===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0221
McAfee Security Bulletin - Multiple McAfee product updates fix Linux kernel
               vulnerability "SegmentSmack" (CVE-2018-5390)
                             21 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Multiple McAfee products
Operating System:     Linux variants
Impact/Access:        Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-5390  
Member content until: Sunday, October 21 2018
Reference:            ESB-2018.2275
                      ESB-2018.2271

OVERVIEW

        Multiple McAfee products are affected by the Linux kernel vulnerability 
        "SegmentSmack".  
                
        McAfee has provided a list of vulnerable and non-vulnerable products:
                      
        "Vulnerable and Updated
                        
        o McAfee Active Response (MAR) 
        o McAfee Linux Operating System (MLOS) 
        o Network Security Manager (NSM) Linux 
        o McAfee Web Gateway (MWG)
                        
        Vulnerable and Not Yet Updated
                        
        o Advanced Threat Defense (ATD) 
        o Data Exchange Layer (DXL) Streaming 
        o Network Data Loss Prevention Monitor (DLPM) 11.0 
        o Network Data Loss Prevention Prevent (DLPP) 10.x, 11.0 
        o McAfee Email Gateway (MEG) 
        o Network Security Platform (NSP) Azure VM 
        o SIEM 
        o Threat Intelligence Exchange (TIE) Server
                        
        Not Vulnerable
                        
        o Data Loss Prevention Endpoint (DLP Endpoint) / Host Data Loss Prevention (HDLP) 
        o Data Exchange Layer (DXL) Messaging 
        o Endpoint Security (ENS) 
        o ePolicy Orchestrator (ePO) 
        o Host Intrusion Prevention Services (Host IPS) 
        o McAfee Agent (MA) 
        o Network Security Platform (NSP) Hardware Appliances 
        o Network Threat Behavior Analysis (NTBA) 
        o VirusScan Enterprise for Storage (VSES) 
        o Other McAfee products that do not ship with a Linux operating system" [1]


IMPACT

        McAfee has provided the following details regarding the vulnerability:
        
        "Vulnerability Description
        A Linux kernel flaw known as SegmentSmack allows remote attackers to cause a 
        denial of service using specially crafted TCP packets.  A continuous two-way TCP 
        session to a reachable open port is required to maintain the denial of service 
        condition; therefore, a spoofed IP address cannot be used to carry out the attack.
        CVE-2018-5390
        Linux kernel versions 4.9+ can be forced to make very expensive calls to 
        tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet, 
        which can lead to a denial of service.
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5390
        https://nvd.nist.gov/vuln/detail/CVE-2018-5390" [1]
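
        On a Linux host, sustained pressure on the queue-pruning paths named above
        shows up in the TcpExt counters of /proc/net/netstat. The Python below is an
        added example, not part of the McAfee or AusCERT text: it compares two counter
        snapshots and reports per-second rates above a limit. The snapshots are
        constructed and the limits are assumptions to tune against a host's baseline.

```python
"""Flag SegmentSmack-style receive-queue pressure from /proc/net/netstat deltas."""

# TcpExt counters the kernel increments on the paths named in the bulletin:
#   PruneCalled     - tcp_prune_queue() ran because receive memory was exhausted
#   OfoPruned       - tcp_prune_ofo_queue() dropped out-of-order data
#   TCPRcvCollapsed - skbs freed by tcp_collapse(), used by tcp_collapse_ofo_queue()
WATCHED = ("PruneCalled", "OfoPruned", "TCPRcvCollapsed")

def parse_netstat(text):
    """Return {"TcpExt": {name: int, ...}, ...} from /proc/net/netstat text."""
    tables = {}
    rows = [line.split() for line in text.strip().splitlines() if line.strip()]
    for header, values in zip(rows[0::2], rows[1::2]):  # name row, then value row
        if header[0] != values[0] or len(header) != len(values):
            raise ValueError("malformed header/value pair: %s" % header[0])
        tables[header[0].rstrip(":")] = dict(zip(header[1:], map(int, values[1:])))
    return tables

def ofo_pressure(before, after, seconds, limits):
    """Return {counter: per-second rate} for watched counters above their limit."""
    old, new = parse_netstat(before)["TcpExt"], parse_netstat(after)["TcpExt"]
    alerts = {}
    for name in WATCHED:
        if name not in old or name not in new:
            continue  # counter not exported by this kernel build
        delta = new[name] - old[name]
        if delta < 0:
            continue  # counters restarted between snapshots; skip this interval
        if delta / seconds > limits[name]:
            alerts[name] = delta / seconds
    return alerts

# Constructed snapshots, trimmed to a few columns; real files carry many more.
SAMPLE_T0 = """\
TcpExt: SyncookiesSent PruneCalled RcvPruned OfoPruned TCPRcvCollapsed TCPOFOQueue
TcpExt: 0 3 0 1 120 5400
IpExt: InNoRoutes InOctets
IpExt: 0 987654
"""
SAMPLE_T1 = SAMPLE_T0.replace("TcpExt: 0 3 0 1 120 5400",
                              "TcpExt: 0 2503 0 1801 90120 8400")

# Assumed per-second limits; derive real ones from the host's normal traffic.
LIMITS = {"PruneCalled": 10, "OfoPruned": 10, "TCPRcvCollapsed": 500}

if __name__ == "__main__":
    for name, rate in ofo_pressure(SAMPLE_T0, SAMPLE_T1, 10, LIMITS).items():
        print("ALERT %s: %.1f/s (limit %d/s)" % (name, rate, LIMITS[name]))
```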


MITIGATION

        McAfee advises:
                
        "To remediate this issue, go to the Product Downloads site and 
        download the applicable product patch/hotfix files:
                
        +-------+----------------------+-----------+------------------------------------+---------+
        |Product|Versions              |Type       |File Name                           |Release  |
        |       |                      |           |                                    |Date     |
        +-------+----------------------+-----------+------------------------------------+---------+
        |       |MAR 2.3.0 HF3 (MAR    |           |                                    |         |
        |       |Server Bundle version |           |                                    |         |
        |MAR    |2.3.0.171 - includes  |Hotfix     |MAR-Server-Bundle_2.3.0_Build_171_  |September|
        |       |MAR Server and        |           |(ENU-RELEASE-MAIN).zip              |4, 2018  |
        |       |Platform packages     |           |                                    |         |
        |       |2.3.0.243)            |           |                                    |         |
        +-------+----------------------+-----------+------------------------------------+---------+
        |MLOS2  |MLOS2 kernel-4.9.116  |Maintenance|kernel-4.9.116-1.mlos2.x86_64.rpm   |August 3,|
        |       |                      |Release    |                                    |2018     |
        +-------+----------------------+-----------+------------------------------------+---------+
        |MLOS3  |MLOS3 kernel-4.9.116  |Maintenance|kernel-4.9.116-1.mlos3.x86_64.rpm   |August 3,|
        |       |                      |Release    |                                    |2018     |
        +-------+----------------------+-----------+------------------------------------+---------+
        |MWG    |7.7.2.17 build 26804  |Main       |mwgappl-7.7.2.17.0-26803-x.86_64.iso|September|
        |       |                      |Release    |                                    |11, 2018 |
        +-------+----------------------+-----------+------------------------------------+---------+
        |MWG    |7.8.2.2 build 26803   |Controlled |mwgappl-7.8.2.2.0-26805-x.86_64.iso |September|
        |       |                      |Release    |                                    |11, 2018 |
        +-------+----------------------+-----------+------------------------------------+---------+
        |NSM    |NSM_MLOS-3.5.0.9465_V1|Hotfix     |NSM_MLOS-3.5.0.9465_V1.bsx          |August   |
        |Linux  |Version 3.30          |           |                                    |31, 2018 |
        +-------+----------------------+-----------+------------------------------------+---------+
                         
        Download and Installation Instructions
        See KB56057 for instructions on how to download McAfee products, documentation, 
        security updates, updates, and hotfixes. 
        Review the Release Notes and the Installation Guide, which you can download from the 
        Documentation tab, for instructions on how to install these updates." [1]
                
                
        McAfee also released a workaround (script) that can be implemented to mitigate SegmentSmack. [1]


REFERENCES

        [1] McAfee Security Bulletin - Multiple McAfee product updates fix
            Linux kernel vulnerability "SegmentSmack" (CVE-2018-5390)
            https://kc.mcafee.com/corporate/index?page=content&id=SB10249

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================