apellepa
Level 9
Message 1 of 6

Open SSL Vulnerability

Is MWG affected (or do I need to open an SR to get an answer)?

https://www.openssl.org/news/secadv_20140605.txt

1 Solution

Accepted Solutions
jscholte
McAfee Employee
Message 6 of 6

Re: Open SSL Vulnerability

Hi All,

This is addressed in 7.3.2.10 and 7.4.2.1. Both are available for download now.

Web Gateway 7.3.2.10 build 17592 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD25231

Web Gateway 7.4.2.1 build 17593 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD25232

For other McAfee Products check out the general Security Bulletin:

McAfee Security Bulletin – Seven OpenSSL vulnerabilities patched in McAfee products - https://kc.mcafee.com/corporate/index?page=content&id=SB10075

Best!

Jon

5 Replies

Re: Open SSL Vulnerability

The version I have running in my lab (7.3.2.9.0) is running openssl version 1.0.1e, which according to that link would be vulnerable. I don't know quite how to test this vulnerability, so I can't confirm anything.

From a Google engineer: "these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren't affected".   From that I would think that it is rather hard to inflict damage upon a client.  A server would be easier, but that generally won't be an issue as MWG usually only sits on the client-side.  Those with reverse proxies may need to look into this a bit further.

malware-alerts
Reliable Contributor
Message 3 of 6

Re: Open SSL Vulnerability

According to McAfee's release notes for MWG 7.3.2.8:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25155/en_US/...

When you have upgraded to version 7.3.2.8 and completed the additional activities, you can verify that your Web Gateway appliance is protected against the vulnerability. For this purpose, you need to check the OpenSSL version that is then in use.

1 Log on to the appliance from a local system console or remotely, using SSH.

2 Run the following command:

    rpm -q openssl

You should see these two lines as output:

    openssl-1.0.1e-10.mlos2.x86_64
    openssl-1.0.1e-10.mlos2.i686

These lines show the OpenSSL version that is used by the MLOS 2 (McAfee Linux Operating System 2) operating system for Web Gateway.

If the version is openssl-1.0.1e-10.mlos2, as shown here, or later, for example, openssl-1.0.1e-11.mlos2, your appliance is protected. openssl-1.0.1e-10.mlos2 includes the fix that was implemented to address the vulnerability.

I too wondered what was up when I noticed the OpenSSL library version was the same from 7.3.2.7 to 7.3.2.8, but looking at the upgrade logs clearly shows the files were changed.

Message was edited by: malware-alerts on 6/5/14 12:47:29 PM CDT
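
The "or later" check from the release notes quoted in the post above, scripted as an added example (not part of the original post and not McAfee code). The function names are hypothetical, the default minimum is the 7.3.2.8 value quoted above, and the comparison relies on GNU `sort -V`, which approximates rpm's own version ordering. The thread does not give the package release that carries the fix for the June 5 advisory, so the minimum is a parameter.

```shell
#!/bin/sh
# Minimum fixed package release, as quoted from the 7.3.2.8 release notes.
MIN_FIXED="1.0.1e-10.mlos2"

# pkg_version openssl-VERSION-RELEASE.ARCH -> VERSION-RELEASE
pkg_version() {
    v=${1#openssl-}   # drop the package name
    v=${v%.*}         # drop the architecture suffix (.x86_64, .i686)
    printf '%s\n' "$v"
}

# is_at_least VERSION MIN: succeeds when VERSION sorts at or after MIN.
# Assumes GNU sort with -V (version sort).
is_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_openssl_pkgs [MIN]: reads `rpm -q openssl` output on stdin,
# prints one verdict per package line, and returns 1 if any installed
# package (either architecture) is older than MIN.
check_openssl_pkgs() {
    min=${1:-$MIN_FIXED}
    rc=0
    while IFS= read -r line; do
        case $line in
            openssl-*) ;;      # a package line
            *) continue ;;     # e.g. "package openssl is not installed"
        esac
        if is_at_least "$(pkg_version "$line")" "$min"; then
            echo "OK     $line"
        else
            echo "OLDER  $line"
            rc=1
        fi
    done
    return $rc
}

# Usage on the appliance:
#   rpm -q openssl | check_openssl_pkgs
#   rpm -q openssl | check_openssl_pkgs "<minimum release from the relevant release notes>"
```

Both the x86_64 and the i686 package are checked, so an appliance where only one of the two was updated is reported as older.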

Re: Open SSL Vulnerability

apellepa was referencing a CVE that came out today, a man in the middle attack with remote code execution potential. The release notes for 7.3.2.8 are addressing the previous issue, the Heartbleed vulnerability.

A SNS just went out that McAfee is looking into the matter, with more information to be forthcoming:

McAfee is aware of the June 5, 2014 CERT announcement (CVE-2014-0224) regarding OpenSSL vulnerabilities and subsequent OpenSSL releases for versions 0.9.8, 1.0.0, and 1.0.1. These releases address several security issues.

McAfee Response

The security of our customers is paramount at McAfee. Upon learning of possible security issues with OpenSSL, McAfee began its investigation into which products might require the newly-released patched versions of OpenSSL.

McAfee Products Not Using OpenSSL

Under review — we will provide an updated SNS as soon as possible.

Continuing Information

McAfee will provide information on any impacted products as soon as that information becomes available. The following independent organizations are providing incident information:

    CERT — http://www.kb.cert.org/vuls/id/978508

    OpenSSL.org — https://www.openssl.org/news/secadv_20140605.txt

malware-alerts
Reliable Contributor
Message 5 of 6

Re: Open SSL Vulnerability

Yes just realised that, my bad.

Hopefully they'll be more proactive than with the HB vuln. where they took weeks to confirm products affected...
