Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2014.0069.2 Multiple vulnerabilities in OpenSSL have been discovered within various McAfee products 12 June 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: McAfee ePolicy Orchestrator (ePO) McAfee Web Gateway (MWG) McAfee Security Information and Event Management (SIEM) / Nitro Operating System: Windows Network Appliance Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-3470 CVE-2014-0224 CVE-2014-0221 CVE-2014-0198 CVE-2014-0195 CVE-2014-0076 CVE-2010-5298 Member content until: Saturday, July 12 2014 Revision History: June 12 2014: Updated title June 12 2014: Initial Release OVERVIEW Multiple vulnerabilities in OpenSSL have been discovered within various McAfee products. [1] IMPACT The vendor has provided the following details on the vulnerabilities: "CVE-2014-0224: Man-in-the-Middle (MITM) attack An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CERT/CC Vulnerability Note VU#978508 OpenSSL is vulnerable to a man-in-the-middle attack http://www.kb.cert.org/vuls/id/978508 How I discovered CCS Injection Vulnerability (Lepidum Engineers' Blog) http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html https://www.imperialviolet.org/2014/06/05/earlyccs.html NET SECURITY Article http://www.net-security.org/secworld.php?id=16966 CVE-2014-0221: DoS attack By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0221 CVE-2014-0195: Arbitrary code execution on a vulnerable client or server A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0195 CVE-2014-0198: DoS attack A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198 CVE-2010-5298: DoS attack or session injection A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298 CVE-2014-3470: DoS attack OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial-of-service attack. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3470 CVE-2014-0076: Side-channel Attack The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. (Fixed earlier in OpenSSL 1.0.1g) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076" [1] MITIGATION The vendor recommends applying the available patches or hotfixes for the relevant product. [1] REFERENCES [1] McAfee Security Bulletin - Seven OpenSSL vulnerabilities patched in McAfee products https://kc.mcafee.com/corporate/index?page=content&id=SB10075 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU5kwsBLndAQH1ShLAQJhGg//Syqyx8+RAuQ7rLCqp4ZUlpTR/PIl+AS4 vO0Vaer94NuoNY42glNetXKfq3qotgE9eW3q/ZsW+1YxRaCVsqUQdtUGOvxfYmWi 5zvL6QXy2w8D4kdQ9BctZV6Lc42U3P210ell3BhwHTAL7+c9anC3Jz5zkLA0Fd5Q MzQ899VWvETSFbC4qUe4WfF7BfMaQT22KI9vGLp+37g8a5xy9DvcBGf1KmweLneB 7uyeVoKMzX9CrwSMTSptWD9VBX5CGkCO7Ac/YwHpXWl8j8ayEm6O43l6T1g5gaMb 9nVUtqGbeo7VEX8yXI9S31whMb6shS/9tsMubofWqXrn7MO5FhNsFK0YxyXu0eUp tifjw+cJwPZ4Wm20IPnTu8O5ySuJN9sTO0mZ1ko7KSDTjpnltxN2ZDosJO16DZI0 lU8bb4LlteMjawf0syDBDkBc5nOXlzrQFRBYfsha8Tn17Lby8IVAKpnMOqap4t/k 4qCuKa9Q3CnaNPntsX7u4hxFh8wGxd8Jabq+MOHa12H8Y4BmGHM5Q+RSKnqR6NC4 CiJXVddEJtteVIbTDstQn/1QGRENv+0U+iHNkbSsTEXJ7SZYJfRG1C8nuNKBFIwk FWMEqzFw7Uq90fN0t/dvn0Y/t2WCmH/m/7nOLushHf2ipTaJUJTMtWgqcfKJ161B hYLK9A/VmNE= =HAGR -----END PGP SIGNATURE-----