4 Replies Latest reply on Apr 18, 2014 12:12 PM by acwon

    MVM FSL check for heartbleed?

    gbos

      Do we have an ETA when MVM (Foundstone) will have a content update for the Heartbleed bug (CVE-2014-0160)?  Some of my departments have asked.  Thanks!

        • 1. Re: MVM FSL check for heartbleed?
          gbos

          Answering my own question:

          It is NOT in today's FSL release which just came out (see here).  There was a separate SNS note minutes after the FSL content update.  It said:

          McAfee is aware of the Heartbleed Vulnerability (CVE-2014-0160). This is a vulnerability in OpenSSL that could allow an attacker to gain access to system memory (in 64K chunks) which potentially could contain sensitive information or communications.

          McAfee is investigating affected products and will provide additional information via SNS today.

          • 2. Re: MVM FSL check for heartbleed?
            gbos

            Well, the SNS notice was disappointing:

            McAfee is identifying those products impacted by the vulnerable OpenSSL versions and updating them to a remediated OpenSSL version.  A consolidated Security Bulletin will be published on the McAfee Knowledge Center (support.mcafee.com) and list all affected products. This document will be updated daily as new hotfixes and patches are posted for customer download.

            An SNS Notice will be sent advising when the Security Bulletin is available, and additional SNS messages will be sent as updates occur.


            Update to original notification sent Wed Apr 9 at approx. 10:15 am CDT

            I've asked our VAR to open a ticket with McAfee on when MVM (Foundstone) will have a content update for the Heartbleed bug (CVE-2014-0160).

            • 3. Re: MVM FSL check for heartbleed?
              gbos

              It was in the second FSL update released yesterday (RedHat entry used as example):

              140438 - Red Hat Enterprise Linux RHSA-2014-0376 Update Is Not Installed

              Category: SSH Module -> NonIntrusive -> Red Hat Enterprise Linux Patches and Hotfixes

              Risk Level: Medium

              CVE: CVE-2014-0160

              Description

              The scan detected that the host is missing the following update: RHSA-2014-0376

              Observation

              Updates often remediate critical security problems that should be quickly addressed.

              For more information see:

              https://rhn.redhat.com/errata/RHSA-2014-0376.html

              • 4. Re: MVM FSL check for heartbleed?
                acwon

                In MVM, Manage -> FASL Scripts, I reviewed the "OpenSSL TLS DTLS Heartbeat Extension Packets Information Disclosure" and in "View Script" I found some statements as follows:

                FASL.vulnID     = 16505;
                FASL.attackType = ATTACK_NONINTRUSIVE;
                FASL.os         = OS_ANY;
                FASL.protocol   = PROTOCOL_TCP;
                FASL.filters = [ 443, 465, 990, 993, 994, 995, 563, 636, 992, 3713, 5061, 6514, 10161, 10162 ];

                Does "FASL.filters" mean this check will only check TCP ports in the group of "443, 465, 990, 993, 994, 995, 563, 636, 992, 3713, 5061, 6514, 10161, 10162"?  Or will this check be checking based on the IPs specified in MVM, Settings -> Services -> TCP Scanning?

                Thanks.

                AL