pierce
Level 13
Message 1 of 66

ePO - OpenSSL versions (CVE-2014-0160)

Hi All,

Can anyone confirm if accessing this file on ePO (4.6.4 here) is a good way to easily see what version of OpenSSL you have?

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\OPENSSL-README.txt

ePO 4.6.4 shows the OpenSSL readme talking about version 1.0.0.d, which is not vulnerable, which also matches what I see from various scanning tools that have appeared.

As always, if in doubt, shut down your agent handler in the DMZ for the time being.... That's what we did the last time there was an issue like this that could be remotely exploited.

thanks,

Pierce

1 Solution

Accepted Solutions
Namster
Level 10
Message 39 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

Hey everyone, I'll try to simplify the steps for you all:

  1. Download the Hotfix
  2. Back up your ePO server KB71825
    1. Make sure you follow the KB
  3. Update the ePO server KB71825
    1. Update the Agent Handler(s) if applicable
  4. Change the SQL Password, and update on ePO and AH with the new passwords.
  5. Create new agent-server communication keys KB81674
  6. Create a daily task for MA - Product Update - "ePO Agent Key Updater"
    1. Monitor, backup and retire old keys accordingly.
    2. Create new agent package for distribution, retire any old copies.

65 Replies

Re: ePO - OpenSSL versions (CVE-2014-0160)

On your ePO server, open a command prompt. Go to program files (x86)\mcafee\epolicy orchestrator\apache2\bin

Type: openssl version

This will give you the version of OpenSSL running on Apache. I believe ePO 4.6.4 uses 1.0.1d. That version is vulnerable.
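
As an added example (not part of the original thread and not McAfee's tooling), the following Python classifies `openssl version` banners such as the ones reported in this thread against the CVE-2014-0160 affected range: 1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1. The host names and banner lines are constructed samples.

```python
import re

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta/beta1.
# 1.0.1g and 1.0.2-beta2 carry the fix; the 1.0.0 and 0.9.8 branches are not affected.
# A build compiled with -DOPENSSL_NO_HEARTBEATS is not exposed even if its
# banner falls in the affected range, so treat "affected" as "needs follow-up".
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?", re.I)


def classify(banner):
    """Return 'affected', 'not affected' or 'unknown' for one version banner."""
    m = _BANNER.search(banner)
    if not m:
        return "unknown"
    version = tuple(int(g) for g in m.group(1, 2, 3))
    letter = m.group(4).lower()          # patch letter, '' for the base release
    beta = (m.group(5) or "").lower()    # 'beta', 'beta1', ... or ''
    if version == (1, 0, 1):
        if beta:
            return "unknown"             # pre-release 1.0.1 builds are not classified here
        return "affected" if letter <= "f" else "not affected"
    if version == (1, 0, 2) and beta in ("beta", "beta1"):
        return "affected"
    return "not affected"


def report(banners):
    """Map each host name to the classification of its collected banner."""
    return {host: classify(banner) for host, banner in banners.items()}


# Constructed sample inventory: output of `openssl version` gathered per server.
SAMPLE = {
    "epo-server": "OpenSSL 1.0.0d 8 Feb 2011",
    "agent-handler-dmz": "OpenSSL 1.0.1e 11 Feb 2013",
    "patched-host": "OpenSSL 1.0.1g 7 Apr 2014",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host}: {status}")
```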

pierce
Level 13
Message 3 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

Just did that and get 1.0.0d, which is the same as the readme file I found.

Looks like ePO 4.6.4 is safe.

Re: ePO - OpenSSL versions (CVE-2014-0160)

Good to know! ePO 4.6.4 shows version 1.0.1e so that version is vulnerable.

pierce
Level 13
Message 5 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

How do we have the same version of ePO with different versions of OpenSSL...? No wonder my ePO won't upgrade...

Re: ePO - OpenSSL versions (CVE-2014-0160)

Sorry.. I meant ePO 4.6.6!

Re: ePO - OpenSSL versions (CVE-2014-0160)

We're currently running 4.6.7 (Build 278) and have OpenSSL 1.0.1e.

Pretty disappointed in lack of information from McAfee so far.

mgg
Level 7
Message 8 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

ePO 4.6.6 (build 176) uses 1.0.1e, which is impacted. ->

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

On the exposure side, it would be limited to internal traffic since ePO hosting servers should only be internal. Not saying there is no impact, just that severity ought to be lower than for those apps that are Internet facing.

Re: ePO - OpenSSL versions (CVE-2014-0160)

Our ePO is only accessible internally, but our agent handler is accessible externally. It's also running 1.0.1e so we've had to close that off from external access until a patch is released.

jickfoo
Level 11
Message 10 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

Yeah, we are in the same boat as Richasto. We have the ePO agent handler in the DMZ. It's public facing and showing up as vulnerable. What do we do?