cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
pierce
Level 13
Report Inappropriate Content
Message 1 of 66
‎04-09-2014 02:26 AM

ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

Hi All,

can anyone confirm if accessing this file on ePO (4.6.4 here) Is a good way to see easily what version of openSSL you have?

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\OPENSSL-README.txt

ePo 4.6.4 shows the OpenSSL readme and talking about version 1.0.0.d which is not vulnerable, which also matches what i see from various scanning tools that have appeared.

As always if in doubt shut down your agent handler in the DMZ for time being.... Thats what we did the last time there was an issue like this that could be remotely expolited.

thanks,

Pierce

Reply
1 Solution

Accepted Solutions
Namster
Level 10
Report Inappropriate Content
Message 39 of 66
‎04-11-2014 08:23 PM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

Hey everyone, I'll try to simplify the steps for you all:

  1. Download the Hotfix
  2. Backup your ePO server KB71825
    1. Make sure you follow the KB
  3. Update the ePO server KB71825
    1. Update the Agent Handler(s) if applicable
  4. Change the SQL Password, and update on ePO and AH with the new passwords.
  5. Create new agent-server communication keys KB81674
  6. Create a daily task for MA - Product Update - "ePO Agent Key Updater"
    1. Monitor, backup and retire old keys accordingly.
    2. Create new agent package for distribution, retire any old copies.

View solution in original post

Reply
65 Replies
robert_dearbyte
Level 10
Report Inappropriate Content
Message 2 of 66
‎04-09-2014 03:55 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

On your ePO server, open a command prompt. Go to program files (x86)\mcafee\epolicy orchestrator\apache2\bin

type OpenSSL Version

This will give you the version op OpenSLL running on Apache. I believe ePO 4.6.4 uses 1.0.1d. That version is vulnerable.

0 Kudos
Reply
pierce
Level 13
Report Inappropriate Content
Message 3 of 66
‎04-09-2014 03:58 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

Just did that and get 1.0.0d which is the same as the readme file I found.

Looks like ePo 4.6.4 is safe

0 Kudos
Reply
robert_dearbyte
Level 10
Report Inappropriate Content
Message 4 of 66
‎04-09-2014 04:00 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

Good to know! ePO 4.6.4 shows version 1.0.1e so that version is vulnerable.

0 Kudos
Reply
pierce
Level 13
Report Inappropriate Content
Message 5 of 66
‎04-09-2014 04:02 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

how do we have same version of ePO with different versions of openSSL...? No wonder by ePO wont upgrade...

0 Kudos
Reply
robert_dearbyte
Level 10
Report Inappropriate Content
Message 6 of 66
‎04-09-2014 04:07 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

Sorry.. I meant ePO 4.6.6!

0 Kudos
Reply
richasto
Level 7
Report Inappropriate Content
Message 7 of 66
‎04-09-2014 05:12 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

We're currently running 4.6.7 (Build 278) and have OpenSSL 1.0.1e.

Pretty disappointed in lack of information from McAfee so far.

0 Kudos
Reply
mgg
Level 7
Report Inappropriate Content
Message 8 of 66
‎04-09-2014 08:13 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

ePO4.6.6 (build 176) uses 1.0.1e. wich is impacted. ->

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

on the exposure side it would be limited to internal traffic since ePO hosting servers should only be internal. Not saying there is not impact just severity ought to be lower than for those apps are Internet facing.

0 Kudos
Reply
richasto
Level 7
Report Inappropriate Content
Message 9 of 66
‎04-09-2014 08:27 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

Our ePO is only accessible internally, but our agent handler is accessible externally. It's also running 1.0.1e so we've had to close that off from external access until a patch is released.

0 Kudos
Reply
jickfoo
Level 11
Report Inappropriate Content
Message 10 of 66
‎04-09-2014 09:52 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

Yea, we are in the same boat as Richasto. We have the ePO agent handler in the dmz. It's public facing and showing up as vulnerable. What do we do ?

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC