Intel Security - Security Bulletin: Network Data Loss Prevention update addresses CVE-2016-0800
Security Bulletins ID:   SB10154
Last Modified:  9/13/2016

Summary

First Published: 4/7/2016
 
 Impact of Vulnerability:  Information Leak / Disclosure (CWE-200)
 Cryptographic Issues (CWE-310)
 CVE Numbers:  CVE-2016-0800
 Severity Rating:  Medium
 Base / Overall CVSS v3 Scores:  5.9 / 5.5
 Recommendations:  Apply Network Data Loss Prevention (Network DLP) Hotfix 9.3.4.1.1 to Network DLP 9.3.4.1
 Applicable only for 4400 and 5500 platforms.
 1650 and 3650 platforms are not vulnerable.
 Security Bulletin Replacement:  None
 Affected Software:  Network DLP 9.3.4.1 (and earlier)
 Location of Updated Software:  http://www.mcafee.com/us/downloads/downloads.aspx


Description

Typically, the Network DLP Management Console is deployed on a trusted network and will have access granted only on an as-needed basis. Data Loss Prevention tools are typically among an organization's most sensitive systems and should be restricted as such. Before updating the Network DLP software with the fixes, customers are advised to configure typical system and network access controls (see the Workaround section below).
 
When access to Network DLP is restricted appropriately, this vulnerability poses a reduced security risk because access should be restricted to trusted insiders.
 
Scenario 1:
The Network DLP user interface (UI) is accessed over HTTPS from the client's browser. The handshake takes place between the browser and Network DLP, where Network DLP acts as server.
 
Network DLP posts sensitive information such as an Incident Summary. An Incident Summary might contain very sensitive information (for example, a Social Security Number) and user details.
 
Without the hotfix installed, Network DLP runs on OpenSSL, which supports both SSLv2 and TLS. SSLv2 was disabled from the back end to prevent any SSL communications, but an administrator can enable it through misconfiguration. Network DLP then supports both SSLv2 and TLS as a server and is vulnerable, because sensitive information could be compromised.
 
Scenario 2:
McAfee Logon Collector (MLC) provides user information to Network DLP, and based on the user information, Network DLP fetches other user details from Active Directory. Whenever an incident is reported, Network DLP initiates communication to MLC to fetch user information, offering both SSLv2 and TLS. This communication might occur over the vulnerable SSLv2 protocol if MLC does not support TLS. After the hotfix is installed, as a best practice, Network DLP offers only TLS, so further communication occurs over a TLS connection; Network DLP does not support SSLv2 as either a server or a client.
 
CVE-2016-0800: Cross-protocol attack on TLS using SSLv2
This vulnerability affects HTTPS and other services that rely on SSLv2.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800
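
A check an administrator can run against their own Network DLP HTTPS listener (Scenario 1) to confirm it no longer answers an SSLv2 handshake. This is an added example, not code from the bulletin or from Intel Security; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

# The seven SSLv2 cipher kinds (3 bytes each) offered by the probe.
SSL2_CIPHERS = bytes.fromhex("010080 020080 030080 040080 050080 060040 0700c0")

def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO: 2-byte record header (high bit set), then the body."""
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_reply(reply: bytes) -> str:
    """Classify the first bytes a listener returns after the probe."""
    if not reply:
        return "closed"              # listener hung up: SSLv2 refused
    # TLS record: content type alert (0x15) or handshake (0x16), major version 3.
    if len(reply) >= 3 and reply[0] in (0x15, 0x16) and reply[1] == 0x03:
        return "tls-only"
    # SSLv2 record: message type 4 (SERVER-HELLO) carrying version 0x0002.
    if len(reply) >= 7 and reply[0] & 0x80 and reply[2] == 4 and reply[5:7] == b"\x00\x02":
        return "sslv2-accepted"
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Probe a listener you administer and report how it answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv2_client_hello())
            return classify_reply(sock.recv(4096))
    except (ConnectionResetError, socket.timeout):
        return "closed"

# Constructed sample replies (not captured traffic).
SAMPLE_SSLV2_SERVER_HELLO = bytes.fromhex("800b 04 00 01 0002 0000 0000 0000")
SAMPLE_TLS_ALERT = bytes.fromhex("15 0301 0002 02 46")  # fatal protocol_version

if __name__ == "__main__":
    for name, data in [("SSLv2 SERVER-HELLO", SAMPLE_SSLV2_SERVER_HELLO),
                       ("TLS alert", SAMPLE_TLS_ALERT), ("empty read", b"")]:
        print(f"{name:20} -> {classify_reply(data)}")
```

A result of `sslv2-accepted` from `probe()` means the listener still negotiates SSLv2; `unknown` deserves a manual look at the returned bytes.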
 
CWE-200 Information Leak / Disclosure
The intentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
http://cwe.mitre.org/data/definitions/200.html
 
CWE-310 Cryptographic Issues
Weaknesses in the use of cryptography.
http://cwe.mitre.org/data/definitions/310.html
 
Affected Components:
  • Network DLP Manager
  • Network DLP Monitor
  • Network DLP iPrevent
  • Network DLP iDiscover
The 4400 and 5500 platforms are vulnerable. The 1650 and 3650 platforms are not vulnerable.
 
NOTE: Data Loss Prevention Endpoint (DLP Endpoint) is not affected by this issue.

Remediation

These issues are resolved in Network DLP Hotfix 9.3.4.1.1 released on April 7, 2016 for the 4400 and 5500 platforms. The 1650 and 3650 platforms are not vulnerable.

Go to the Product Downloads site and download the applicable product hotfix file:
 
Product:  Network DLP
Type:  Hotfix
Version:  Hotfix 9.3.4.1.1
File Name:  hotfix_ 9.3.4.1.1.tar.gz
Release Date:  April 7, 2016

Download and Installation Instructions
See KB56057 for instructions on how to download Intel Security / McAfee products, documentation, security updates, patches, and hotfixes. Review the Release Notes and the Installation Guide, which you can download from the Documentation tab, for instructions on how to install these updates.

Workaround

Before upgrading to Network DLP 9.3.4.1.1, Intel Security strongly recommends that you configure system and network access controls according to the following best practices:
  • Change the default root password of the system to a strong, un-guessable password.
  • Place the Network DLP Management console only on a trusted network.
  • Only give accounts on Network DLP systems to personnel with a "need-to-know".
  • Place network restrictions such that only Network DLP Monitors can communicate with Network DLP Managers.
  • Use only a single network interface card (NIC) for inter-system communications.
  • Present management functions on only a single NIC. The management NIC should accept connections only from a trusted, restricted network.

Mitigations

No vulnerability detection signatures are available.

Acknowledgements

None.

Frequently Asked Questions (FAQs)

How do I know whether my Intel Security product is vulnerable or not?

For Endpoint products:
Use the following instructions for endpoint or client based products:
  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, select Action Menu.
  4. In the Action Menu, select Product Details. The product version is displayed.

For Appliances:
Use the following instructions for Appliance based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version is displayed.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

When calculating CVSS scores, Intel Security has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.
 
What are the CVSS scoring metrics that have been used?
 
CVE-2016-0800 – SSLv2, default negotiation, and weak ciphers
 
CVSS v3.0 Scoring:

 Base Score:  5.9
 Related exploit range (Access Vector):  Network Access
 Attack complexity (Access Complexity):  High
 Level of authentication needed (Authentication):  None
 Confidentiality impact:  High
 Integrity impact:  None
 Availability impact:  None

 Temporal Score (Overall):  5.5
 Availability of exploit (Exploitability):  Functional
 Type of fix available (Remediation Level):  Official fix
 Level of verification that vulnerability exists (Report Confidence):  Confirmed

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?name=CVE-2016-0800&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

This vulnerability is addressed by upgrading to OpenSSL-1.0.1s.

Where can I find a list of all security bulletins or how do I report a product vulnerability?
To find a list of all security bulletins, or if you have information about a security issue or vulnerability with an Intel Security product, please visit our product security website at: http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. Intel Security disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Intel Security or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if Intel Security or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
 
Any future product release dates mentioned in this security bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
