • MVM
    MVM is vulnerable to POODLE. By default, SSLv2 and SSLv3 are enabled on MVM Enterprise Manager. A fix is available in MVM 7.5.8.
     
  • MWG
    Some components are vulnerable to POODLE. Patches are available for download.
  • NDLP
    NDLP is vulnerable to POODLE. A fix is being developed.
      
  • NSM
    NSM was found vulnerable and is remediated with a hotfix. NSM's OpenSSL code was upgraded to 0.98zc (NSM v6.x) and 1.0.1j (NSM 7.x/8.x).
     
  • SIEM
    SIEM’s default HTTPS configuration does NOT support SSL-3, so CVE-2014-3566 (POODLE) does not apply to SIEM versions 9.1.4, 9.2.2, 9.3.2, or 9.4.x.
      
  • VSEL
    VSEL is vulnerable to POODLE. Hotfixes are available for download.
 
Product Download Instructions
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
  3. Provide your valid McAfee Grant Number. *
  4. Click your product suite.
  5. Click the applicable product and click I Agree.
  6. Click the Patches tab and click the link to download the product .ZIP file under the Product column.
* NOTE: The Content and Cloud Security portal does not require a McAfee Grant number; however, customers have received login credentials together with their MWG license.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.

For instructions on how to install / upgrade these hotfixes / patches, please review the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the same steps above.

Workaround

OpenSSL has published updates to address these issues in OpenSSL v0.9.8zc and 1.0.1j. Customers should patch products that are using a vulnerable version of OpenSSL.

 

In addition to patching products, McAfee recommends that customers disable SSL 3.0 by default.  Disabling SSL 3.0 may cause compatibility and availability issues.  You must choose between security and availability when it comes to using this weak and obsolete protocol.

Action can be taken on endpoint computers by reconfiguring the browser to disable SSL 3.0.

How to Disable SSL 3.0 in Microsoft Internet Explorer:
All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability.
Microsoft Security Advisory 3009008
https://technet.microsoft.com/en-us/library/security/3009008.aspx

How to Disable SSL 3.0 in Google Chrome:
Chrome users can disable SSLv3 by using the command line flag --ssl-version-min=tls1. (Chrome used to have an entry in the preferences for that, but users thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.)

Mitigations
Several McAfee products have signatures to detect or help mitigate this vulnerability. These include:

Download the latest content for each and enable the checks if they are not enabled by default.

Acknowledgements

The POODLE vulnerability was first discovered by several researchers at Google, including Bodo Möller, Thai Duong, and Krzysztof Kotowicz. See http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html.
 

These vulnerabilities were first disclosed by the OpenSSL Project in a security advisory on October 15, 2014. See https://www.openssl.org/news/secadv_20141015.txt.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
See the Product Specific Notes section above. 
McAfee recommends that all customers verify that they have applied the latest updates.

 

Does this vulnerability affect McAfee enterprise products?
Yes. Several enterprise products are vulnerable. No consumer products are vulnerable.

How do I know if my McAfee product is vulnerable or not?

For Endpoint products:
Use the following instructions for endpoint or client based products:

  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, select Action Menu.
  4. In the Action Menu, select Product Details. The product version is displayed.

For ePO / Server products:
Use the following instructions for server based products:

  • Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
  • Or, create a query in ePO for the product version of the product installed within your organization.

For Appliances:
Use the following instructions for Appliance based products:

  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version is displayed.


What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

CVE-2014-3566: SSL 3.0 Fallback protection

 

 Base Score 4.3
 Related exploit range (AccessVector)  Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication)  None
 Confidentiality impact  Partial
 Integrity impact  None
 Availability impact  None
 Temporal Score 3.7
 Availability of exploit (Exploitability)  Unproven that exploit exists
 Type of fix available (RemediationLevel)  Temporary fix
 Level of verification that vulnerability exists (ReportConfidence)  Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:T/RC:C)
 
What has McAfee done to resolve the issue?
McAfee will be releasing several product updates to address this security flaw.
 
Several signatures and rules have been created for McAfee products to detect and block this vulnerability.

Where do I download the fix?
You can download the fix from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download. 

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers.  In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan.
 
McAfee only publishes product vulnerability bulletins together with an actionable workaround, hotfix, patch, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. 
 
McAfee may publish lists of known vulnerable and not vulnerable products if the product vulnerability is already generally known publicly, but no actionable workaround is ready yet.
 

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
 
Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision.  The product release dates are for information purposes only, and may not be incorporated into any contract.  The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality.  The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.

Rate this document

Languages:

This article is available in the following languages:

English United States
Japanese

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.