McAfee Security Bulletin - Three SSLv3 Vulnerabilities
Security Bulletins ID:   SB10091
Last Modified:  11/8/2018

Summary

 
Who Should Read This Document: Technical and Security Personnel
Impact of Vulnerability: Input Validation (CWE-20); Resource Management Errors (CWE-399); Cryptographic Issues (CWE-310)
CVE Numbers: CVE-2014-3513, CVE-2014-3567, CVE-2014-3568
Related Advisories: OpenSSL Security Advisory 20141015; Microsoft Security Advisory 3009008; Red Hat Article 1232123
Severity Rating: High
Base / Overall CVSS Score: CVE-2014-3513: 7.1 / 5.3; CVE-2014-3567: 7.1 / 5.3; CVE-2014-3568: 4.3 / 3.2
Recommendations: Deploy the remediation signatures/rules first. Update product patches/hotfixes.
Security Bulletin Replacement: Related to SB10090
Caveats: CVSS scores adjusted to match nvd.NIST.gov
Affected Software: See the McAfee Product Vulnerability Status lists below.
Location of Updated Software: http://www.mcafee.com/us/downloads/downloads.aspx
 
 

Description

Several McAfee products are vulnerable to one or more of the three OpenSSL vulnerabilities disclosed in the OpenSSL Security Advisory of October 15, 2014, released alongside the SSL 3.0 (SSLv3) POODLE issue. The two memory leaks carry a CVSS v2 base score of 7.1 and the no-ssl3 build flaw 4.3 (see the CVSS metrics in the FAQ below), which gives this bulletin its overall High rating. See the McAfee Product Vulnerability Status lists below for the status of each product, and the McAfee Mitigations section below for immediate action.
 
SSL 3.0 is 18 years old and a weak protocol, yet support for it remains widespread, including in nearly all browsers. To work around bugs in HTTPS servers, browsers retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, the attacker can force a downgrade to SSL 3.0 and then exploit its weaknesses (the POODLE attack; see SB10090).

Two of the OpenSSL vulnerabilities (CVE-2014-3513 and CVE-2014-3567) are memory leaks in server-side handshake processing that an unauthenticated remote client can trigger repeatedly, so they are usable for Denial-of-Service attacks.

The third vulnerability (CVE-2014-3568) is a build-option flaw: an OpenSSL built with "no-ssl3" could still accept and complete an SSL 3.0 handshake, so a server that believed it had disabled the protocol remained exposed to version-downgrade attacks. The same OpenSSL release also added support for TLS_FALLBACK_SCSV, a signalling cipher suite value that a client includes when it retries a handshake at a lower protocol version; a server that supports a higher version must then reject the connection with an inappropriate_fallback alert, which stops an on-path attacker from forcing a fallback to SSL 3.0.

Because transport encryption between McAfee product components is generally confined to TLS, the risk of exploitation of CVE-2014-3568 is considerably lower. In McAfee products both the client and the server support TLS versions that are not affected, so no fallback to SSL 3.0 occurs without direct attacker intervention. Such intervention requires an attacker-controlled network device or HTTPS proxy on the TCP path. TLS between McAfee-built clients and servers traversing standard common carriers or an internal, trusted network is therefore unlikely to be exploitable.

See SB10090 for information on the POODLE vulnerability released at the same time as these three SSLv3 vulnerabilities.
 
Vulnerability IDs

CVE-2014-3513 - SRTP Memory Leak
A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3513

CVE-2014-3567 - Session Ticket Memory Leak
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3567

CVE-2014-3568 - Build option no-ssl3 is incomplete
When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3568

Common Weakness IDs

CWE-399
Resource Management Errors
http://cwe.mitre.org/data/definitions/399.html

Detecting Vulnerability
You can use the following check, adapted from Red Hat, to test manually whether a server still completes an SSL 3.0 handshake. This is relevant to CVE-2014-3568 and POODLE; it says nothing about the two memory leaks, which require checking the OpenSSL version in use. A negotiated session prints a real cipher name in the SSL-Session block; a refused one prints "Cipher : 0000":
export hostname=XXXXXXX
if echo Q | openssl s_client -connect "${hostname}:443" -ssl3 2> /dev/null | grep -q "Cipher *: [^0]"; then echo "SSLv3 enabled"; else echo "SSLv3 disabled"; fi
An openssl binary built without SSL 3.0 support rejects the -ssl3 option, and the check then reports "SSLv3 disabled" regardless of what the server does; run it from a host whose openssl still speaks SSL 3.0.
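The fallback protection described in the Description and the s_client check above can both be exercised at the protocol level without relying on the local openssl build. The following Python 3 script is an added example written for this page; it is not McAfee's or Red Hat's code and is not taken from any McAfee product. It builds a raw SSL 3.0 ClientHello (record and handshake layouts per RFC 6101, TLS_FALLBACK_SCSV per RFC 7507), sends it to a host of your choosing, and classifies the first record that comes back: a ServerHello at version 0x0300 means the server still completes SSL 3.0 handshakes; an inappropriate_fallback alert (86) means the server implements TLS_FALLBACK_SCSV; any other alert or a dropped connection means SSL 3.0 is refused. The cipher-suite list is an assumption about what a 2014-era server accepted, and the sample replies at the bottom are constructed so the parser can run offline.

```python
"""Raw SSL 3.0 ClientHello probe: does a server complete an SSLv3 handshake,
and does it honour TLS_FALLBACK_SCSV (RFC 7507)?  Added example, not vendor code."""
import os
import socket
import struct

SSL3_VERSION = 0x0300
CONTENT_ALERT, CONTENT_HANDSHAKE = 0x15, 0x16
HANDSHAKE_CLIENT_HELLO, HANDSHAKE_SERVER_HELLO = 0x01, 0x02
TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86   # alert an RFC 7507 server must send on a downgraded retry
# Assumed SSLv3-era suites (AES256-SHA, AES128-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5).
CIPHER_SUITES = (0x0035, 0x002F, 0x000A, 0x0005, 0x0004)


def build_client_hello(send_fallback_scsv=False, client_random=None):
    """Return one SSLv3 handshake record carrying a ClientHello (no extensions;
    SSL 3.0 predates them).  With the SCSV appended, the hello announces itself
    as a downgraded retry, which a server supporting TLS must refuse."""
    suites = list(CIPHER_SUITES) + ([TLS_FALLBACK_SCSV] if send_fallback_scsv else [])
    client_random = os.urandom(32) if client_random is None else client_random
    body = struct.pack("!H", SSL3_VERSION) + client_random
    body += b"\x00"                                             # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                         # one compression method: null
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", SSL3_VERSION, len(handshake)) + handshake


def classify_response(data):
    """Map the first record a server sends back to a verdict string."""
    if len(data) < 5:
        return "no_response"
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    frag = data[5:5 + length]
    if ctype == CONTENT_ALERT and len(frag) >= 2:
        description = frag[1]                                   # frag[0] is the alert level
        if description == ALERT_INAPPROPRIATE_FALLBACK:
            return "fallback_scsv_enforced"
        return "sslv3_refused:alert_%d" % description           # e.g. 40 handshake_failure, 70 protocol_version
    if ctype == CONTENT_HANDSHAKE and frag and frag[0] == HANDSHAKE_SERVER_HELLO:
        body = frag[4:4 + int.from_bytes(frag[1:4], "big")]
        server_version = struct.unpack("!H", body[:2])[0]
        session_id_len = body[34]                               # after 2-byte version + 32-byte random
        suite = struct.unpack("!H", body[35 + session_id_len:37 + session_id_len])[0]
        if server_version == SSL3_VERSION:
            return "sslv3_enabled:suite_0x%04x" % suite
        return "unexpected_version_0x%04x" % server_version
    return "unexpected_record_type_%d" % ctype


def probe(host, port=443, send_fallback_scsv=False, timeout=5.0):
    """Send one ClientHello to a live server and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(send_fallback_scsv=send_fallback_scsv))
            return classify_response(sock.recv(4096))
    except (ConnectionResetError, socket.timeout):
        return "no_response"                                    # hardened stacks often just drop SSLv3


# Constructed sample replies (not captured from any real product) so the parser runs offline.
def sample_server_hello(suite=0x0035):
    body = struct.pack("!H", SSL3_VERSION) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", SSL3_VERSION, len(handshake)) + handshake


def sample_alert(description, level=2):
    return bytes([CONTENT_ALERT]) + struct.pack("!HH", SSL3_VERSION, 2) + bytes([level, description])


if __name__ == "__main__":
    for name, reply in [("SSLv3 completes", sample_server_hello()),
                        ("RFC 7507 server", sample_alert(ALERT_INAPPROPRIATE_FALLBACK)),
                        ("SSLv3 disabled", sample_alert(40))]:
        print("%-16s -> %s" % (name, classify_response(reply)))
    # Live use: probe("host.example") and probe("host.example", send_fallback_scsv=True)
```

Run probe(host) and probe(host, send_fallback_scsv=True) together. A server still exposed to CVE-2014-3568 answers the first with a ServerHello; a server whose SSL 3.0 is genuinely off refuses both; a server that still enables SSL 3.0 but runs OpenSSL 1.0.1j or later with RFC 7507 support answers the second with alert 86. Only probe hosts you are authorised to test.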


McAfee Product Vulnerability Status
Investigation into all McAfee products is ongoing. This security bulletin will be updated as additional information and patches are made available. 

The distinction between vulnerable hosts and truly exposed hosts matters with this issue. Several products are vulnerable in principle but have minimal or no exposure; the justification for each is given in the Product Specific Notes section below.
 

Vulnerable and Updated
  1. ePolicy Orchestrator (ePO)
  2. Email and Web Security (EWS)
  3. McAfee Asset Manager (MAM)
  4. McAfee Email Gateway (MEG)
  5. McAfee Security Information and Event Management (SIEM) / Nitro
  6. Network Security Manager (NSM)
  7. VirusScan Enterprise Linux (VSEL)
  8. Threat Intelligence Exchange (TIE) Server
Vulnerable and Not Yet Updated
  1. Advanced Threat Defense (ATD)
  2. Global Threat Intelligence (GTI) / GTI Cloud Server (CS) / Artemis
  3. McAfee Quarantine Manager (MQM)
  4. McAfee Security for App Store - Cloud (MSAS)
  5. McAfee Web Gateway (MWG)
  6. Mobile Cloud (MC)
Not Vulnerable
  1. Boot Attestation Service (BAS) / Open Virtual Appliance (OVA)
  2. Database Activity Monitoring (DAM)
  3. Database Vulnerability Manager (DVM)
  4. Endpoint Intelligence Agent (EIA)
  5. Endpoint Protection for Mac (EPM)
  6. GTI Proxy 2.0
  7. McAfee Agent (MA) / Common Management Agent (CMA)
  8. McAfee MOVE AntiVirus Security Virtual Appliance (MOVE SVA)
  9. McAfee MOVE AntiVirus Security Virtual Appliance Manager (MOVE SVA Manager)
  10. McAfee MOVE Firewall (MOVE Firewall)
  11. McAfee Real Time Command (RTC)
  12. McAfee Real Time for ePO (RTE)
  13. Network Data Loss Prevention (NDLP)
  14. Network Security Platform (NSP) Sensor
  15. SaaS Account Management (SaaS AM)
  16. SaaS Email Archiving (SaaS Archiving)
  17. SaaS Email Protection and Continuity (SaaS Email)
  18. SaaS Web Protection (SaaS Web)
  19. VirusScan for Mac (VSMac)
For a description of each product, see: http://www.mcafee.com/us/apps/products-az.aspx.

Product Vulnerability Summary Table
 
Products vulnerable to each CVE:

CVE-2014-3513: SRTP Memory Leak
    ePO, EWS, GTI, MAM, MC, MEG, MSAS, MWG, SIEM, VSEL

CVE-2014-3567: Session Ticket Memory Leak
    ATD, ePO, EWS, GTI, MAM, MC, MEG, MSAS, MVM, MWG, NTBA, SIEM, TIE, VSEL

CVE-2014-3568: Build option no-ssl3 is incomplete
    EWS, GTI, MAM, MC, MEG, MQM, MSAS, MWG, TIE
 

Remediation

Go to the McAfee Downloads site and download the applicable product patch/hotfix file:
 
Product    | Type    | Patch Version                             | File Name                                     | Release Date
ePO        | Hotfix  | 1014944 for 4.6.x – 5.1.1                 | 1014944                                       | November 5, 2014
EWS        | Hotfix  | 5.6                                       | EWS-5.6h1014814-2964.109.zip                  | October 29, 2014
MAM 6.6    | Hotfix  | Hotfix 7                                  | mam_hotfix_pack7.sh                           | June 23, 2015
MEG        | Hotfix  | 7.0                                       | MEG-7.0.5h1014812-2934.114.zip                | October 29, 2014
MEG        | Hotfix  | 7.5                                       | MEG-7.5.4h1014806-3088.113.zip                | October 29, 2014
MEG        | Hotfix  | 7.6                                       | MEG-7.6.2h1014803-3044.120.zip                | October 29, 2014
MWG        | Patch   | 7.5.0.1 build 18435                       |                                               | October 29, 2014
MWG        | Patch   | 7.4.2.4 build 18437                       |                                               | October 29, 2014
MWG        | Patch   | 7.3.2.12 build 18436                      |                                               | October 29, 2014
NSM        | Hotfix  | 7.1.5.15.5, 7.5.5.10.8, 8.1.7.13, 8.2.7.5 |                                               | November 26, 2014
SIEM       | Hotfix  | 9.4.1-hf2                                 | Build stamp 20141017094914                    | October 17, 2014
SIEM       | Hotfix  | 9.3.2-hf16                                | Build stamp 20141017094446                    | October 17, 2014
TIE Server | Release | 2.0.0.645                                 | TIE Platform 2.0.0.645 / TIE Server 2.0.0.645 | October 3, 2016
VSEL       | Hotfix  | 1.7.1                                     | HF1017268                                     | November 17, 2014
VSEL       | Hotfix  | 1.9.0                                     | HF1017264                                     | November 17, 2014
VSEL       | Hotfix  | 2.0.1                                     | HF1017258                                     | November 17, 2014
 
 
Product Specific Notes
  • ATD
    ATD is vulnerable to CVE-2014-3567 only.
     
  • ePO
    ePO is vulnerable to CVE-2014-3513 and CVE-2014-3567, but not to CVE-2014-3568. A hotfix is available.

    The following KB article has been created for this release:
      PD25538 - ePolicy Orchestrator Hotfix 1014944 Release Notes

    You can apply the hotfix to the following versions of the product:
    • McAfee ePolicy Orchestrator 4.6.x
    • McAfee ePolicy Orchestrator 5.0.x
    • McAfee ePolicy Orchestrator 5.1.0
    • McAfee ePolicy Orchestrator 5.1.1
    • All remote agent handlers for the versions above
     
  • EWS
    EWS 5.6 is vulnerable to CVE-2014-3567, but not CVE-2014-3513 and CVE-2014-3568. Hotfixes are available.
     
  • MC
    MC is vulnerable to all three CVEs.
     
  • MAM
    MAM 6.6 is vulnerable to all three CVEs. MAM uses Debian Linux. Debian has patched CVE-2014-3513, but not the other two CVEs. See https://security-tracker.debian.org/tracker/CVE-2014-3513. A MAM patch is available for download.

    MAM 6.6 Hotfix 7 has superseded the release previously posted in this article.  Hotfix 7 is a rollup that includes the content from hotfixes 1-6.
     
  • MEG
    • MEG 7.0 is vulnerable to CVE-2014-3567, but not CVE-2014-3513 and CVE-2014-3568. A hotfix is available
    • MEG 7.5 and MEG 7.6 will fall back to using SSLv3. Customers can change the configuration value to disable SSL v3. See KB83165 for instructions. Hotfixes are available.
       
  • Mobile Cloud
    The Mobile Cloud web services SSL/TLS connections are terminated at the load balancers (F5). MC is vulnerable to CVE-2014-3513, CVE-2014-3567, and CVE-2014-3568.
     
  • MQM
    MQM uses OpenSSL to provide secure SMTP access to remote SMTP servers when delivering reports. Version 7.0.1 rollup-1 is vulnerable to CVE-2014-3568 but not to the other two CVEs, because MQM uses OpenSSL only as a client, not as a server, and the two memory leaks are in server-side handshake processing.
     
  • MSAS
    The MSAS web services SSL/TLS connections are terminated at the load balancers (F5). MSAS is vulnerable to all three CVEs.
     
  • MVM
    MVM is vulnerable to CVE-2014-3567 only. FSL scripts have been provided to detect all three CVEs.
     
  • MWG
    MWG may be vulnerable to CVE-2014-3513 and CVE-2014-3567, and is vulnerable to CVE-2014-3568.
     
  • NDLP
    NDLP is not vulnerable to any of these three CVEs. McAfee initially thought it was vulnerable to CVE-2014-3567; however, upon further investigation we determined that session ticket support was added to OpenSSL after 0.9.8e (in 0.9.8f), and NDLP uses OpenSSL 0.9.8e.
  • NSM
    NSM was found vulnerable and is remediated with a hotfix. NSM's bundled OpenSSL was upgraded to 0.9.8zc (NSM 6.x) and 1.0.1j (NSM 7.x/8.x).
     
  • NTBA
    NTBA is vulnerable to CVE-2014-3567 only.
     
  • SIEM
    All SIEM appliances require an update to OpenSSL 1.0.1j to address CVE-2014-3513 and CVE-2014-3567. Patches are now available for the supported versions: 9.4.x and 9.3.2.

    SIEM is not vulnerable to CVE-2014-3568.

    SIEM does not put “hotfix” numbers in the product. The full build stamp for a SIEM appliance is on its System Information tab in the System Properties dialog. Example: Version 9.4.1 Build 20141017094914.

    Unsupported version notices:
    • The official fix for 9.4.0 is to update to 9.4.1.
      • McAfee plans to release a hotfix for 9.4.0 by October 24, 2014. This hotfix will only be available by contacting support.
      • Version 9.4.0 is supported via the 9.4.1 release.
    • The official fix for all versions prior to 9.3.2 is to upgrade to 9.4.1.
      • McAfee plans to release hotfixes for 9.2.2 and 9.1.4 by October 24, 2014. These hotfixes will only be available by contacting support.
      • All versions prior to 9.3.2 are officially unsupported.
         
  • VSEL
    VSEL is vulnerable to CVE-2014-3513 and CVE-2014-3567, but not to CVE-2014-3568. Hotfixes are available for download.
McAfee Product Download Instructions
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
  3. Provide your valid McAfee Grant Number. *
  4. Click your product suite.
  5. Click the applicable product and click I Agree.
  6. Click the Patches tab and click the link to download the product .ZIP file under the Product column.
* NOTE: The Content and Cloud Security portal does not require a McAfee Grant number; however, customers have received login credentials together with their MWG license.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.

For instructions on how to install / upgrade these hotfixes / patches, please review the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the same steps above.

Workaround

OpenSSL has published updates that address these issues in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j. Customers should patch products that use a vulnerable version of OpenSSL.

In addition to patching products, McAfee recommends that customers disable SSL 3.0. Disabling SSL 3.0 may cause compatibility and availability issues with legacy clients; you must weigh security against availability when deciding whether to keep this weak and obsolete protocol enabled.

Action can be taken on endpoint computers by reconfiguring the browser to disable SSL 3.0.

How to Disable SSL 3.0 in Microsoft Internet Explorer:
All supported versions of Microsoft Windows implement SSL 3.0 and are affected by the SSL 3.0 fallback issue. Follow the workarounds in Microsoft Security Advisory 3009008:
https://technet.microsoft.com/en-us/library/security/3009008.aspx

How to Disable SSL 3.0 in Google Chrome:
Chrome users can disable SSLv3 with the command-line flag --ssl-version-min=tls1. (Chrome previously had a preferences entry for this, but users took "SSL 3.0" to be a higher version than "TLS 1.0" and mistakenly disabled the latter.) Later Chrome releases removed SSL 3.0 support altogether, so the flag is only needed on builds from 2014.

Mitigations
Several McAfee products have signatures to detect or help mitigate these vulnerabilities. These include:

  • AV - AntiVirus
    • Includes all McAfee AntiVirus products, including VSE, McAfee AntiVirus Plus, and MWG.
    • 7573 DAT – Detects the payload samples seen from exploitation of the Bash (Shellshock) vulnerability; samples are detected as "Linux/Dingle". This DAT content targets Shellshock payloads rather than the OpenSSL issues in this bulletin.
         
  • MVM – McAfee Vulnerability Manager
    • FSL scripts detect all three CVEs (see the MVM product note above).
     
  • NSP – Network Security Platform
     
  • SIEM – Security Information and Event Management
    • Eight signature detection rules for the NitroGuard IPS / NitroSecurity IPS / McAfee NTP are available for download via the SIEM rule server
    • Signatures:
      • Two (2) for options in DHCP ACK messages
      • Six (6) for web traffic, examining URIs, HTTP headers, cookies, bodies, and the HTTP Version number
         
  • TIE – Threat Intelligence Exchange Server
    1. Log on as root and set ssl_ciphers = 'TLSv1.2:!aNULL:!eNULL' in /data/tieserver_pg/postgresql.conf. The TLSv1.2 keyword in an OpenSSL cipher string selects only suites defined for TLS 1.2, none of which an SSL 3.0 client can negotiate, so the PostgreSQL listener can no longer complete an SSL 3.0 handshake.
    2. Restart TIE Server by running service tieserver stop && service tieserver start.

Download the latest content for each and enable the checks if they are not enabled by default.

Acknowledgements

These vulnerabilities were first disclosed by the OpenSSL Project in a security advisory on October 15, 2014.  See https://www.openssl.org/news/secadv_20141015.txt

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
See the Product Specific Notes section above. 
McAfee recommends that all customers verify that they have applied the latest updates.

 

Does this vulnerability affect McAfee enterprise products?
Yes. Several enterprise products are vulnerable. No consumer products are vulnerable.

How do I know if my McAfee product is vulnerable or not?

For Endpoint products:
Use the following instructions for endpoint or client based products:

  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, select Action Menu.
  4. In the Action Menu, select Product Details. The product version is displayed.

For ePO / Server products:
Use the following instructions for server based products:

  • Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
  • Or, create a query in ePO for the product version of the product installed within your organization.

For Appliances:
Use the following instructions for Appliance based products:

  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version is displayed.


What is CVSS?
CVSS, or Common Vulnerability Scoring System, originated in the National Infrastructure Advisory Council's effort to standardize the assessment of vulnerability severity and is now maintained by FIRST. It offers a vendor-neutral score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?
 
CVE-2014-3513: SRTP Memory Leak

 Base Score  7.1
 Related exploit range (AccessVector)  Network
 Attack complexity (AccessComplexity)  Medium
 Level of authentication needed (Authentication)  None
 Confidentiality impact  None
 Integrity impact  None
 Availability impact  Complete
 Temporal Score 5.3
 Availability of exploit (Exploitability)  Unproven that exploit exists
 Type of fix available (RemediationLevel)  Official fix
 Level of verification that vulnerability exists (ReportConfidence)  Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

CVE-2014-3567: Session Ticket Memory Leak

 

 Base Score  7.1
 Related exploit range (AccessVector)  Network
 Attack complexity (AccessComplexity)  Medium
 Level of authentication needed (Authentication)  None
 Confidentiality impact  None
 Integrity impact  None
 Availability impact  Complete
 Temporal Score 5.3
 Availability of exploit (Exploitability)  Unproven that exploit exists
 Type of fix available (RemediationLevel)  Official fix
 Level of verification that vulnerability exists (ReportConfidence)  Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

CVE-2014-3568: Build option no-ssl3 is incomplete

 

 Base Score 4.3
 Related exploit range (AccessVector)  Network
 Attack complexity (AccessComplexity)  Medium
 Level of authentication needed (Authentication)  None
 Confidentiality impact  None
 Integrity impact  Partial
 Availability impact  None
 Temporal Score 3.2
 Availability of exploit (Exploitability)  Unproven that exploit exists
 Type of fix available (RemediationLevel)  Official fix
 Level of verification that vulnerability exists (ReportConfidence)  Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

What has McAfee done to resolve the issue?
McAfee has released updates for the products listed in the Remediation section above and will release further updates for the products still listed as Vulnerable and Not Yet Updated.
Several signatures and rules have been created for McAfee products to detect and block exploitation attempts.

Where do I download the fix?
You can download the fix from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download. 

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers.  In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan.
 
McAfee only publishes product vulnerability bulletins together with an actionable workaround, hotfix, patch, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. 
 
McAfee may publish lists of known vulnerable and not vulnerable products if the product vulnerability is already generally known publicly, but no actionable workaround is ready yet.
 

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
 
Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision.  The product release dates are for information purposes only, and may not be incorporated into any contract.  The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality.  The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
