sthe
Level 9

OpenSSL CVE-2014-0160


Hello

Is McAfee Web Gateway 7.3.2.7 vulnerable? As I see, it uses OpenSSL 1.0.1e, which is vulnerable.

Details

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

http://www.kb.cert.org/vuls/id/720951

https://www.openssl.org/news/secadv_20140407.txt

http://heartbleed.com/

Stefan

Message was edited by: sthe on 4/8/14 10:41:49 AM CEST

Message was edited by: sthe on 4/8/14 10:42:27 AM CEST
0 Kudos
1 Solution

Accepted Solutions
sthe
Level 9

Re: OpenSSL CVE-2014-0160


Hello

Now this is the definitive answer:

Security Bulletin

https://kc.mcafee.com/corporate/index?page=content&id=SB10071

"What to do after upgrading Web Gateway to combat Heartbleed"

https://kc.mcafee.com/corporate/index?page=content&id=KB81669

Well, a lot of work to do...

0 Kudos
26 Replies
asabban
Level 17

Re: OpenSSL CVE-2014-0160


Hello,

It is possible that MWG is vulnerable, but investigations are currently ongoing. There should be an official announcement later. If you need some official information immediately, I recommend filing a service request with technical support.

Best,

Andre

0 Kudos
sthe
Level 9

Re: OpenSSL CVE-2014-0160


Hello Andre

Thank you for your fast reply. I would appreciate any further details as soon as they are available.

If MWG is vulnerable, there are some more questions to come...

Thanks

Stefan

0 Kudos
asabban
Level 17

Re: OpenSSL CVE-2014-0160


Hello,

Further details are available. Since this is security-related, we would like to avoid discussing details in a public space. Please file a service request with technical support; they will provide you with the latest available information. I have talked to them and they are awaiting you :-)

Best,

Andre

0 Kudos
sthe
Level 9

Re: OpenSSL CVE-2014-0160


Hello Andre

The SR is filed.

I am not going to post details about the answer I get. I will keep it confidential.

Can you update the post when official information is available?

I think other people are also interested.

Best

Stefan

0 Kudos
asabban
Level 17

Re: OpenSSL CVE-2014-0160


Thank you,

I talked to the support manager and there will be an official response in the form of an SNS (Support Notification Service). I encourage every customer to subscribe, as important official information is provided through this channel. You can find more details at

https://kc.mcafee.com/corporate/index?page=content&id=KB67828

Please look out for the SNS, which will contain all necessary information. I am not allowed to give any kind of official response, so please follow the notification. In case questions remain, I still recommend filing an SR with support to have some official response and updates.

Besides that, I am certainly happy to help :-)

Best,

Andre

0 Kudos
jbmartin6
Level 9

Re: OpenSSL CVE-2014-0160


We're still waiting for an SNS. How hard is it to test the products and let customers know which components are vulnerable so they can make appropriate risk decisions? By all means, let all your customers test individually; customers' time has no value, right?

pwn3r
Level 7

Re: OpenSSL CVE-2014-0160


I had to create an account just to throw this out there. This product IS vulnerable. I have tested with a copy of a tool internally and externally against this product. It IS vulnerable and it took me less than 10 minutes to prove that. Let's get some action here McAfee... some of us have certs that we would rather not have to re-issue, and replace on hundreds or thousands of devices.

0 Kudos
jbmartin6
Level 9

Re: OpenSSL CVE-2014-0160


What aspect of MWG is vulnerable? I ran an exploit against the management console and it wasn't vulnerable. Do you mean the proxy's SSL interception function is vulnerable?

0 Kudos
dbledge
Level 7

Re: OpenSSL CVE-2014-0160


I did the same. The response I got was "Server returned error, likely not vulnerable"

0 Kudos