Last Modified: 1/16/2019
Summary
Who Should Read This Document: | Technical and Security Personnel |
Impact of Vulnerability: | Cryptographic issues (CWE-310) |
CVE Number: | CVE-2014-3566 |
US CERT Number: | OpenSSL Security Advisory 20141015; Microsoft Security Advisory 3009008; Red Hat Article 1232123 |
Severity Rating: | Medium |
Base / Overall CVSS Score: | 4.3/3.7 |
Recommendations: | Deploy the remediation signatures/rules first. Update product patches/hotfixes. |
Security Bulletin Replacement: | Related to SB10091 |
Caveats: | None |
Affected Software: | See the McAfee Product Vulnerability Status lists below. |
Location of Updated Software: | http://www.mcafee.com/us/downloads/downloads.aspx |
- Vulnerability Description
- McAfee Product Vulnerability Status
- Remediation
- Product Specific Notes
- Workaround
- McAfee Mitigations
- Acknowledgements
- Contacting Support
- Frequently Asked Questions (FAQs)
- Resources
- Disclaimer
Description
This vulnerability is not specific to OpenSSL. It is a flaw in the SSL 3.0 protocol itself, in the way it pads data for CBC-mode ciphers. An attacker must first obtain a man-in-the-middle position on the connection before the weakness can be used to break into a closed system.
See SB10091 for information on three SSLv3 vulnerabilities released at the same time as POODLE.
OpenSSL Security Advisory
https://www.openssl.org/news/secadv_20141015.txt
CVE-2014-3566 - SSL 3.0 Fallback protection (POODLE)
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
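The following is an added illustration, not code from the bulletin, OpenSSL or any McAfee product: it places the SSL 3.0 CBC padding rule next to the TLS 1.0 rule to show what "nondeterministic CBC padding" means in practice. The block size, the placeholder MAC and the sample records are constructed for the demonstration.

```python
# Added example (not from the McAfee bulletin): the SSL 3.0 CBC padding rule beside the
# TLS 1.0 rule. Both protocols lay a record out as data || MAC || padding || padding_length,
# but SSL 3.0 only inspects the final length byte, so the padding bytes themselves can hold
# anything and the receiver still accepts the record. TLS 1.0 and later reject that.
BLOCK = 8   # assumed block size of a 64-bit block cipher such as 3DES; AES would use 16

def ssl3_padding_ok(decrypted: bytes) -> bool:
    """SSL 3.0: padding_length must be < block size and fit in the record; padding bytes are ignored."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len < BLOCK and pad_len + 1 <= len(decrypted)

def tls_padding_ok(decrypted: bytes) -> bool:
    """TLS 1.0 and later: every padding byte must equal padding_length."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if pad_len + 1 > len(decrypted):
        return False
    return all(b == pad_len for b in decrypted[-(pad_len + 1):-1])

def unpad(decrypted: bytes, check) -> bytes:
    """Strip padding under the given rule; a rejected record raises like a bad_record_mac alert."""
    if not check(decrypted):
        raise ValueError("bad_record_mac")
    return decrypted[:-(decrypted[-1] + 1)]

# Constructed plaintext: 16 bytes of data, a 16-byte placeholder MAC, then one full
# block of padding (seven padding bytes plus the length byte 0x07).
DATA = b"GET / HTTP/1.0\r\n"
FAKE_MAC = bytes(16)
GOOD = DATA + FAKE_MAC + bytes([7] * 7) + bytes([7])
# The same record with the seven padding bytes replaced by arbitrary values.
GARBLED = GOOD[:-8] + b"\xde\xad\xbe\xef\x00\x11\x22" + bytes([7])

def accepted(decrypted: bytes) -> dict:
    """Report which protocol's rule accepts the record."""
    return {"ssl3": ssl3_padding_ok(decrypted), "tls": tls_padding_ok(decrypted)}

if __name__ == "__main__":
    print(accepted(GOOD))     # {'ssl3': True, 'tls': True}
    print(accepted(GARBLED))  # {'ssl3': True, 'tls': False}
```

Because SSL 3.0 accepts GARBLED exactly as it accepts GOOD, a receiver's accept/reject behaviour depends only on the last byte of the block, which is the property that makes the padding-oracle attack possible and why disabling SSL 3.0 is the fix.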
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf
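To make the downgrade-protection mechanism concrete, here is an added model (not the bulletin's, OpenSSL's or any browser's code) of the browser-style version fallback that POODLE relies on, and of how a server that understands TLS_FALLBACK_SCSV refuses the downgraded retry. The attacker is modelled as a function that decides which handshake attempts to break; version and suite values are the standard ones.

```python
# Added example (not from the McAfee bulletin): protocol fallback with and without
# TLS_FALLBACK_SCSV (RFC 7507, value 0x5600). A MITM is modelled as a function that
# "drops" handshake attempts above a chosen version; the client then retries lower.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600          # signalling suite; never selectable as a cipher
AES128_SHA = 0x002F                 # TLS_RSA_WITH_AES_128_CBC_SHA, an ordinary suite
FALLBACK_ORDER = [TLS12, TLS11, TLS10, SSL3]

def server_hello(server_max, client_max, cipher_suites):
    """Server side: pick the version, or abort with inappropriate_fallback when the
    client signals a fallback although the server supports something higher."""
    if TLS_FALLBACK_SCSV in cipher_suites and server_max > client_max:
        raise ValueError("inappropriate_fallback")
    return min(server_max, client_max)

def connect(server_max, mitm_drops=lambda version: False, send_scsv=True):
    """Client side: each failed handshake is retried one version lower; retries carry
    the SCSV when send_scsv is set. Returns the negotiated version, or the alert name."""
    for attempt, version in enumerate(FALLBACK_ORDER):
        suites = [AES128_SHA]
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        if mitm_drops(version):
            continue                 # handshake "failed": client retries one version lower
        try:
            return server_hello(server_max, version, suites)
        except ValueError as alert:
            return str(alert)
    return "handshake_failure"

# Constructed scenario: an attacker who breaks every handshake above SSL 3.0.
poodle_mitm = lambda version: version > SSL3

if __name__ == "__main__":
    print(hex(connect(TLS12)))                                # 0x303: no attacker
    print(hex(connect(TLS12, poodle_mitm, send_scsv=False)))  # 0x300: downgraded to SSL 3.0
    print(connect(TLS12, poodle_mitm))                        # inappropriate_fallback
    print(hex(connect(SSL3, poodle_mitm)))                    # 0x300: SSL3-only server unaffected
```

The last case shows why the SCSV is safe to deploy: a server that genuinely supports nothing above SSL 3.0 still completes the handshake, while an updated server detects that the retry was forced.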
Common Weakness ID
CWE-310
Cryptographic issues
Detecting Vulnerability
You can use the script below, adapted from Red Hat, to manually check whether a server still accepts SSLv3 (replace XXXXXXX with the host to test). It attempts an SSLv3-only handshake and reports "enabled" only if a real cipher (not 0000) was negotiated:
export hostname=XXXXXXX
if echo Q | openssl s_client -connect "${hostname}:443" -ssl3 2> /dev/null | grep -q "Cipher *: [^0]"; then echo "SSLv3 enabled"; else echo "SSLv3 disabled"; fi
Operating System Vendor Advisories
Microsoft Security Advisory 3009008
https://technet.microsoft.com/en-us/library/security/3009008.aspx
Red Hat Advisory
POODLE: SSLv3 vulnerability (CVE-2014-3566)
https://access.redhat.com/articles/1232123
Additional Information
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
Threat Post Article - New POODLE SSL 3.0 Attack Exploits Protocol Fallback Issue:
https://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844#sthash.cUN3YahS.dpuf
The Register - Early Warning:
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
McAfee Product Vulnerability Status
The distinction between vulnerable hosts and truly exposed hosts matters with this issue. Products that are vulnerable but have minimal or no exposure are in the Vulnerable but Low Risk list below. Justifications for being in this list are explained in the Product Specific Notes section below.
Vulnerable and Updated
- Content Security Reporter (CSR)
- Database Activity Monitoring (DAM)
- Database Vulnerability Manager (DVM)
- ePolicy Orchestrator (ePO)
- Email and Web Security (EWS)
- GTI Proxy 2.0
- McAfee Email Gateway (MEG)
- McAfee Vulnerability Manager (MVM)
- McAfee Web Gateway (MWG)
- Network Security Manager (NSM)
- SaaS Account Management (SaaS AM)
- SaaS Email Archiving (SaaS Archiving)
- SaaS Email Protection and Continuity (SaaS Email)
- SaaS Web Protection (SaaS Web)
- VirusScan Enterprise Linux (VSEL)
- Global Threat Intelligence (GTI) / GTI Cloud Server (CS) / Artemis
- McAfee Quarantine Manager (MQM)
- McAfee Real Time Command (RTC)
- McAfee Real Time for ePO (RTE)
- McAfee Security for App Store - Cloud (MSAS)
- Mobile Cloud (MC)
- Network Data Loss Prevention (NDLP)
- McAfee Asset Manager (MAM)
Not Vulnerable
- Advanced Threat Defense (ATD)
- Boot Attestation Service (BAS) / Open Virtual Appliance (OVA)
- Drive Encryption (DE)
- Endpoint Intelligence Agent (EIA)
- Endpoint Protection for Mac (EPM)
- Endpoint Encryption for Files and Folders (EEFF)
- Endpoint Encryption for Removable Media (EERM)
- Endpoint Encryption for PCs (EEPC)
- Endpoint Encryption Manager (EEM)
- File and Removable Media Protection (FRP)
- McAfee Agent (MA) / Common Management Agent (CMA)
- McAfee MOVE AntiVirus Security Virtual Appliance (MOVE SVA)
- McAfee MOVE AntiVirus Security Virtual Appliance Manager (MOVE SVA Manager)
- McAfee MOVE Firewall (MOVE Firewall)
- Network Security Platform (NSP) Sensor
- Network Threat Behavior Analysis (NTBA)
- VirusScan for Mac (VSMac)
- Trusted Source Software Development Kit (TS-SDK)
Remediation
Product | Type | Patch Version | File Name | Release Date |
CSR | Hotfix | 2.1.0 build 291 | Content Security Reporter 2.1.0 (build 291) | November 4, 2014 |
DAM | Config | N/A | See the configuration settings in the Product Specific Notes section below. | October 22, 2014 |
DVM | Config | N/A | See the configuration settings in the Product Specific Notes section below. | October 22, 2014 |
ePO | Config | 5.x | See the configuration settings in the Product Specific Notes section below. | November 14, 2014 |
EWS | Hotfix | 5.6 | EWS-5.6h1014814-2964.109 | |
GTI Proxy 2.0 | Cloud Update | | MLOS Update for GTI Proxy 2.0 | November 24, 2014 |
MEG | Version Update | 7.6.x, 7.5.x, 7.0.x | MEG-7.6.2h1014803-3044.120 or MEG-7.6.3RTW1-3173.100; MEG-7.5.4h1014806-3088.113; MEG-7.0.5h1014812-2934.114 | November 3, 2014 |
MVM | Version Update | 7.5.8 | | February 9, 2015 |
MWG | Patch | 7.3.x, 7.4.x, 7.5.x | MWG 7.3.2.12 Build 18436; MWG 7.4.2.4 Build 18437; MWG 7.5.0.1 Build 18435 | October 29, 2014 |
NSM | Hotfix | 7.1.5.15.5, 7.5.5.10.8, 8.1.7.13, 8.2.7.5 | | November 26, 2014 |
VSEL | Hotfix | 1.7.1 | HF1017268 | November 17, 2014 |
VSEL | Hotfix | 1.9.0 | HF1017264 | November 17, 2014 |
VSEL | Hotfix | 2.0.1 | HF1017258 | November 17, 2014 |
- CSR
CSR is vulnerable to POODLE. By default, SSLv2 and SSLv3 are enabled on the underlying JBoss application server. Various client components are vulnerable as well.
A hotfix has been released to fix POODLE. See KB83301.
- DAM / DVM
Both DAM and DVM are vulnerable. To mitigate this vulnerability, see KB83282.
- ePO
ePO 5.0.1 and later can be vulnerable if they were upgraded from ePO 4.x, because a Java security setting introduced in ePO 5.0.1 is not migrated during the upgrade. You can mitigate the vulnerability on ePO 5.0.1 and later by applying the following mitigation steps. ePO 5.1.2 and later apply the appropriate Java security setting by default.
Mitigation:
See KB83240 for details on what manual steps are needed to protect ePO 5.0.1 and later servers against SSLv3 POODLE attacks.
- EWS
EWS 5.6 is vulnerable. A patch is available for download.
- GTI Cloud / TS-SDK
GTI Cloud and the TS SDK are both vulnerable. They will be patched after the MWG product is patched.
McAfee GTI Proxy 2.0 provides an SSH interface for administration. The OpenSSL associated with SSH is susceptible to CVE-2014-3566 (POODLE). OpenSSL enabled communication channels for GTI File Reputations (through DTLS channels) are not susceptible to CVE-2014-3566 (POODLE). An appliance operating system update is available.
- MAM
MAM 6.6 is vulnerable to POODLE. MAM uses Debian Linux. Debian has not yet patched CVE-2014-3566. See https://security-tracker.debian.org/tracker/CVE-2014-3566.
- MEG
- MEG 7.0 is vulnerable. McAfee is investigating a workaround.
- MEG 7.5 and MEG 7.6 are configured to use SSL 3.0 by default. Customers can change the configuration value to disable SSLv3.
- Patches for MEG 7.3.x, 7.4.x, and 7.5.x are available for download.
- MEG 7.6.3 has been fully released. It contains a fix for the POODLE vulnerability. For a full list of changes and upgrade instructions, see the Release Notes in PD25527. For a list of known issues, see KB81276.
- Mobile Cloud
The Mobile Cloud web services SSL/TLS connections are terminated at the load balancers (F5). MC is vulnerable to CVE-2014-3566. In addition, SSLv3 is currently enabled on the load balancers.
- MQM
MQM uses OpenSSL to secure SMTP connections to a remote SMTP server when delivering reports and is therefore vulnerable. v7.0.1 rollup-1 is vulnerable to CVE-2014-3566.
- MSAS
The MSAS web services SSL/TLS connections are terminated at the load balancers (F5). MSAS is vulnerable to CVE-2014-3566. In addition, SSLv3 is currently enabled on the load balancers.
- MVM
MVM is vulnerable to POODLE. By default, SSLv2 and SSLv3 are enabled on MVM Enterprise Manager. A fix is available in MVM 7.5.8.
- MWG
Some components are vulnerable to POODLE. Patches are available for download.
- NDLP
NDLP is vulnerable to POODLE. A fix is being developed.
- NSM
NSM was found vulnerable and is remediated with a hotfix. NSM's OpenSSL library was upgraded to 0.9.8zc (NSM 6.x) and 1.0.1j (NSM 7.x/8.x).
- SIEM
SIEM’s default HTTPS configuration does NOT support SSL 3.0, so CVE-2014-3566 (POODLE) does not apply to SIEM versions 9.1.4, 9.2.2, 9.3.2, or 9.4.x.
- VSEL
VSEL is vulnerable to POODLE. Hotfixes are available for download.
- Launch Internet Explorer.
- Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
- Provide your valid McAfee Grant Number. *
- Click your product suite.
- Click the applicable product and click I Agree.
- Click the Patches tab and click the link to download the product .ZIP file under the Product column.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.
For instructions on how to install / upgrade these hotfixes / patches, please review the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the same steps above.
Workaround
In addition to patching products, McAfee recommends that customers disable SSL 3.0 by default. Disabling SSL 3.0 may cause compatibility and availability issues with peers that support nothing newer, so you must weigh security against availability when deciding whether to keep this weak and obsolete protocol enabled.
Action can be taken on endpoint computers by reconfiguring the browser to disable SSL 3.0.
How to Disable SSL 3.0 in Microsoft Internet Explorer:
All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability.
Microsoft Security Advisory 3009008
https://technet.microsoft.com/en-us/library/security/3009008.aspx
How to Disable SSL 3.0 in Google Chrome:
Chrome users can disable SSLv3 by using the command line flag --ssl-version-min=tls1. (Chrome used to have an entry in the preferences for that, but users thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.)
Mitigations
Several McAfee products have signatures to detect or help mitigate this vulnerability. These include:
- AV - AntiVirus
- Includes all McAfee AntiVirus products, including VSE, McAfee AntiVirus Plus, and MWG.
- 7573 DAT – Detects all payload samples seen from exploit of the Bash vulnerability
- Samples are detected as "Linux/Dingle"
- MVM – McAfee Vulnerability Manager
- FSL 17281 - SSLv3 Information Disclosure Vulnerability
- http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_11_06_2014.pdf
- http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_10_15_2014.pdf
- MWG – McAfee Web Gateway
- Protect against POODLE without manually disabling SSL 3.0 on all browsers, using the McAfee Web Gateway
- http://blogs.mcafee.com/business/protect-users-against-poodle
- https://community.mcafee.com/docs/DOC-6559
- NSP – Network Security Platform
- Download network detection signatures from within NSM, or from the Product Downloads site: http://www.mcafee.com/us/downloads/downloads.aspx.
- An Emergency Updated Detection Signature (UDS) for CVE-2014-3566 – POODLE will be released by October 16, 2014.
- UDS 7.6.41.5 – Legacy version
- UDS 8.6.41.5 – Current version
- SIEM – Security Information and Event Management
- Eight signature detection rules for the NitroGuard IPS / NitroSecurity IPS / McAfee NTP are available for download via the SIEM rule server
- Signatures:
- Two (2) for options in DHCP ACK messages
- Six (6) for web traffic, examining URIs, HTTP headers, cookies, bodies, and the HTTP Version number
Download the latest content for each and enable the checks if they are not enabled by default.
Acknowledgements
These vulnerabilities were first disclosed by the OpenSSL Project in a security advisory on October 15, 2014. See https://www.openssl.org/news/secadv_20141015.txt.
Support
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport
Frequently Asked Questions (FAQs)
See the Product Specific Notes section above.
McAfee recommends that all customers verify that they have applied the latest updates.
Does this vulnerability affect McAfee enterprise products?
Yes. Several enterprise products are vulnerable. No consumer products are vulnerable.
How do I know if my McAfee product is vulnerable or not?
For Endpoint products:
Use the following instructions for endpoint or client based products:
- Right-click on the McAfee tray shield icon on the Windows task bar.
- Select Open Console.
- In the console, select Action Menu.
- In the Action Menu, select Product Details. The product version is displayed.
For ePO / Server products:
Use the following instructions for server based products:
- Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
- Or, create a query in ePO for the product version of the product installed within your organization.
For Appliances:
Use the following instructions for Appliance based products:
- Open the Administrator's User Interface (UI).
- Click the About link. The product version is displayed.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.
What are the CVSS scoring metrics that have been used?
Base Score | 4.3 |
Related exploit range (AccessVector) | Network |
Attack complexity (AccessComplexity) | Medium |
Level of authentication needed (Authentication) | None |
Confidentiality impact | Partial |
Integrity impact | None |
Availability impact | None |
Temporal Score | 3.7 |
Availability of exploit (Exploitability) | Unproven that exploit exists |
Type of fix available (RemediationLevel) | Temporary fix |
Level of verification that vulnerability exists (ReportConfidence) | Confirmed |
NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:T/RC:C)
McAfee will be releasing several product updates to address this security flaw.
Where do I download the fix?
You can download the fix from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download.
How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan.
Resources
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
For patents protecting this product, see your product documentation.
Disclaimer
Affected Products
Content Security Reporter 1.x - 2.x
Database Activity Monitoring 4.4.x (EOL)
Email Gateway 7.6
Known Issue/Product Defect
McAfee Quarantine Manager 7.x
Network Security Manager 8.1.x
VirusScan Enterprise for Linux 2.0.x
Vulnerability Manager Appliances (All models)
Vulnerability Manager for Databases 4.4.x (EOL)
Vulnerability Response