Reliable Contributor
Message 51 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

Ran the hotfix this morning on the production ePO server and everything looks fine. The readme file does mention other steps to do if you suspect that you were compromised by HeartBleed. How do you actually know whether you were compromised or not? It mentions regenerating the ePO agent client to server keys and changing the SQL password.

In our environment, I am not too sure if we need to do those extra steps like key regeneration. Our ePO server is not exposed to the Internet, port 443 is only allowed from clients inside our organisation. Also the SQL and Admin console (port 443) are only exposed to certain IP addresses. Are other people taking the extra steps of regenerating the agent keys and if so what are the dangers/risks of doing this? We are in a Non-AD environment and don't have the staff to fix systems that quit talking back to the ePO server after a key regeneration. Is just applying the hotfix good enough?

Level 7
Message 52 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

Just did my backups as per KB66616 on my development server with ePO 4.6.7 and ran ePOHF960279.exe. Seems fine so far.

Re: ePO - OpenSSL versions (CVE-2014-0160)

Though you may have to do the agent key update, there is no harm.  If someone had compromised your environment they could have sniffed your ePO server and acquired your private key. 

The best hacks go unrecognized.

Re: ePO - OpenSSL versions (CVE-2014-0160)

FYI EPO 4.6.7

Installed on test VM server and production, no problems.

Thanks

Level 7
Message 55 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

Hi

In the readme file you can check which ePO console version is vulnerable and how to check if you are covered after applying the patch:

https://kc.mcafee.com/corporate/index?page=content&id=PD25159

regards

Claudio

Level 7
Message 56 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

The latest SNS states: "FIPS 140-2 installs of ePO are NOT vulnerable"

- what does that specific ePO variation use instead of OpenSSL?

- is this ePO variation available to the wider consumers internationally?

any insight would be appreciated.

McAfee Employee
Message 57 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

ePO installed in FIPS mode uses OpenSSL v 0.9.8, which is not vulnerable.

For full FIPS details, please see KB75739.

(In my opinion FIPS mode is *not* a solution to this vulnerability - there are significant hurdles involved in getting a FIPS-mode installation, and the released hotfix would be the approach I would recommend.)

HTH -

Joe

Level 9
Message 58 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

EPOHF960279-2.zip

April 11, 2014 (* reposted April 15, 2014)

What's wrong with the first version of the ePo hotfixes? All of them have been reposted on April 15th.

https://kc.mcafee.com/corporate/index?page=content&id=SB10071

McAfee Employee
Message 59 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

Under certain circumstances the HF would install to the wrong directory, meaning that when you checked the version of ssleay32.dll as per the installation instructions, you would still see the vulnerable version.

Please see KB81713 for details.

HTH -

Joe
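
The failure mode described in Message 59 (a hotfix landing in the wrong directory while an old ssleay32.dll stays in place) can be caught by checking every copy of the DLL rather than one path. The script below is an added example, not part of the thread and not McAfee tooling; `$Root` is a placeholder for your ePO installation directory, the function names are hypothetical, and it assumes that any 1.0.1.x file version below the 1.0.1.7 quoted in this thread is unpatched.

```powershell
# Added example (not McAfee's tooling). $Root is a placeholder: point it at
# your ePO installation directory; the thread does not give the path.
param([string]$Root = 'C:\PLACEHOLDER\ePO')

# File version quoted in the thread from the hotfix release notes as fixed.
$Fixed = [version]'1.0.1.7'

function Get-SslDllStatus([version]$FileVersion) {
    # A DLL without a version resource reports 0.0.0.0: flag it for a manual look.
    if ($FileVersion -eq [version]'0.0.0.0') { return 'UNKNOWN' }
    # Assumption: any 1.0.1.x build below the fixed version is unpatched.
    # Other branches (e.g. the 0.9.8 used by FIPS-mode installs) are not affected.
    if ($FileVersion.Major -eq 1 -and $FileVersion.Minor -eq 0 -and
        $FileVersion.Build -eq 1 -and $FileVersion -lt $Fixed) {
        return 'VULNERABLE'
    }
    return 'ok'
}

function Find-SslDll([string]$Path) {
    # Recurse so that copies left in an old or unexpected directory are
    # reported next to the patched one.
    Get-ChildItem -Path $Path -Recurse -Filter 'ssleay32.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            $v  = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)
            New-Object PSObject -Property @{
                Path        = $_.FullName
                FileVersion = $v
                Status      = Get-SslDllStatus $v
            }
        }
}

$results = @(Find-SslDll $Root)
$results | Sort-Object Status -Descending |
    Format-Table Status, FileVersion, Path -AutoSize

if ($results.Count -eq 0) {
    Write-Warning "No ssleay32.dll found under $Root"
} elseif ($results | Where-Object { $_.Status -ne 'ok' }) {
    Write-Warning 'At least one ssleay32.dll is unpatched or unreadable; see KB81713.'
}
```

A patched copy in one directory does not clear the server if another row still shows `VULNERABLE`; check which copy the running ePO services actually load.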

Level 9
Message 60 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

I have an EPO Server running EPO 4.6.7 and I installed the original Hotfix EPOHF960279 just this morning and also verified the ssleay32.dll file version 1.0.1.7 as stated in the release notes.

Do I still need to re-install the new Hotfix (EPOHF960279-2) released April 15th even though I have verified the file version and I never did any migration?

Can I just ignore this Hotfix EPOHF960279-2?


Thanks