1 Reply Latest reply on Jul 16, 2014 2:51 PM by dsabulsky

    MOVE + VSEL + Heartbleed




      I just saw on the KB site for the Heartbleed vulnerability that VirusScan Enterprise for Linux is vulnerable. Does this affect MOVE 3.0, because it uses VSEL as its core?


      Thanks for the update.



        • 1. Re: MOVE + VSEL + Heartbleed

          McAfee® MOVE AV Agentless v3.0 - OpenSSL Vulnerability Hotfix


          Download this HotFix (MOVEHF101000.zip) to resolve this issue, CVE-2014-0224, from the McAfee Download site using your grant number. This hotfix is also available on the McAfee ServicePortal.


          OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.




          Updated by: dsabulsky on 7/16/14 2:51:24 PM CDT
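
A version check for the OpenSSL ranges quoted in the reply above, as an added example that is not part of the original thread and not McAfee tooling. It compares upstream version strings only (the sample strings are constructed); vendors and distributions often backport fixes without changing the version string, so an "affected" result means the build needs a closer look, not proof that it is unpatched.

```python
import re

# First fixed release per branch, taken from the advisory text quoted above.
FIXED_LETTERS = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract ((major, minor, fix), letters) from e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letter_rank(letters):
    """Order OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def in_ccs_injection_range(version_text):
    """True if the version falls in a range listed for CVE-2014-0224."""
    base, letters = parse_openssl_version(version_text)
    if base < (0, 9, 8):
        return True  # "OpenSSL before 0.9.8za" covers all older branches
    fixed = FIXED_LETTERS.get(base)
    if fixed is None:
        return False  # branch not listed in the quoted text
    return letter_rank(letters) < letter_rank(fixed)


if __name__ == "__main__":
    # Constructed sample strings in the style of `openssl version` output.
    samples = [
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1h 5 Jun 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 0.9.8za 5 Jun 2014",
    ]
    for s in samples:
        state = "in affected range" if in_ccs_injection_range(s) else "not in listed range"
        print("%-34s %s" % (s, state))
```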