McAfee Security Bulletin: McAfee product updates fix vulnerabilities in OpenSSL that can allow an attacker to decrypt the traffic, corrupt the heap, and cause a denial of service
Security Bulletins ID:   SB10160
Last Modified:  1/16/2019

Summary

First Published: 6/7/2016
 
 Impact of Vulnerability:  Buffer Errors (CWE-119)
 Resource Management Errors (CWE-399)
 Numeric Errors (CWE-189)
 Information Leak / Disclosure (CWE-200)
 Cryptographic Issues (CWE-310)
CVE Information
CVE Number | Severity Rating | CVSS v3 Base / Temporal Scores | Affected Products
CVE-2016-2105 | Low | Base 2.6 / Temporal 2.3 | Threat Intelligence Exchange
CVE-2016-2105 | Medium | Base 7.5 / Temporal 7.2 | Network Security Manager; Network Threat Behavior Analysis
CVE-2016-2105 | Medium | Base 4.8 / Temporal 4.1 | Active Response
CVE-2016-2106 | Low | Base 2.6 / Temporal 2.3 | Threat Intelligence Exchange
CVE-2016-2106 | Medium | Base 7.5 / Temporal 7.2 | Network Security Manager; Network Security Platform; Network Threat Behavior Analysis
CVE-2016-2106 | Low | Base 3.7 / Temporal 3.3 | McAfee Vulnerability Manager; Network Data Loss Prevention
CVE-2016-2106 | Low | Base 3.4 / Temporal 3.0 | McAfee GTI Cloud Server
CVE-2016-2106 | Medium | Base 4.8 / Temporal 4.1 | Active Response
CVE-2016-2107 | Low | Base 3.1 / Temporal 2.7 | Threat Intelligence Exchange
CVE-2016-2107 | Medium | Base 5.9 / Temporal 5.7 | Network Security Manager; Network Security Platform; Network Threat Behavior Analysis
CVE-2016-2107 | Medium | Base 4.8 / Temporal 4.1 | Active Response; McAfee Vulnerability Manager; Network Data Loss Prevention
CVE-2016-2107 | Medium | Base 4.8 / Temporal 4.3 | McAfee GTI Cloud Server
CVE-2016-2108 | Medium | Base 4.8 / Temporal 4.1 | Active Response
CVE-2016-2109 | Low | Base 3.1 / Temporal 2.7 | Threat Intelligence Exchange
CVE-2016-2109 | Medium | Base 7.5 / Temporal 7.2 | Network Security Manager; Network Threat Behavior Analysis
CVE-2016-2109 | Medium | Base 4.8 / Temporal 4.1 | Active Response
CVE-2016-2176 | High | Base 8.2 / Temporal 7.8 | Network Security Manager; Network Threat Behavior Analysis
CVE-2016-2176 | Medium | Base 4.8 / Temporal 4.1 | Active Response
 Recommendations: See Product Specific Notes for recommendations.
 Security Bulletin Replacement:  None   
 Affected Software:  See the McAfee Product Vulnerability Status lists below
 Location of Updated Software:  http://www.mcafee.com/us/downloads/downloads.aspx

Description

The following issues affect all versions of software released prior to the versions listed in the Remediation table:
  • CVE-2016-2105
    This vulnerability allows a remote attacker to corrupt the heap when the attacker passes a very large amount of input data.

    "An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption."

    CVE-2016-2105
    EVP_EncodeUpdate overflow
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2105

    CWE-189
    Weaknesses in this category are related to improper calculation or conversion of numbers.
    http://cwe.mitre.org/data/definitions/189.html
     
  • CVE-2016-2106
    An integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

    "An overflow can occur in the EVP_EncryptUpdate() function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. Following an analysis of all OpenSSL internal usage of the EVP_EncryptUpdate() function all usage is one of two forms."

    CVE-2016-2106
    EVP_EncodeUpdate overflow
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2106

    CWE-189
    Weaknesses in this category are related to improper calculation or conversion of numbers.
    http://cwe.mitre.org/data/definitions/189.html
     
  • CVE-2016-2107
    This vulnerability allows a remote attacker to decrypt the traffic when the connection uses the AES CBC Cipher.

    "A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI."

    CVE-2016-2107
    Padding oracle in AES-NI CBC MAC check
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2107

    CWE-200
    An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
    http://cwe.mitre.org/data/definitions/200.html

    CWE-310
    Weaknesses in this category are related to the use of cryptography.
    http://cwe.mitre.org/data/definitions/310.html
     
  • CVE-2016-2108
    This vulnerability allows remote attackers to execute arbitrary code or cause a denial of service.

    CVE-2016-2108
    Buffer underflow and memory corruption.
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2108

    CWE-119
    Improper Restriction of Operations within the Bounds of a Memory Buffer
    http://cwe.mitre.org/data/definitions/119.html
     
  • CVE-2016-2109
    The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

    "When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can cause allocation of large amounts of memory potentially consuming excessive resources or exhausting memory."

    CVE-2016-2109
    ASN.1 BIO excessive memory allocation
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2109

    CWE-399
    Weaknesses in this category are related to improper management of system resources.
    http://cwe.mitre.org/data/definitions/399.html
     
  • CVE-2016-2176
    This vulnerability allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) using crafted EBCDIC ASN.1 data.

    "ASN1 Strings that are over 1024 bytes can cause an overread in applications using the X509_NAME_oneline() function on EBCDIC systems. This could result in arbitrary stack data being returned in the buffer."

    CVE-2016-2176
    EBCDIC overread
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2176

    CWE-119
    The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
    http://cwe.mitre.org/data/definitions/119.htm
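
The length-check overflow quoted above for CVE-2016-2105 and CVE-2016-2106, as an added example that is not OpenSSL's or McAfee's code: a constructed staging buffer compares an addition-based check with a subtraction-based one when the incoming length is near INT_MAX and partial data is already buffered. The names `stage_ctx`, `STAGE_LEN`, `naive_check_passes`, `safe_check_passes` and `stage_input` are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define STAGE_LEN 48            /* constructed capacity of the staging buffer */

struct stage_ctx {
    unsigned char buf[STAGE_LEN];
    int num;                    /* bytes already buffered from earlier calls */
};

/* "Before" shape of the check: buffered + incoming < capacity.
 * Signed overflow is undefined in C, so the wrap is modelled explicitly
 * with unsigned arithmetic to show the result on a two's-complement target. */
static int naive_check_passes(int num, int inl)
{
    int sum = (int)((unsigned)num + (unsigned)inl);
    return sum < STAGE_LEN;
}

/* Hardened shape: compare the incoming length against the remaining room.
 * 0 <= num < STAGE_LEN is an invariant, so the subtraction cannot overflow. */
static int safe_check_passes(int num, int inl)
{
    return inl >= 0 && STAGE_LEN - num > inl;
}

/* Buffer `inl` bytes if they fit. Returns 1 if staged, 0 if the caller must
 * take the full-block path instead, -1 on a negative length. */
static int stage_input(struct stage_ctx *c, const unsigned char *in, int inl)
{
    if (inl < 0)
        return -1;
    if (!safe_check_passes(c->num, inl))
        return 0;
    memcpy(c->buf + c->num, in, (size_t)inl);
    c->num += inl;
    return 1;
}

int main(void)
{
    struct stage_ctx c = { {0}, 0 };
    stage_input(&c, (const unsigned char *)"x", 1);   /* partial data: num = 1 */
    printf("naive, inl=INT_MAX: %d (would copy INT_MAX bytes into %d)\n",
           naive_check_passes(c.num, INT_MAX), STAGE_LEN);
    printf("safe,  inl=INT_MAX: %d\n", safe_check_passes(c.num, INT_MAX));
    printf("safe,  inl=10:      %d\n", safe_check_passes(c.num, 10));
    return 0;
}
```

The addition-based check reports that the oversized input fits because the sum wraps negative; the subtraction-based check rejects it.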
 
McAfee Product Vulnerability Status

Investigation into all McAfee products is ongoing. This security bulletin will be updated as additional information is available. Products not on these lists are being investigated.
 
Vulnerable and Updated
  1. Active Response (MAR)
  2. Network Security Platform (NSP) Sensor
  3. McAfee GTI Cloud Server (GTI)
  4. Network Data Loss Prevention (NDLP)
 
Vulnerable and Not Yet Updated
  1. Advanced Threat Defense (ATD)
  2. Data Exchange Layer Framework (DXL)
  3. McAfee Vulnerability Manager (MVM)
  4. McAfee Web Gateway (MWG)
  5. Network Security Manager (NSM)
  6. Network Threat Behavior Analysis (NTBA)
  7. Threat Intelligence Exchange (TIE)
For a description of each product, see: http://www.mcafee.com/us/apps/products-az.aspx.

Remediation

Go to the Product Downloads site and download the applicable product patch/hotfix files:
 
Product | Type | Version with fix (or use a later version) | Release Date (check the Product Downloads site or contact Technical Support for availability)
McAfee GTI Cloud Server | | 5.0.2 | June 6, 2016
MAR 1.1.0 | Hotfix | 1.1.0.185 | May 18, 2016
NDLP (4400 and 5500 platforms) | Hotfix | 9.3.4.1.2 | July 7, 2016
Network Security Manager Software | Hotfix | 8.1.7.82.1; 8.1.19.15.13 | July 13, 2016; July 18, 2016
NS-series: 8.1 | Hotfix | 8.1.5.177 | May 27, 2016
NS-series: 8.1 FIPS | Hotfix | 8.1.17.27 | August 16, 2016
NS-series: 8.2 | Hotfix | 8.2.5.x | Upgrade to 8.3 for Compliance
NS-series: 8.3 | Maintenance Release | 8.3.5.11 (NS-9x00, NS-7x00); 8.3.5.15 (NS5x00, NS3x00) | June 14, 2016; August 1, 2016
M-series: 8.1 | Hotfix | 8.1.3.102 | June 23, 2016
M-series: 8.1 FIPS | Hotfix | 8.1.15.x | Expected September 2016
M-series: 8.2 | Hotfix | 8.2.3.x | Upgrade to 8.3 for Compliance
M-series: 8.3 | Maintenance | 8.3.3.9 | June 14, 2016
VM-series: 8.1 | Hotfix | 8.1.7.38 | August 11, 2016
VM-series: 8.2 | Hotfix | 8.2.7.x | Upgrade to 8.3 for Compliance
VM-series: 8.3 | Maintenance | 8.3.7.6 | June 14, 2016
NTBA 8.1 | Hotfix | 8.1.3.22 | July 28, 2016
NTBA 8.2 | Hotfix | 8.2.7.45 | June 14, 2016
NTBA 8.3 | Hotfix | 8.3.3.51 | June 30, 2016
TIE | Release | 1.4.0 | Expected September 2016

Download and Installation Instructions
See KB56057 for instructions on how to download McAfee products, documentation, security updates, patches, and hotfixes. Review the Release Notes and the Installation Guide, which you can download from the Documentation tab, for instructions on how to install these updates.

Product Specific Notes

Active Response
You can download Active Response Hotfix 1.1.0.185 using the ePO Software Manager or from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

For more information, see PD26507 - Active Response Hotfix 1.1.0.185 Release Notes.

McAfee GTI Cloud Server
The update for GTI Cloud Server 5.0.2 includes an update to OpenSSL 1.0.2h.  No client side remediation is necessary because this is a server side update only.

NDLP
The affected versions are NDLP 9.3.4.1.1 and earlier.

Network Security Platform
Install or update to the Network Security Platform software versions listed in the Remediation table. Fixes are provided only for the 8.1, 8.2, and 8.3 releases.

Network Security Manager
Install or update to Network Security Manager software version 8.1.7.82.1 [non-FIPS image]. The 8.1.19.x [FIPS image] is expected in June 2016. Network Security Manager versions 8.2 and 8.3 are not impacted.

Network Threat Behavior Analysis
Install or update to the Network Threat Behavior Analysis software versions listed in the Remediation table. Fixes are provided only for the 8.1, 8.2, and 8.3 releases.

Threat Intelligence Exchange
Install or update to Threat Intelligence Exchange Server 1.4.0 or later.

Workaround

None. Install the platform specific hotfix/Maintenance Release software updates.

Mitigations

None. Install the platform specific hotfix/Maintenance Release software updates.

Frequently Asked Questions (FAQs)

How do I know whether my McAfee product is vulnerable or not?

For Endpoint products:
Use the following instructions for endpoint or client based products:
  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, select Action Menu.
  4. In the Action Menu, select Product Details. The product version is displayed.
For Appliances:
Use the following instructions for Appliance-based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version is displayed.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

When calculating CVSS scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.

What are the CVSS scoring metrics that have been used?
 
CVE-2016-2105: EVP_EncodeUpdate overflow
 
 Base Score 7.5
 Attack Vector (AV) Network (N)
 Attack Complexity (AC) Low (L)
 Privileges Required (PR) None (N)
 User Interaction (UI) None (N)
 Scope (S) Unchanged (U)
Confidentiality (C) None (N)
Integrity (I) None (N)
Availability (A) High (H)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 
CVE-2016-2106: EVP_EncodeUpdate overflow
 
 Base Score 7.5
 Attack Vector (AV) Network (N)
 Attack Complexity (AC) Low (L)
 Privileges Required (PR) None (N)
 User Interaction (UI) None (N)
 Scope (S) Unchanged (U)
Confidentiality (C) None (N)
Integrity (I) None (N)
Availability (A) High (H)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 
CVE-2016-2107: Padding oracle in AES-NI CBC MAC check vulnerability 
 
 Base Score 5.9
 Attack Vector (AV) Network (N)
 Attack Complexity (AC) High (H)
 Privileges Required (PR) None (N)
 User Interaction (UI) None (N)
 Scope (S) Unchanged (U)
Confidentiality (C) High (H)
Integrity (I) None (N)
Availability (A) None (N)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
 
CVE-2016-2108: Allows remote attackers to execute arbitrary code or cause a denial of service 
 
 Base Score 4.8
 Attack Vector (AV) Network (N)
 Attack Complexity (AC) High (H)
 Privileges Required (PR) None (N)
 User Interaction (UI) None (N)
 Scope (S) Unchanged (U)
Confidentiality (C) High (H)
Integrity (I) None (N)
Availability (A) None (N)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 
CVE-2016-2109: ASN.1 BIO excessive memory allocation
 
 Base Score 7.5
 Attack Vector (AV) Network (N)
 Attack Complexity (AC) Low (L)
 Privileges Required (PR) None (N)
 User Interaction (UI) None (N)
 Scope (S) Unchanged (U)
Confidentiality (C) None (N)
Integrity (I) None (N)
Availability (A) High (H)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 
CVE-2016-2176: EBCDIC overread
 
 Base Score 8.2
 Attack Vector (AV) Network (N)
 Attack Complexity (AC) Low (L)
 Privileges Required (PR) None (N)
 User Interaction (UI) None (N)
 Scope (S) Unchanged (U)
Confidentiality (C) Low (L)
Integrity (I) None (N)
Availability (A) High (H)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
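
To recompute the base scores listed above from their vector strings, the following added example (not McAfee's code) implements the CVSS v3.0 base-score equations with the metric weights from the FIRST specification. The function names `metric`, `nlh` and `cvss3_base_tenths` are hypothetical; the score is returned in tenths so it can be compared exactly.

```c
#include <stdio.h>
#include <string.h>

/* Value letter of metric `key` in a CVSS v3 vector string, or 0 if absent. */
static char metric(const char *vec, const char *key)
{
    char pat[16];
    snprintf(pat, sizeof pat, "/%s:", key);
    const char *p = strstr(vec, pat);
    return p ? p[strlen(pat)] : 0;
}

/* Weight for a None/Low/High metric value; -1 marks an invalid letter. */
static double nlh(char m, double n, double l, double h)
{
    return m == 'N' ? n : m == 'L' ? l : m == 'H' ? h : -1.0;
}

/* CVSS v3.0 base score in tenths (75 means 7.5); -1 for a malformed vector. */
int cvss3_base_tenths(const char *vec)
{
    char av = metric(vec, "AV"), ui = metric(vec, "UI"), s = metric(vec, "S");
    int k, changed = (s == 'C');
    double w_av = av == 'N' ? 0.85 : av == 'A' ? 0.62 : av == 'L' ? 0.55 : av == 'P' ? 0.2 : -1.0;
    double w_ac = nlh(metric(vec, "AC"), -1.0, 0.77, 0.44);
    double w_pr = nlh(metric(vec, "PR"), 0.85, changed ? 0.68 : 0.62, changed ? 0.5 : 0.27);
    double w_ui = ui == 'N' ? 0.85 : ui == 'R' ? 0.62 : -1.0;
    double c = nlh(metric(vec, "C"), 0.0, 0.22, 0.56);
    double i = nlh(metric(vec, "I"), 0.0, 0.22, 0.56);
    double a = nlh(metric(vec, "A"), 0.0, 0.22, 0.56);
    double iss, impact, total, p15 = 1.0;
    long scaled;
    if (w_av < 0 || w_ac < 0 || w_pr < 0 || w_ui < 0 || c < 0 || i < 0 || a < 0
        || (s != 'U' && s != 'C'))
        return -1;
    iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    for (k = 0; k < 15; k++)
        p15 *= iss - 0.02;                    /* (ISS - 0.02)^15, scope-changed term */
    impact = changed ? 7.52 * (iss - 0.029) - 3.25 * p15 : 6.42 * iss;
    if (impact <= 0.0)
        return 0;
    total = (changed ? 1.08 : 1.0) * (impact + 8.22 * w_av * w_ac * w_pr * w_ui);
    if (total > 10.0) total = 10.0;
    /* Round up to one decimal on a scaled integer to avoid float drift. */
    scaled = (long)(total * 100000.0 + 0.5);
    return (int)(scaled / 10000 + (scaled % 10000 != 0));
}

int main(void)
{
    const char *v = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"; /* from the bulletin */
    printf("%s -> %d tenths\n", v, cvss3_base_tenths(v));
    return 0;
}
```

For CVE-2016-2108, the vector string (C:L/I:L/A:N) reproduces the stated 4.8; the metric rows listing Confidentiality High and Integrity None would score 5.9.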
 
Where can I find a list of all security bulletins or how do I report a product vulnerability?
To find a list of all security bulletins, or if you have information about a security issue or vulnerability with a McAfee product, please visit our product security website at: http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx.

Resources

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
 
Any future product release dates mentioned in this security bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
