Is MWG affected (or do I need to open an SR to get an answer)?
https://www.openssl.org/news/secadv_20140605.txt
Hi All,
This is addressed in 7.3.2.10 and 7.4.2.1. Both are available for download now.
Web Gateway 7.3.2.10 build 17592 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD25231
Web Gateway 7.4.2.1 build 17593 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD25232
For other McAfee Products check out the general Security Bulletin:
McAfee Security Bulletin – Seven OpenSSL vulnerabilities patched in McAfee products - https://kc.mcafee.com/corporate/index?page=content&id=SB10075
Best!
Jon
The version I have running in my lab (7.3.2.9.0) is running openssl version 1.0.1e, which according to that link would be vulnerable. I don't know quite how to test this vulnerability, so I can't confirm anything.
From a Google engineer: "these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren't affected". From that I would think that it is rather hard to inflict damage upon a client. A server would be easier, but that generally won't be an issue as MWG usually only sits on the client-side. Those with reverse proxies may need to look into this a bit further.
According to McAfee's release notes for MWG 7.3.2.8:
When you have upgraded to version 7.3.2.8 and completed the additional activities, you can
verify that your Web Gateway appliance is protected against the vulnerability. For this
purpose, you need to check the OpenSSL version that is then in use.
1 Log on to the appliance from a local system console or remotely, using SSH.
2 Run the following command:
rpm -q openssl
You should see these two lines as output:
openssl-1.0.1e-10.mlos2.x86_64
openssl-1.0.1e-10.mlos2.i686
These lines show the OpenSSL version that is used by the MLOS 2 (McAfee Linux
Operating System 2) operating system for Web Gateway.
If the version is openssl-1.0.1e-10.mlos2, as shown here, or later, for example,
openssl-1.0.1e-11.mlos2, your appliance is protected. openssl-1.0.1e-10.mlos2
includes the fix that was implemented to address the vulnerability.
I too wondered what was up when I noticed the OpenSSL library version was the same from 7.3.2.7 to 7.3.2.8, but looking at the upgrade logs clearly shows the files were changed.
Message was edited by: malware-alerts on 6/5/14 12:47:29 PM CDT
apellepa was referencing a CVE that came out today, a man in the middle attack with remote code execution potential. The release notes for 7.3.2.8 are addressing the previous issue, the Heartbleed vulnerability.
An SNS just went out that McAfee is looking into the matter, with more information to be forthcoming:
McAfee is aware of the June 5, 2014 CERT announcement (CVE-2014-0224) regarding OpenSSL vulnerabilities and subsequent OpenSSL releases for versions 0.9.8, 1.0.0, and 1.0.1. These releases address several security issues.
McAfee Response
The security of our customers is paramount at McAfee. Upon learning of possible security issues with OpenSSL, McAfee began its investigation into which products might require the newly-released patched versions of OpenSSL.
McAfee Products Not Using OpenSSL
Under review — we will provide an updated SNS as soon as possible.
Continuing Information
McAfee will provide information on any impacted products as soon as that information becomes available. The following independent organizations are providing incident information:
CERT — http://www.kb.cert.org/vuls/id/978508
OpenSSL.org — https://www.openssl.org/news/secadv_20140605.txt
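The package check from the 7.3.2.8 release notes quoted earlier in the thread, as an added example that is not part of any post or of McAfee's documentation. It shows why the package release (the `-10` in `openssl-1.0.1e-10.mlos2`) has to be compared rather than the upstream version string, which stays at 1.0.1e across builds. The function names are hypothetical, and the threshold is the one those release notes give, not a fixed build for CVE-2014-0224, which the thread does not state.

```shell
#!/bin/sh
# Added example: judge `rpm -q openssl` output against the build named in the
# quoted 7.3.2.8 release notes (openssl-1.0.1e-10.mlos2 or later).
REQUIRED_VERSION="1.0.1e"   # upstream version, from the release notes
REQUIRED_RELEASE=10         # package release that carries the backported fix

# check_openssl_nvra LINE
# Returns 0 = at or above the required release, 1 = older release,
# 2 = cannot be judged (not an mlos2 openssl package line, or a different
# upstream version, which this sketch leaves for manual review).
check_openssl_nvra() {
    case "$1" in
        openssl-*-*.mlos2.*) ;;
        *) return 2 ;;
    esac
    _rest=${1#openssl-}          # 1.0.1e-10.mlos2.x86_64
    _version=${_rest%%-*}        # 1.0.1e
    _release=${_rest#*-}         # 10.mlos2.x86_64
    _release=${_release%%.*}     # 10
    case "$_release" in
        ''|*[!0-9]*) return 2 ;; # release must be a plain number
    esac
    [ "$_version" = "$REQUIRED_VERSION" ] || return 2
    [ "$_release" -ge "$REQUIRED_RELEASE" ] || return 1
    return 0
}

# check_openssl_output: reads `rpm -q openssl` output on stdin.
# Every installed architecture (x86_64 and i686) must pass; an old package
# outweighs an unreadable line. Usage: rpm -q openssl | check_openssl_output
check_openssl_output() {
    _seen=0; _old=0; _unknown=0
    while IFS= read -r _line; do
        [ -n "$_line" ] || continue
        _seen=1; _rc=0
        check_openssl_nvra "$_line" || _rc=$?
        case $_rc in
            1) _old=1 ;;
            2) _unknown=1 ;;
        esac
    done
    [ "$_seen" -eq 1 ] || return 2
    [ "$_old" -eq 0 ] || return 1
    [ "$_unknown" -eq 0 ] || return 2
    return 0
}
```
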
Yes just realised that, my bad.
Hopefully they'll be more proactive than with the HB vuln. where they took weeks to confirm products affected...