5 Replies Latest reply on Jun 6, 2014 2:11 PM by Jon Scholten

    Open SSL Vulnerability

    apellepa

      Is MWG affected (or do I need to open an SR to get an answer)?

      https://www.openssl.org/news/secadv_20140605.txt

        • 1. Re: Open SSL Vulnerability
          andyclements

          The version I have running in my lab (7.3.2.9.0) is running openssl version 1.0.1e, which according to that link would be vulnerable. I don't know quite how to test this vulnerability, so I can't confirm anything.

           

          From a Google engineer: "these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren't affected".   From that I would think that it is rather hard to inflict damage upon a client.  A server would be easier, but that generally won't be an issue as MWG usually only sits on the client-side.  Those with reverse proxies may need to look into this a bit further.

          • 2. Re: Open SSL Vulnerability
            malware-alerts

            According to McAfee's release notes for MWG 7.3.2.8:

             

            https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25155/en_US/mwg_7328_rn_c00_en-us.pdf

             

            When you have upgraded to version 7.3.2.8 and completed the additional activities, you can verify that your Web Gateway appliance is protected against the vulnerability. For this purpose, you need to check the OpenSSL version that is then in use.

             

            1 Log on to the appliance from a local system console or remotely, using SSH.

            2 Run the following command:

            rpm -q openssl

             

            You should see these two lines as output:

            openssl-1.0.1e-10.mlos2.x86_64

            openssl-1.0.1e-10.mlos2.i686

             

            These lines show the OpenSSL version that is used by the MLOS 2 (McAfee Linux Operating System 2) operating system for Web Gateway.

             

            If the version is openssl-1.0.1e-10.mlos2, as shown here, or later, for example, openssl-1.0.1e-11.mlos2, your appliance is protected. openssl-1.0.1e-10.mlos2 includes the fix that was implemented to address the vulnerability.

             

            I too wondered what was up when I noticed the OpenSSL library version was the same from 7.3.2.7 to 7.3.2.8, but looking at the upgrade logs clearly shows the files were changed.

             

            Message was edited by: malware-alerts on 6/5/14 12:47:29 PM CDT
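
The version check from the release notes quoted above, as an added shell example (not part of the original posts and not McAfee's code): it compares the package release rather than the upstream version, which stays at 1.0.1e when a fix is backported. The function names and the -9 sample line are constructed; the minimum of 10 is the one the 7.3.2.8 notes give for the fix they describe.

```shell
#!/bin/sh
# Added example: evaluate `rpm -q openssl` output against a minimum package
# release. The upstream version (1.0.1e) does not change when a fix is
# backported, so the release field is what has to be compared.

# Minimum release from the 7.3.2.8 release notes quoted above
# (openssl-1.0.1e-10.mlos2). Pass a different value for other fixes.
MIN_RELEASE=10

# Print the numeric release of one name-version-release.arch line,
# e.g. openssl-1.0.1e-10.mlos2.x86_64 -> 10. Prints nothing if unparsable.
rpm_release() {
    printf '%s\n' "$1" | sed -n 's/^.*-\([0-9][0-9]*\)\.[^-]*$/\1/p'
}

# Return 0 if every package line is at or above the minimum release,
# 1 if any line is below it, 2 if a line cannot be parsed or there is no
# input (for example "package openssl is not installed"): fail closed.
openssl_pkgs_ok() {
    min=$1; input=$2; seen=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        rel=$(rpm_release "$line")
        [ -n "$rel" ] || return 2
        [ "$rel" -ge "$min" ] || return 1
        seen=1
    done <<EOF
$input
EOF
    [ "$seen" -eq 1 ] || return 2
    return 0
}

# Sample outputs. SAMPLE_FIXED is the output quoted in the post;
# SAMPLE_OLD is constructed to show one architecture left behind.
SAMPLE_FIXED='openssl-1.0.1e-10.mlos2.x86_64
openssl-1.0.1e-10.mlos2.i686'
SAMPLE_OLD='openssl-1.0.1e-9.mlos2.x86_64
openssl-1.0.1e-10.mlos2.i686'

for sample in "$SAMPLE_FIXED" "$SAMPLE_OLD"; do
    if openssl_pkgs_ok "$MIN_RELEASE" "$sample"; then
        echo "release >= $MIN_RELEASE on all packages"
    else
        echo "below minimum or unparsable (rc=$?)"
    fi
done
# On the appliance: openssl_pkgs_ok "$MIN_RELEASE" "$(rpm -q openssl)"
```
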
            • 3. Re: Open SSL Vulnerability
              andyclements

              apellepa was referencing a CVE that came out today, a man-in-the-middle attack with remote code execution potential. The release notes for 7.3.2.8 are addressing the previous issue, the Heartbleed vulnerability.

               

              An SNS just went out that McAfee is looking into the matter, with more information to be forthcoming:

              McAfee is aware of the June 5, 2014 CERT announcement (CVE-2014-0224) regarding OpenSSL vulnerabilities and subsequent OpenSSL releases for versions 0.9.8, 1.0.0, and 1.0.1. These releases address several security issues.

               

              McAfee Response

              The security of our customers is paramount at McAfee. Upon learning of possible security issues with OpenSSL, McAfee began its investigation into which products might require the newly-released patched versions of OpenSSL.

               

              McAfee Products Not Using OpenSSL

              Under review — we will provide an updated SNS as soon as possible.

               

              Continuing Information

              McAfee will provide information on any impacted products as soon as that information becomes available. The following independent organizations are providing incident information:

               

                  CERT — http://www.kb.cert.org/vuls/id/978508

                  OpenSSL.org — https://www.openssl.org/news/secadv_20140605.txt

              • 4. Re: Open SSL Vulnerability
                malware-alerts

                Yes just realised that, my bad.

                 

                Hopefully they'll be more proactive than with the HB vuln. where they took weeks to confirm products affected...

                • 5. Re: Open SSL Vulnerability
                  Jon Scholten

                  Hi All,

                   

                  This is addressed in 7.3.2.10 and 7.4.2.1. Both are available for download now.

                   

                  Web Gateway 7.3.2.10 build 17592 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD25231

                  Web Gateway 7.4.2.1 build 17593 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD25232

                   

                  For other McAfee Products check out the general Security Bulletin:

                  McAfee Security Bulletin – Seven OpenSSL vulnerabilities patched in McAfee products - https://kc.mcafee.com/corporate/index?page=content&id=SB10075

                   

                  Best!

                  Jon