Loading...

Knowledge Center


McAfee Security Bulletin - FREAK OpenSSL Vulnerability
Security Bulletins ID:   SB10108
Last Modified:  4/9/2017
Rated:


Summary

 Who Should Read This Document:  Technical and Security Personnel
 Impact of Vulnerability:  Buffer Errors (CWE-119)
 Cryptographic Issue (CWE-310)
 NULL Pointer Dereference (CWE-476)
 CVE Numbers:  CVE-2014-3569
 CVE-2014-3570
 CVE-2014-3571
 CVE-2014-3572
 CVE-2014-8275
 CVE-2015-0204
 CVE-2015-0205
 CVE-2015-0206
 CERT/CC and Other Numbers:  None
 Severity Rating:  Medium
 Base / Overall CVSS Scores:  CVSS v2: 5.0 / 4.4 (same for all 8 CVEs)
 CVSS v3: 5.3 / 5.1
 Recommendations:  Install product patches and version updates
 Security Bulletin Replacement: See SB10110 for updated information on CVE-2015-0204.
 Caveats:  None
 Affected Software:  See the McAfee Product Vulnerability Status lists below
 Location of Updated Software:  http://www.mcafee.com/us/downloads/downloads.aspx

{GENSUB.EN_US}
Article contents:

Description

Eight (8) OpenSSL vulnerabilities were reported as CVEs. Each have impacted several McAfee Enterprise products.
 
For more in-depth information, see the Cryptographic Engineering article, March 3, 2015: http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html.
 
These patches remediate the following issues:
 
CVE-2014-3569:
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. This issue became relevant after the CVE-2014-3568 fix.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3569
 
CVE-2014-3570:
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3570
 
CVE-2014-3571:
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3571
 
CVE-2014-3572:
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3572
 
CVE-2014-8275:
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8275
 
CVE-2015-0204:
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204
 
CVE-2015-0205:
The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0205
 
CVE-2015-0206:
Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0206
 
CWE-119
Buffer Errors
http://cwe.mitre.org/data/definitions/119.html
  • CVE-2015-0206
CWE-310
Cryptographic Issues
http://cwe.mitre.org/data/definitions/310.html
  • CVE-2014-3570
  • CVE-2014-3572
  • CVE-2014-8275
  • CVE-2015-0204
  • CVE-2015-0205
CWE-476
NULL Pointer Dereference
http://cwe.mitre.org/data/definitions/476.html
  • CVE-2014-3569
All of these issues are resolved in patches listed below.
 
McAfee Product Vulnerability Status
 
Investigation into all McAfee products is ongoing. This security bulletin will be updated as additional information is available.
 
Vulnerable and Updated
  1. GTI Proxy 2.0
  2. McAfee Email Gateway (MEG) / Email and Web Security (EWS) (low risk)
  3. McAfee Web Gateway (MWG)
Vulnerable and Not Yet Updated
  1. McAfee Asset Manager (MAM)
Not Vulnerable
  1. Advanced Threat Defense (ATD)
  2. Boot Attestation Service (BAS) / Open Virtual Appliance (OVA)
  3. Content Security Reporter (CSR)
  4. Data Loss Prevention Endpoint (DLPe)
  5. Database Activity Monitoring (DAM)
  6. Database Vulnerability Manager (DVM)
  7. Drive Encryption (DE)
  8. Email and Web Security (EWS)
  9. Endpoint Encryption for Files and Folders (EEFF)
  10. Endpoint Encryption for PCs (EEPC) / McAfee Drive Encryption (MDE)
  11. Endpoint Encryption for Removable Media – USB (EERM)
  12. Endpoint Encryption Manager (EEM)
  13. Endpoint Intelligence Agent (EIA)
  14. Endpoint Protection for Mac (EPM)
  15. Enterprise Mobility Manager (EMM)
  16. ePO Cloud (TPS)
  17. ePO Deep Command (eDC)
  18. File and Removable Media Protection (FRP)
  19. Host Data Loss Prevention (HDLP)
  20. Host Intrusion Prevention Services (HIPS)
  21. Management for Optimized Virtual Environments (MOVE) AntiVirus
  22. McAfee Agent (MA)
  23. McAfee Application Control (MAC)
  24. McAfee Change Control (MCC)
  25. McAfee Cloud Single Sign On (MCSSO) / McAfee Cloud Identity Manager (MCIM)
  26. McAfee Endpoint Security 10 (MES) / Endpoint Protection 10.0 (EP10)
  27. McAfee ePolicy Orchestrator (ePO )
  28. McAfee Mobile Security (MMS)
  29. McAfee MOVE AntiVirus Security Virtual Appliance (MOVE SVA)
  30. McAfee MOVE AntiVirus Security Virtual Appliance Manager (MOVE SVA Manager)
  31. McAfee MOVE Firewall (MOVE Firewall)
  32. McAfee Network Access Control (MNAC)
  33. McAfee Policy Auditor (MPA)
  34. McAfee Quarantine Manager (MQM)
  35. McAfee Security for Domino Windows (MSDW)
  36. McAfee Security for Lotus Domino (MSLD)
  37. McAfee Security for Mac (MSM)
  38. McAfee Security for Microsoft Exchange (MSME)
  39. McAfee Security for Microsoft SharePoint (MSMS)
  40. McAfee Security Information and Event Management (SIEM)
  41. McAfee Vulnerability Manager (MVM)
  42. McAfee Web Reporter (MWR)
  43. Network Data Loss Prevention (NDLP)
  44. Network Security Platform (NSP) Sensor
  45. Network Security Manager (NSM)
  46. Network Threat Behavior Analysis (NTBA)
  47. Network Threat Response (NTR)
  48. Network User Behavior Analysis (NUBA) One Time Password (OTP) / Pledge
  49. Rogue System Detection (RSD)
  50. SaaS Account Management (SAM)
  51. SaaS Email Archiving (SEA)
  52. SaaS Email Protection and Continuity (SaaS Email) 
  53. SaaS Endpoint Protection (SEP)
  54. SaaS Web Protection (SaaS Web)
  55. Secure Container (Android and iOS)
  56. Site Advisor Enterprise (SAE)
  57. Threat Intelligence Exchange (TIE)
  58. Virus Scan Enterprise (VSE)
  59. VirusScan Enterprise for Storage (VSES) Mobile Cloud (MC)
  60. Network Security Manager (NSM)
  61. Network User Behavior Analysis (NUBA)
  62. One Time Password (OTP) / Nordic Edge / Pledge
  63. Online Child Protection (OCP)
  64. PortalShield (PS)
  65. Pre-Install Scanner (PIS)
  66. Public Cloud Security (PCS)
  67. Data Exchange Layer (DXL)
  68. Threat Intelligence Extension (TIE)
  69. SaaS Account Management (SAM)
  70. SaaS Email Archiving (SEA)
  71. SaaS Email Protection and Continuity (SaaS Email)
  72. SaaS Endpoint Protection (SEP)
  73. SaaS Web Protection (SaaS Web)
  74. Secure Container (Android and iOS)
  75. Site Advisor Enterprise (SAE)
  76. Threat Intelligence Exchange (TIE)
  77. Virus Scan Enterprise (VSE)
  78. VirusScan Enterprise for Storage (VSES)
  79. VirusScan Enterprise Linux (VSEL)
  80. VirusScan for Mac (VSMac)
For a description of each product, see: http://www.mcafee.com/us/apps/products-az.aspx.
 

Remediation

Go to the McAfee Downloads site and download the applicable product patch/hotfix file:
 
Product Type Patch Version File Name Release Date
GTI Proxy 2.0          Patch GTI Proxy Patch 6   July 15, 2015
MAM Hotfix 6.6 Hotfix 7 mam_hotfix_pack7.sh June 2015
MEG / EWS 7.6.x Patch 7.6.4   March 30, 2015 Contact Technical support to obtain the patch
MEG / EWS 7.5.x Hotfix 7.5 hotfix 1037302   March 27, 2015 Contact Technical Support to obtain the hotfix
MWG 7.5.1.1                Patch 7.5.1.1   March 27, 2015
MWG 7.4.2.8 Patch 7.4.2.8   March 27, 2015
70103E65*: 70103E65, which originally resolved this CVE, was made obsolete by 7.0.1.03H11.

Product Specific Notes:
  • GTI Proxy 2.0
    GTI Proxy is vulnerable to CVE-2014-3571 and CVE-2014-3569.
     
  • MAM
    MAM 6.6 is vulnerable due to the underlying Debian Squeeze Linux platform provided with it. Debian has released a fix for this already at https://security-tracker.debian.org/tracker/CVE-2015-0204. OpenSSL 0.9.8o-4squeeze19 fixes this problem.

    MAM 6.6 Hotfix 7 has superseded the release originally posted in this article.  MAM Hotfix 7 is a rollup that includes the content of hotfixes 1-6. 
     
  • MEG
    There is a workaround for clients that have not yet been patched. For instructions to disable EXPORT ciphers, see KB84267.
McAfee Product Download Instructions
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
  3. Provide your valid McAfee Grant Number. *
  4. Click your product suite.
  5. Click the applicable product (see table above) and click I Agree.
  6. Click the Patches tab and click the link to download the product .ZIP file under the Product column.
* NOTE: The Content and Cloud Security portal does not require a McAfee Grant number; however, customers have received login credentials together with their MWG license.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.

For instructions on how to install/upgrade this hotfix/patch, please review the Release Notes and the Installation Guide (which you can download from the Documentation tab) following the same steps above.

Workaround

None. Install the provided hotfix / patch / version updates.

Mitigations
The OpenSSL vendor fix was announced in OpenSSL 1.0.1k, 1.0.0p, and 0.9.8zd: https://www.openssl.org/news/secadv_20150108.txt. This fix is being recompiled into the affected McAfee products.
 
Some McAfee products have signatures to help detect this vulnerability. These include:
  • MVM – McAfee Vulnerability Manager
    • FSL vulnerability checks
    • 17635 - Splunk Enterprise OpenSSL Two Vulnerabilities
    • 17789 - IBM AIX OpenSSL Multiple Vulnerabilities (openssl_advisory12)
    • 17916 - (SOL16139) F5 BIG-IP OpenSSL Vulnerability
    • 17925 - (SOL16136) F5 BIG-IP OpenSSL Vulnerability
    • 17967 - SSL/TLS Export Suites Freak Attack
    • 17970 - (HPSBUX03244) HP-UX OpenSSL Multiple Vulnerabilities
    • 85856 - CentOS 6, 7 CESA-2015-0066 Update Is Not Installed
    • 88660 - Slackware Linux 13.0, 13.1, 13.37, 14.0, 14.1 SSA:2015-009-01 Update Is Not Installed
    • 91708 - Oracle Enterprise Linux ELSA-2015-0066 Update Is Not Installed
    • 91732 - Oracle Enterprise Linux ELSA-2015-3010 Update Is Not Installed
    • 93455 - Mandriva Linux MBS1 MDVSA-2015-019 Update Is Not Installed
    • 130048 - Debian Linux 7.0 DSA-3125-1 Update Is Not Installed
    • 140658 - Red Hat Enterprise Linux RHSA-2015-0066 Update Is Not Installed
    • 143399 - SuSE Linux 13.1, 13.2 openSUSE-SU-2015:0130-1 Update Is Not Installed
    • 143415 - SuSE SLES 10 SP4, SLED 11 SP3 SUSE-SU-2015:0182-1 Update Is Not Installed
    • 143431 - SuSE SLES 10 SP4 SUSE-SU-2015:0172-1 Update Is Not Installed
    • 143432 - SuSE SLES 11 SP1, 11 SP2, 11 SP3, SLED 11 SP3 SUSE-SU-2015:0172-2 Update Is Not Installed
    • 143471 - SuSE SLES 11 SP3 SUSE-SU-2015:0181-1 Update Is Not Installed
    • 143472 - SuSE SLES 12, SLED 12 SUSE-SU-2015:0205-1 Update Is Not Installed
    • 143494 - SuSE SLED 12 SUSE-SU-2015:0305-1 Update Is Not Installed
    • 170445 - Amazon Linux AMI ALAS-2015-469 Update Is Not Installed
    • 174631 - Scientific Linux Security ERRATA Moderate: openssl on SL6.x, SL7.x i386/x86_64 (1501-1506)
    • 17789 - IBM AIX OpenSSL Multiple Vulnerabilities (openssl_advisory12)
    • 181314 - FreeBSD OpenSSL Multiple Vulnerabilities (4e536c14-9791-11e4-977d-d050992ecde8)
    • 184662 - Ubuntu Linux 10.04, 12.04, 14.04, 14.10 USN-2459-1 Update Is Not Installed
    • 188790 - Fedora Linux 21 FEDORA-2015-0512 Update Is Not Installed
    • 188809 - Fedora Linux 20 FEDORA-2015-0601 Update Is Not Installed
Download the latest content for each and enable the checks if they are not enabled by default.

Acknowledgements

These vulnerabilities were first disclosed by The MITRE Corporation (http://cve.mitre.org/) as:
  • CVE-2014-3569
  • CVE-2014-3570
  • CVE-2014-3571
  • CVE-2014-3572
  • CVE-2014-8275
  • CVE-2015-0204
  • CVE-2015-0205
  • CVE-2015-0206

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
See the Product Specific Notes section above.
McAfee recommends that all customers verify that they have applied the latest updates.

What issues do this hotfix/patch address?
  • 1032655 - CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572, CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570 (OpenSSL)
  • 1035698 - Is CC vulnerable to CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572, CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570
Does this vulnerability affect McAfee enterprise products?
Yes. Several enterprise products are vulnerable. No consumer products are vulnerable.

How do I know if my McAfee product is vulnerable or not?

For Endpoint products:
Use the following instructions for endpoint or client based products:
  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, select Action Menu.
  4. In the Action Menu, select Product Details. The product version is displayed.
For ePO / Server products:
Use the following instructions for server based products:
  • Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
  • Or, create a query in ePO for the product version of the product installed within your organization.
For Appliances:
Use the following instructions for Appliance based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version is displayed.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

When calculating CVSS v2 scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.
 
What are the CVSS scoring metrics that have been used?

This score applies to all 8 CVEs.

 

 Base Score 5.0
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Low
 Level of authentication needed (Authentication) None
 Confidentiality impact None
 Integrity impact None
 Availability impact Partial
 Temporal Score (Overall) 4.4
 Availability of exploit (Exploitability) Not Defined
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P/E:ND/RL:OF/RC:C)

Alternate CVSS v3 Scoring:
https://www.first.org/cvss/v3/development

This score applies to all 8 CVEs.
 
 Base Score 5.3
Attack Vector (AV) Network (N)
Attack Complexity (AC) Low (L)
Privileges Required (PR) None (N)
User Interaction (UI) None (N)
Scope (S) Unchanged (U)
Confidentiality (C) None (N)
Integrity (I) None (N)
Availability (A) Low (L)
 Temporal Score (Overall) 5.1
Exploitability (E) Not Defined (X)
Remediation Level (RL) Official Fix (O)
Report Confidence (RC) Confirmed (C)

NOTE: CVSS version 3.0 (beta) vector was used to generate this score.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/RL:O/RC:C

What has McAfee done to resolve the issue?
McAfee has already and will be releasing several product updates to address this security flaw.

Where do I download the fix?
You can download the fix from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, hotfix, patch, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. 

McAfee may publish lists of known vulnerable and not vulnerable products if the product vulnerability is already generally known publicly, but no actionable workaround is ready yet.
 
Where can I find a list of all Security Bulletins?
To view all published Security Bulletins, visit the McAfee ServicePortal at https://mysupport.mcafee.com, click Knowledge Center, and select Security Bulletins in the left navigation pane under Content Source. Alternatively, you can use this link: https://support.mcafee.com/ServicePortal/faces/knowledgecenter?s=true&lang=en-us&sm=false&tab=SCtdl&facets=Security+Bulletin@INQUIRA_TYPE&sb=mostViewed&sbv=numberofviews%3Anumberdecreasing&scps=q.
 
If you know the Security Bulletin ID, use the following link after replacing the example Security Bulletin ID (SB10071) with the Security Bulletin ID you are searching for: https://kc.mcafee.com/corporate/index?page=content&id=SB10071.
 
How do I report a product vulnerability?
If you have information about a security issue or vulnerability with a McAfee product, please visit our product security website at: http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx#=tab-vulnerability.

Resources

For contact details: Go to http://www.mcafee.com/us/about/contact/index.html. Non-US customers - select your country from the list of Worldwide Offices.

Alternatively:
Log into the McAfee Technical Support ServicePortal at https://mysupport.mcafee.com:
  • If you are a registered user, type your User ID and Password and click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx. For instructions on downloading, see KB56057.

To download new Beta software or to read about the latest Beta information, go to http://www.mcafee.com/us/downloads/beta-programs/index.aspx.

To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com.

For copyright, trademark attributions, and license information, go to http://us.mcafee.com/root/aboutUs.asp?id=copyright.

For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.

Rate this document

Did this article resolve your issue?

Please provide any comments below

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.