Intel Security - Security Bulletin: OpenSSL CVE-2015-1793 vulnerability
Security Bulletins ID:   SB10125
Last Modified:  11/15/2016

Summary

 Impact of Vulnerability:  Security Features (CWE-254)
 CVE Numbers:  CVE-2015-1793
 Severity Rating:  Medium
 Base / Overall CVSS v2 Scores:  6.4/5.6
 Recommendations:  Install recommended patch, see Remediation below
 Security Bulletin Replacement:  None
 Affected Software:  McAfee Email Gateway (MEG) 7.6.400 RTS
 Location of Updated Software:  http://www.mcafee.com/us/downloads/downloads.aspx



Description

This patch remediates the following issue:
 
CVE-2015-1793
OpenSSL - Alternative chains certificate forgery
 
During certificate verification, OpenSSL (starting from versions 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can allow an attacker to bypass certain checks on untrusted certificates, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.
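
A simplified model of the invariant this issue breaks, added here as an illustration and not taken from OpenSSL or Intel Security code: every candidate chain, including an alternative one, must have the CA flag checked on each certificate above the end entity. The `Cert` class, key labels and sample certificates are constructed, and signatures are modelled by matching key labels rather than real cryptography.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:              # simplified stand-in for an X.509 certificate
    subject: str
    issuer: str
    is_ca: bool          # basicConstraints CA flag
    key: str             # label of the subject's key pair (hypothetical)
    signed_by: str       # label of the key that signed this certificate

def candidate_paths(cert, untrusted, anchors, path=()):
    """Yield every chain from cert up to a trust anchor, first and alternative."""
    path = path + (cert,)
    for issuer in anchors + untrusted:
        if issuer in path or (issuer.subject, issuer.key) != (cert.issuer, cert.signed_by):
            continue
        if issuer in anchors:
            yield path + (issuer,)
        else:
            yield from candidate_paths(issuer, untrusted, anchors, path)

def verify(leaf, untrusted, anchors):
    """Return the subjects of the first chain that passes the CA check, else None."""
    for path in candidate_paths(leaf, untrusted, anchors):
        # Re-run the check on every certificate above the end entity for
        # each candidate chain, including alternative ones.
        if all(c.is_ca for c in path[1:]):
            return [c.subject for c in path]
    return None

# Constructed sample data. INTER_OLD chains to a root that is not trusted,
# so verification must fall back to the alternative chain via INTER_NEW.
ROOT = Cert("Root CA", "Root CA", True, "k-root", "k-root")
INTER_OLD = Cert("Intermediate CA", "Old Root CA", True, "k-int", "k-oldroot")
INTER_NEW = Cert("Intermediate CA", "Root CA", True, "k-int", "k-root")
SITE = Cert("site.example", "Intermediate CA", False, "k-site", "k-int")
# Certificate "issued" by the leaf SITE, which has CA set to false.
BOGUS = Cert("other.example", "site.example", False, "k-bogus", "k-site")

if __name__ == "__main__":
    print(verify(SITE, [INTER_OLD, INTER_NEW], [ROOT]))
    print(verify(BOGUS, [SITE, INTER_OLD, INTER_NEW], [ROOT]))
```

The legitimate leaf validates through the alternative chain, while the certificate signed by the leaf is rejected because `site.example` is not a CA.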
 
For more information, see:
 
Intel Security Product Vulnerability Status

Investigation into all Intel Security / McAfee products is ongoing. This security bulletin will be updated as additional information is available.
 
Vulnerable and Updated
  1. McAfee Email Gateway (MEG)
Not Vulnerable
  1. Database Activity Monitoring (DAM)
  2. Database Vulnerability Manager (DVM)
  3. Data eXchange Layer (DXL) Framework
  4. Email Gateway 7.x (MEG)
  5. Endpoint Intelligence Agent (EIA)
  6. ePolicy Orchestrator (ePO)
  7. GTI Proxy 2.0 (Global Threat Intelligence) [EOL 31-Dec-2015]
  8. GTI API v1/2/3
  9. GTI Cloud Server
  10. GTI Private Cloud
  11. GTI REST
  12. McAfee Agent (MA)
  13. McAfee Mobile Security (MMS)
  14. McAfee Quarantine Manager (MQM)
  15. McAfee Security for Application Stores (MSAS)
  16. McAfee Security Information and Event Management (SIEM)
  17. McAfee Vulnerability Manager (MVM)
  18. McAfee Web Gateway (MWG)
  19. Network Data Loss Prevention (NDLP)
  20. Network Security Manager (NSM)
  21. SaaS Account Management (SAM)
  22. SaaS Email Archiving (SEA)
  23. SaaS Email Protection and Continuity (SaaS Email)
  24. SaaS Endpoint Protection (SEP)
  25. SaaS Web Protection (SaaS Web)
  26. Threat Intelligence Exchange (TIE)
  27. True Key / PasswordBox
  28. Web Gateway (MWG)
No Vulnerabilities Reported
  1. Advanced Threat Defense (ATD)
  2. Boot Attestation Service (BAS) / Open Virtual Appliance (OVA)
  3. Capture Service (CS)
  4. Cloud Analysis and Deconstruction Service (CADS)
  5. Content Security Reporter (CSR)
  6. Critical Infrastructure Protection (CIP)
  7. Data Loss Prevention Endpoint (DLPe)
  8. Drive Encryption (DE)
  9. Email and Web Security (EWS)
  10. Endpoint Encryption for Files and Folders (EEFF)
  11. Endpoint Encryption for PCs (EEPC) / McAfee Drive Encryption (MDE)
  12. Endpoint Encryption for Removable Media – USB (EERM)
  13. Endpoint Encryption Manager (EEM/SafeBoot)
  14. Endpoint Protection for Mac (EPM)
  15. Enterprise Mobility Manager (EMM)
  16. ePO Cloud (TPS)
  17. ePO Deep Command (eDC)
  18. File and Removable Media Protection (FRP)
  19. Host Data Loss Prevention (HDLP)
  20. Host Intrusion Prevention Services (HIPS)
  21. Management for Optimized Virtual Environments (MOVE) AntiVirus
  22. McAfee Anti-Theft (MAT)
  23. McAfee Application Control (MAC)
  24. McAfee Asset Manager (MAM)
  25. McAfee Change Control (MCC)
  26. McAfee Cloud Single Sign On (MCSSO) / McAfee Cloud Identity Manager (MCIM)
  27. Email and Web Security (EWS)
  28. McAfee Endpoint Security 10 (MES) / Endpoint Protection 10.0 (EP10)
  29. McAfee MOVE AntiVirus Security Virtual Appliance (MOVE SVA)
  30. McAfee MOVE AntiVirus Security Virtual Appliance Manager (MOVE SVA Manager)
  31. McAfee MOVE Firewall (MOVE Firewall)
  32. McAfee Policy Auditor (MPA)
  33. McAfee Real Time for ePO (RTS)
  34. McAfee Security for Email Servers (MSES)
  35. McAfee Security for Lotus Domino (MSLD) / Domino Windows (MSDW)
  36. McAfee Security for Mac (MSM)
  37. McAfee Security for Microsoft Exchange (MSME)
  38. McAfee Security for Microsoft SharePoint (MSMS)
  39. McAfee Security Management Center (SMC)
  40. McAfee Web Reporter (MWR)
  41. Network Data Loss Prevention (NDLP)
  42. Network Security Platform (NSP) Sensor
  43. Network Threat Behavior Analysis (NTBA)
  44. Network Threat Response (NTR)
  45. One Time Password (OTP) / Pledge
  46. Public Cloud Security (PCS)
  47. Rogue System Detection (RSD)    [part of MAM]
  48. Site Advisor Enterprise (SAE)
  49. Total Protection Service Client (ToPS)
  50. Virus Scan Enterprise (VSE)
  51. VirusScan Enterprise for Storage (VSES)
  52. VirusScan Enterprise Linux (VSEL)
  53. VirusScan for Mac (VSMac)
  54. Whole Disk Encryption (WDE)
For a description of each product, see: http://www.mcafee.com/us/apps/products-az.aspx.

Remediation

Go to the Product Downloads site and download the applicable product patch/hotfix files:
 
Product Type Version File Name Release Date
McAfee Email Gateway (MEG)               Maintenance release MEG 7.6.400 RTS   July 23, 2015

Download and Installation Instructions
See KB56057 for instructions on how to download Intel Security / McAfee products, documentation, security updates, patches, and hotfixes.  Review the Release Notes and the Installation Guide, which you can download from the Documentation tab, for instructions on how to install these updates.

Product Specific Notes

 
  • Email Gateway 7.x
    For MEG specific information, see Knowledge Base article: KB85242 – Email Gateway 7.x response to CVE-2015-1793 (Vulnerable).
     
  • Network Security Manager
    For NSM specific information, see Knowledge Base article: KB85204 – Network Security Manager response to CVE-2015-1793 (Not Vulnerable).
     
  • Web Gateway
    For MWG specific information, see Knowledge Base article: KB88086 – Web Gateway response to CVE-2015-1793.

Workaround

None.

Mitigations

None

Acknowledgements

This vulnerability was first disclosed by OpenSSL, the Internet Systems Consortium (ISC), and The MITRE Corporation (http://cve.mitre.org/) as CVE-2015-1793.

Frequently Asked Questions (FAQs)

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

When calculating CVSS v2 scores, Intel Security has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.

CVSS v3 scoring is in final review as of March 2015. CVSS v2 will be replaced with CVSS v3 when v3 is fully approved.
https://www.first.org/cvss/v3/development
https://www.first.org/cvss/calculator/3.0
 
What are the CVSS scoring metrics that have been used?
 
CVE-2015-1793:
 
 Base Score 6.4
 Related exploit range (AccessVector) Network (N)
 Attack complexity (AccessComplexity) Low (L)
 Level of authentication needed (Authentication) None (N)
 Confidentiality impact Partial (P)
 Integrity impact Partial (P)
 Availability impact None (N)
 Temporal Score (Overall) 5.6
 Availability of exploit (Exploitability) Not Defined (ND)
 Type of fix available (RemediationLevel) Official Fix (OF)
 Level of verification that vulnerability exists (ReportConfidence) Confirmed (C)

NOTE: The below CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N/E:ND/RL:OF/RC:C)

Where can I find a list of all security bulletins or how do I report a product vulnerability?
To find a list of all security bulletins, or if you have information about a security issue or vulnerability with an Intel Security product, please visit our product security website at: http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. Intel Security disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Intel Security or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if Intel Security or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
 
Any future product release dates mentioned in this security bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
