6 Replies Latest reply on May 29, 2013 8:52 AM by mtuma

    OpenSSL on the Firewall?

    cyberz

      Hi Community,


      I have a short question about the SSL encryption on the McAfee Firewall.

      We use firewall version 8.2.1. Does the firewall use OpenSSL? If yes, which version? Can I check that?


      Thanks in Advance.


      Regards

      Tim

        • 1. Re: OpenSSL on the Firewall?
          oreeh

          Sidewinder 8.2.1P08 uses OpenSSL 0.9.7h - but I'm not sure if this is actually used for the SSL encryption.

          Edited to add: a simple "man openssl" will show the version at the end of the manpage. Executing one of the binaries is not possible.
          on 5/23/13 4:32:34 PM CEST
          • 2. Re: OpenSSL on the Firewall?
            sliedl

            Do you have a specific reason for asking about the version?  The packages installed on the firewall are modified from their original releases; components are removed or modified and Type Enforcement restrictions are put in place.

            • 3. Re: OpenSSL on the Firewall?
              cyberz

              Yes, because of a design weakness (with renegotiation)

              http://www.h-online.com/open/news/item/Solution-for-SSL-TLS-design-weakness-in-sight-902887.html

              In the current 1.0.1? version, this is probably fixed?

              0.9.7h  release date: 11 October 2005

              Eight years ago. ;-)

              I think openssl can't update separately, correct?
              • 4. Re: OpenSSL on the Firewall?
                cyberz

                Does anyone have an idea? :-/ Or should I open a case?

                on 29.05.13 04:27:55 CDT
                • 5. Re: OpenSSL on the Firewall?
                  PhilM

                  You could raise a case, but sliedl has answered your question.

                   

                  The way that the underlying operating system is modified, hardened and controlled by Type Enforcement means that generic notifications concerning possible vulnerabilities in commonly-known processes (bind, sendmail, etc...) are effectively not applicable in this product. Many vulnerabilities are used to provide a way in (through the vulnerable service) so that other services or data files can be accessed or compromised.

                  So, even if the version of a process contained known vulnerabilities, Type Enforcement makes them irrelevant.


                  -Phil.

                  • 6. Re: OpenSSL on the Firewall?

                    The key to figuring out if a particular known vulnerability is applicable to the Firewall Enterprise is finding some sort of identification number (CVE-XXXX-XXXX for example). We have many knowledge base articles available at mysupport.mcafee.com addressing vulnerabilities (just search for the CVE number).


                    After looking closer at your article and clicking on a few links, it appears that they are talking about "CVE-2009-3555". A quick search of this shows this article:

                    Firewall Enterprise/Command Center Vulnerability CVE-2009-3555 KB69935

                    The article shows hotfixes required for the 7.x version, but since this vulnerability (and KB article) is old and from before 8.x was released, we can assume that the vulnerability does not apply to 8.x versions.


                    -Matt
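The renegotiation weakness raised in reply 3 and identified as CVE-2009-3555 in reply 6 was fixed by RFC 5746, which has the server advertise a `renegotiation_info` extension (type 0xFF01) in its ServerHello. A defender who cannot run binaries on the appliance can still verify the fix from the outside by capturing the ServerHello and checking for that extension. The following is an added example, not code from this thread or from McAfee: it parses TLS ServerHello records and reports whether secure renegotiation is signalled. The two records it inspects are constructed fixtures built in the script (the cipher suite, random bytes and TLS 1.2 version are arbitrary), so it runs offline; on a real capture you would feed it the raw handshake record instead.

```python
"""
Check whether a TLS ServerHello carries the RFC 5746 renegotiation_info
extension, i.e. whether the server has the fix for CVE-2009-3555.
Added example: parses constructed records offline, no network access.
"""
import struct
from typing import Dict, Optional

HANDSHAKE = 0x16            # TLS record content type: handshake
SERVER_HELLO = 0x02         # handshake message type: ServerHello
RENEGOTIATION_INFO = 0xFF01 # extension type defined by RFC 5746


def parse_extensions(data: bytes) -> Dict[int, bytes]:
    """Return {extension_type: extension_data} from a length-prefixed extension list."""
    exts: Dict[int, bytes] = {}
    if len(data) < 2:
        return exts
    (total,) = struct.unpack("!H", data[:2])
    pos, end = 2, 2 + total
    if end > len(data):
        raise ValueError("extensions length exceeds available data")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns extension list")
        exts[ext_type] = data[pos:pos + ext_len]
        pos += ext_len
    return exts


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return the fields a checker cares about."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != SERVER_HELLO:
        raise ValueError("record does not carry a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hello[:2])
    pos = 2 + 32                      # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session_id
    (cipher,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    pos += 1                          # compression method
    exts = parse_extensions(hello[pos:]) if pos < len(hello) else {}
    return {"version": version, "cipher_suite": cipher, "extensions": exts}


def supports_secure_renegotiation(record: bytes) -> bool:
    """True when the server signals RFC 5746; False means pre-fix (CVE-2009-3555) behaviour."""
    return RENEGOTIATION_INFO in parse_server_hello(record)["extensions"]


def build_server_hello(extensions: Optional[bytes]) -> bytes:
    """Construct a minimal ServerHello record (test fixture, not a real capture)."""
    hello = (struct.pack("!H", 0x0303)      # TLS 1.2
             + bytes(32)                    # server random (all zero, fixture only)
             + b"\x00"                      # empty session_id
             + struct.pack("!H", 0x002F)    # arbitrary cipher suite
             + b"\x00")                     # null compression
    if extensions is not None:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!H", 0x0303) + struct.pack("!H", len(hs)) + hs


# Constructed samples: a patched server sends renegotiation_info whose data is a
# zero-length renegotiated_connection (one byte 0x00) on the initial handshake;
# a legacy server sends no extensions at all.
PATCHED_HELLO = build_server_hello(struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00")
LEGACY_HELLO = build_server_hello(None)

if __name__ == "__main__":
    for name, rec in (("patched", PATCHED_HELLO), ("legacy", LEGACY_HELLO)):
        print(name, "secure renegotiation:", supports_secure_renegotiation(rec))
```

A server that omits the extension is not necessarily exploitable (it may have renegotiation disabled entirely, which was the interim mitigation), so a missing `renegotiation_info` is a finding to confirm against the vendor's KB article rather than proof of the vulnerability.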