McAfee Security Bulletin - GHOST Vulnerability
Security Bulletins ID:   SB10100
Last Modified:  4/9/2017


Summary

 Who Should Read This Document:  Technical and Security Personnel
 Impact of Vulnerability:  Remote Code Execution (CWE-714, OWASP 2007:A3)
                           Buffer Overflow (CWE-726, OWASP 2004:A5)
                           Authentication Bypass (CWE-592)
 CVE Numbers:  CVE-2015-0235
 CERT/CC and Other Numbers:  Qualys Advisory: GHOST-CVE-2015-0235
 Severity Rating:  High
 Base / Overall CVSS Scores:  10.0 / 7.8
 Recommendations:  Deploy the remediation signatures/rules first, then update product patches/hotfixes.
 Security Bulletin Replacement:  None
 Caveats:  None
 Affected Software:  See the McAfee Product Vulnerability Status lists below
 Location of Updated Software:  http://www.mcafee.com/us/downloads/downloads.aspx


Description

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the target system without any prior knowledge of system credentials. This buffer overflow can be triggered both locally and remotely. CVE-2015-0235 has been assigned to this issue. It is referred to as the GHOST vulnerability because it is triggered through the gethostbyname() family of functions (GetHOST).
 
The GNU C Library, or glibc, is an implementation of the standard C library and a core part of the Linux operating system. Linux distribution vendors have released patches for all distributions as of January 27, 2015.
The first vulnerable version of the GNU C Library was released on November 10, 2000. The bug was fixed upstream on May 21, 2013, but the fix was not recognized as security-relevant at the time. As a result, most stable and long-term-support distributions were left exposed.
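The paragraph above gives the two dates that matter for triage: the bug entered glibc in 2000 and was fixed upstream in May 2013, which means the fix first shipped in glibc 2.18. The following Python script is an added example (not part of this bulletin and not McAfee tooling) that turns that fact into a fleet check: it reports a host's glibc version and word size, flags versions below 2.18, and can run against the local host through the standard library. The inventory records in it are constructed, not real hosts, and the 2.18 cut-off is the upstream release, not a per-distribution threshold.

```python
"""Triage helper for CVE-2015-0235 (GHOST): decide whether a host's glibc
needs a closer look.

Added example for this bulletin; not McAfee code. The only fixed fact it
relies on is that the upstream fix (May 21, 2013) first shipped in glibc 2.18,
so any lower upstream version number is worth checking. The inventory records
below are constructed, not real hosts.
"""
import platform
import re
import struct

UPSTREAM_FIXED = (2, 18)  # first upstream glibc release containing the fix


def parse_glibc_version(text):
    """Extract (major, minor) from strings like '2.17' or 'glibc 2.12-1.149.el6'."""
    match = re.search(r"(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no glibc version found in {text!r}")
    return int(match.group(1)), int(match.group(2))


def predates_upstream_fix(version_text):
    """True when the upstream version number is below 2.18.

    True means 'confirm further', not 'vulnerable': enterprise distributions
    backport security fixes without changing the upstream version, so the
    distribution package changelog is the authoritative source.
    """
    return parse_glibc_version(version_text) < UPSTREAM_FIXED


def triage(libc_name, version_text, pointer_bits):
    """Summarise one host; pointer_bits is 32 or 64 (the bulletin singles out
    32-bit Linux builds of McAfee Agent as the affected ones)."""
    result = {"glibc": libc_name == "glibc", "version": version_text,
              "pointer_bits": pointer_bits}
    if not result["glibc"]:
        result.update(needs_check=False,
                      reason=f"C library is {libc_name or 'unknown'}, not glibc")
        return result
    try:
        older = predates_upstream_fix(version_text)
    except ValueError:
        result.update(needs_check=True,
                      reason="glibc version not parseable; inspect manually")
        return result
    result.update(
        needs_check=older,
        reason=("below upstream fix 2.18; confirm with the distribution package changelog"
                if older else "at or above upstream fix 2.18"),
    )
    return result


def hosts_needing_check(inventory):
    """Filter a fleet export down to the hosts that warrant a manual glibc check."""
    return [rec["host"] for rec in inventory
            if triage(rec["libc"], rec["version"], rec["bits"])["needs_check"]]


def triage_local_host():
    """Run the same triage against the interpreter's own host using the stdlib."""
    name, version = platform.libc_ver()
    return triage(name, version, struct.calcsize("P") * 8)


# Constructed inventory records in the shape a fleet export might produce (not real hosts)
SAMPLE_INVENTORY = [
    {"host": "lnx-agent-01", "libc": "glibc", "version": "2.12-1.149.el6", "bits": 32},
    {"host": "lnx-agent-02", "libc": "glibc", "version": "2.19", "bits": 64},
    {"host": "alpine-box", "libc": "musl", "version": "1.1.5", "bits": 64},
]

if __name__ == "__main__":
    print("needs check:", hosts_needing_check(SAMPLE_INVENTORY))
    print("this host:", triage_local_host())
```

A version number below 2.18 is a prompt to look further, not a verdict: enterprise distributions backport fixes without changing the upstream version, so the package changelog is what settles it (for example `rpm -q --changelog glibc | grep CVE-2015-0235` on RPM-based systems, or `apt-get changelog libc6` on Debian-based ones).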
 
 
CWE-714
OWASP Top Ten 2007 Category A3 - Malicious File Execution
http://cwe.mitre.org/data/definitions/714.html
 
Qualys Advisory: GHOST-CVE-2015-0235
GHOST Vulnerability
McAfee Product Vulnerability Status
 
Investigation into all McAfee products is ongoing. Products not on these lists are still being investigated. This security bulletin will be updated as additional information becomes available. Not every version of the "Vulnerable and Updated" products is vulnerable.
 
* Products listed as "Vulnerable but Low Risk (given standard deployment best practices)" may contain one or more of the following conditions:
  • Contains a vulnerable component, but an attack vector cannot be identified or the component is not used by the product.
  • Only rarely used configurations are vulnerable. For example, it is vulnerable only in FIPS-140 mode, which is not the default and is not commonly used.
  • Internal controls that block this vulnerability should be deployed as recommended in the installation documents. For example, internal firewalls.
  • Privileges are not elevated enough to be vulnerable, unless granted explicitly by the customer.
  • The product may be momentarily vulnerable during an install or uninstall, but not during normal operation.
See the version information later in this bulletin.
 
Vulnerable and Updated
  1. Advanced Threat Defense (MATD)
  2. Global Threat Intelligence (GTI) [GTI Cloud Server (CS) / Artemis / REST]
  3. GTI Proxy 2.0
  4. McAfee Agent (MA) (Linux 32-bit) 4.8.0 and 5.0.0
  5. McAfee Asset Manager (MAM)
  6. McAfee Security for App Store- Cloud (MSAS)
  7. McAfee Security Information and Event Management (SIEM) / Nitro
  8. McAfee Web Gateway (MWG)
  9. Mobile Cloud (MC)
  10. MOVE AntiVirus Security Virtual Appliance (MOVE SVA)
  11. McAfee MOVE AntiVirus Security Virtual Appliance Manager (MOVE SVA Manager)
  12. Network Data Loss Prevention (NDLP)
  13. TrueKey Password Manager API (TKPM) / You Are the Password (YAP) / PasswordBox
  14. VirusScan Enterprise Linux (VSEL)
Vulnerable and Not Yet Updated
  1. Cloud Analysis and Deconstruction Service (CADS)
  2. Site Advisor Live (SA)
Vulnerable but Low Risk (given standard deployment best practices)*
  1. CleanBoot (CB)
  2. Data Exchange Layer (DXL)
  3. Email and Web Security (EWS)
  4. Host Intrusion Prevention Services (HIPS)
  5. McAfee Email Gateway (MEG)
  6. Network Security Platform (NSP) Sensor
  7. Network Threat Behavior Analysis (NTBA)
  8. Network Threat Response (NTR)
  9. Threat Intelligence Exchange (TIE)
Not Vulnerable
  1. Anti-Malware Engine (AME)
  2. Content Security Interlock (CSI)
  3. Content Security Reporter (CSR)
  4. Database Activity Monitoring (DAM)
  5. Database Vulnerability Manager (DVM)
  6. Deep Defender (DD)
  7. Drive Encryption (DE)
  8. Endpoint Encryption Manager (EEM/SafeBoot)
  9. Endpoint Protection for Mac (EPM)
  10. Enterprise Mobility Manager  (EMM)
  11. ePO Deep Command (eDC)
  12. ePolicy Orchestrator (ePO)
  13. Endpoint Encryption for Files and Folders (EEFF)
  14. Endpoint Encryption for PCs (EEPC) / McAfee Drive Encryption (MDE)
  15. Endpoint Encryption for Removable Media – USB (EERM)
  16. File and Removable Media Protection (FRP)
  17. McAfee Application Control (MAC)
  18. McAfee Antivirus Plus (AV+)
  19. McAfee Endpoint Security 10 (ENS) / Endpoint Protection 10.0 (EP10)
  20. McAfee Family Protection (MFP)
  21. McAfee Foundation Services (MFS)   [part of ePO]
  22. McAfee Home Network (MHN)
  23. McAfee Minimum Escalation Requirements Tool (MER)
  24. McAfee Mobile Security (MMS)
  25. McAfee Quarantine Manager (MQM)
  26. McAfee Security for Domino Windows (MSDW)
  27. McAfee Security for Email Servers (MSES) / GroupShield
  28. McAfee Security for Lotus Domino (MSLD) / GroupShield Domino (GSD)
  29. McAfee Security for Microsoft Exchange (MSME) / GroupShield Exchange
  30. McAfee Security for Microsoft SharePoint (MSMS)
  31. McAfee Security for Mac (MSM)
  32. McAfee Vulnerability Manager (MVM)
  33. McAfee Virtual Technician (MVT)
  34. McAfee Web Reporter (MWR)
  35. Network Security Manager (NSM)
  36. Rogue System Detection (RSD)    [part of ePO]
  37. SaaS Endpoint Protection (SEP)
  38. Secure Container (Android and iOS)
  39. Site Advisor Enterprise (SAE)
  40. Total Protection Service Client (ToPS)
  41. Virus-Scan Enterprise (VSE)
  42. VirusScan for Mac (VSMac)
  43. Windows Systems Security (WSS)
Being Investigated
  1. Anti-Malware Core (AMC)
  2. Anti-Spam Engine (ASE)
  3. AntiVirus Engine (AVE)
  4. Boot Attestation Service (BAS) / Open Virtual Appliance (OVA)
  5. Data Loss Prevention Endpoint (DLPe)
  6. DeepSAFE (SAFE)
  7. Endpoint Intelligence Agent (EIA)
  8. ePO Cloud
  9. Gateway Anti-Malware Engine (GAM)
  10. Host Data Loss Prevention (HDLP)
  11. Management for Optimized Virtual Environments (MOVE) AntiVirus
  12. McAfee Anti-Theft (MAT)
  13. McAfee Change Control (MCC)
  14. McAfee Cloud Single Sign On (MCSSO) / McAfee Cloud Identity Manager (MCIM)
  15. McAfee Network Access Control (MNAC)
  16. McAfee Policy Auditor (MPA)
  17. McAfee Real Time Command (RTC)
  18. McAfee Real Time for ePO (RTE)
  19. McAfee SECURE (MS) / Trustmark
  20. McAfee Security Scan+ (MSS+)
  21. Network User Behavior Analysis (NUBA)
  22. One Time Password (OTP) / Nordic Edge / Pledge
  23. Online Child Protection (OCP)
  24. PortalShield (PS)
  25. Pre-Install Scanner (PIS)
  26. Stinger
  27. Super DAT Manager (SDAT)
  28. ToPS Server (TPS)
  29. Trusted Source Software Development Kit (TS-SDK)
  30. Whole Disk Encryption (WDE)
For a description of each product, see:

Remediation

Go to the McAfee Downloads site and download the applicable product patch/hotfix file:
 
Each entry lists Product, Type, Patch Version, File Name, and Release Date; fields the original table left empty are omitted.

ATD
  Type: Patch
  Patch Version: 3.4.4.63.45665
  Release Date: March 31, 2015

MAM
  Type: Security Hotfix Script
  Patch Version: Hotfix 7
  File Name: mam_hotfix_pack7.sh
  Release Date: June 23, 2015

McAfee Agent 4.8.0
  Type: Patch
  Patch Version: Patch 3
  File Name: MA480P3LNX.zip
  Release Date: February 17, 2015

McAfee Agent 5.0.0
  Type: Security Hotfix
  Patch Version: NA
  File Name: MA500LNXHF1037455.zip
  Release Date: February 19, 2015

MOVE 3.5 SVA Manager
  Type: Upgrade to MA 4.8 Patch 3 and VSEL 2.02, and then deploy HF1043657 from ePO.

MOVE AL 3.5
  Type: Upgrade to MA 4.8 Patch 3 and VSEL 2.02, and then deploy HF1043655 from ePO.
  Patch Version: HF1043655
  File Name: N/A
  Release Date: February 23, 2015

MOVE AL 3.0
  Type: Upgrade to MA and VSEL 1.9.1, and then deploy HF1043684 from ePO.
  Patch Version: HF1043684
  File Name: N/A
  Release Date: After the VSEL 1.9.1 release, which is scheduled for February 27, 2015

MOVE MP 3.5
  Type: Development is still in progress.
  Patch Version: N/A
  File Name: N/A
  Release Date: Date will be updated later.

MOVE 2.6
  Type: MOVE 2.6 is EOL July 31; customers are advised to move to MOVE 3.0/3.5.
  Patch Version: N/A
  File Name: N/A
  Release Date: N/A

MWG
  Type: Patch
  Patch Version: 7.5.1 and 7.4.2.7
  File Name: mwgappl-7.5.1-18935.x86_64.yum and mwgappl-7.4.2.7.0-18936.x86_64.yum
  Release Date: January 29, 2015

MWG
  Type: Patch
  Patch Version: 7.3.2.13
  File Name: mwgappl-7.3.2.13.0-18938.x86_64.yum
  Release Date: February 2, 2015

NDLP
  Type: Security Hotfix
  Patch Version: Hotfix 1045663
  File Name: hotfix_1045663_47280.tar.gz
  Release Date: March 12, 2015

SIEM
  Type: Maintenance Release
  Patch Version: 9.4.2 MR6 and 9.3.2 MR17
  Release Date: January 28, 2015

TrueKey
  Type: Cloud Update
  Patch Version: N/A
  File Name: N/A
  Release Date: January 27, 2015

VSE for Linux 1.7.x
  Type: Customers are advised to upgrade to VSEL 1.9.1/2.0.2 to fix all the vulnerabilities.
  Patch Version: N/A
  File Name: N/A
  Release Date: N/A

VSE for Linux 2.0.2
  Type: VSEL 2.0.2 is being reposted; it fixes the glibc vulnerability in the field and contains all previously released hotfixes merged (including the POODLE vulnerability).
  Patch Version: N/A
  File Name: N/A
  Release Date: February 19, 2015

VSE for Linux 1.9.1
  Type: VSEL 1.9.1 is being reposted; it fixes the glibc vulnerability in the field and contains all previously released hotfixes merged (including the POODLE vulnerability).
  Patch Version: N/A
  File Name: McAfeeVSEForLinux-1.9.1.29107.zip
  Release Date: March 4, 2015
 
Product Specific Notes:
  • DXL
    DXL clients are not vulnerable. The platform the DXL Broker runs on has a vulnerable version of Linux; however, it does not expose the vulnerability. DXL 1.0.1 will still be patched to avoid false positives by vulnerability scanners.
     
  • HIPS
    'HIPS for Linux' statically links to vulnerable versions of glibc, but there is no attack vector. The Windows version is not vulnerable.
     
  • MA
    Only McAfee Agent 4.6, 4.8, and 5.0 for Linux 32-bit are bundled with this runtime library and are affected.
     
    NOTE: All other non-Linux, 64-bit Linux, and embedded Linux distributions without this runtime are not impacted. MA 4.6 reaches EOL status on March 31, 2015. Customers are advised to migrate to the latest supported versions to obtain this fix.
     
  • MAM
    MAM is vulnerable, not because of the product itself, but because of the underlying Debian Squeeze Linux platform shipped with it.
     
    MAM 6.6 Hotfix 7 has superseded the release previously posted in this article.  Hotfix 7 is a rollup that includes the content of hotfixes 1-6.
     
  • MC
    McAfee Mobile Cloud was updated by McAfee in the cloud. No actions are required by customers.
     
  • MWG
    MWG appliances use the vulnerable glibc, but investigation shows that there is no attack vector for the MWG proxy for user traffic because MWG uses a different implementation for DNS lookups (uDNS). MWG ships with several third-party products, such as Dante Socks Proxy and Helix Streaming Proxy, which may be vulnerable. These third-party products are NOT enabled by default.
     
  • TIE
    The platform the TIE Server runs on has a vulnerable version of Linux; however, it does not expose the vulnerability. TIE 1.0.1 will still be patched to avoid false positives by vulnerability scanners.
     
  • TrueKey/YAP
    All production systems related to the TrueKey platform were updated by McAfee on January 27, 2015. No customer action is required.
McAfee Product Download Instructions
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
  3. Provide your valid McAfee Grant Number. *
  4. Click your product suite.
  5. Click the applicable product (see table above) and click I Agree.
  6. Click the Patches tab and click the link to download the product .ZIP file under the Product column.
* NOTE: The Content and Cloud Security portal does not require a McAfee Grant number; however, customers have received login credentials together with their MWG license.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.

For instructions on how to install/upgrade this hotfix/patch, please review the Release Notes and the Installation Guide (which you can download from the Documentation tab) following the same steps above.

Workaround

Linux distribution vendors have all released patches as of January 27, 2015. McAfee products that rely upon these vulnerable Linux distributions will be patched by product-specific McAfee tested and approved patches and hotfixes.

Mitigations
Several McAfee products have signatures to help mitigate this vulnerability. These include:

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
See the Product Specific Notes section above.
 
 
McAfee recommends that all customers verify that they have applied the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes. Several enterprise products are vulnerable. No consumer products are vulnerable.

How do I know if my McAfee product is vulnerable or not?

For Endpoint products:
Use the following instructions for endpoint- or client-based products:
  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, select Action Menu.
  4. In the Action Menu, select Product Details. The product version is displayed.
For ePO / Server products:
Use the following instructions for server-based products:
  • Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
  • Or, create a query in ePO for the product version of the product installed within your organization.
For Appliances:
Use the following instructions for appliance-based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version is displayed.
For DLPe ePO Extension:
Use the following instructions:
  1. Log on to the ePO server.
  2. Click Menu, Data Protection, DLP Policy.
  3. Inside the DLP console, click the Help menu item, About. The product version is displayed.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

When calculating CVSS v2 scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.
 
What are the CVSS scoring metrics that have been used?

CVE-2015-0235: GHOST Vulnerability

 Base Score: 10.0
 Related exploit range (AccessVector): Network
 Attack complexity (AccessComplexity): Low
 Level of authentication needed (Authentication): None
 Confidentiality impact: Complete
 Integrity impact: Complete
 Availability impact: Complete
 Temporal Score (Overall): 7.8
 Availability of exploit (Exploitability): Proof of concept code
 Type of fix available (RemediationLevel): Official fix
 Level of verification that vulnerability exists (ReportConfidence): Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

NOTE: The CVSS base score was adjusted higher (10.0) since NIST (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235) scored the CVE. The initial score (6.8) was from RedHat: https://access.redhat.com/security/cve/CVE-2015-0235.
 
What has McAfee done to resolve the issue?
McAfee will be releasing several product updates to address this security flaw.

Where do I download the fix?
You can download the fix from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, hotfix, patch, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. 

McAfee may publish lists of known vulnerable and not vulnerable products if the product vulnerability is already generally known publicly, but no actionable workaround is ready yet.
 
Where can I find a list of all Security Bulletins?
To view all published Security Bulletins, visit the McAfee ServicePortal at https://mysupport.mcafee.com, click Knowledge Center, and select Security Bulletins in the left navigation pane under Content Source. Alternatively, you can use this link: https://support.mcafee.com/ServicePortal/faces/knowledgecenter?s=true&lang=en-us&sm=false&tab=SCtdl&facets=Security+Bulletin@INQUIRA_TYPE&sb=mostViewed&sbv=numberofviews%3Anumberdecreasing&scps=q.
 
If you know the Security Bulletin ID, use the following link after replacing the example Security Bulletin ID (SB10071) with the Security Bulletin ID you are searching for: https://kc.mcafee.com/corporate/index?page=content&id=SB10071.
 
How do I report a product vulnerability?
If you have information about a security issue or vulnerability with a McAfee product, please visit our product security website at: http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx#=tab-vulnerability.

Resources

For contact details: Go to http://www.mcafee.com/us/about/contact/index.html. Non-US customers - select your country from the list of Worldwide Offices.

Alternatively:
Log into the McAfee Technical Support ServicePortal at https://mysupport.mcafee.com:
  • If you are a registered user, type your User ID and Password and click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx. For instructions on downloading, see KB56057.

To download new Beta software or to read about the latest Beta information, go to http://www.mcafee.com/us/downloads/beta-programs/index.aspx.

To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com.

For copyright, trademark attributions, and license information, go to http://us.mcafee.com/root/aboutUs.asp?id=copyright.

For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
