===========================================================================
AUSCERT Security Bulletin

ASB-2018.0221
McAfee Security Bulletin - Multiple McAfee product updates fix
Linux kernel vulnerability "SegmentSmack" (CVE-2018-5390)
21 September 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Multiple McAfee products
Operating System:     Linux variants
Impact/Access:        Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-5390
Member content until: Sunday, October 21 2018
Reference:            ESB-2018.2275
                      ESB-2018.2271

OVERVIEW

Multiple McAfee products are affected by the Linux kernel vulnerability
"SegmentSmack". McAfee has provided a list of vulnerable and
non-vulnerable products:

"Vulnerable and Updated

   o McAfee Active Response (MAR)
   o McAfee Linux Operating System (MLOS)
   o Network Security Manager (NSM) Linux
   o McAfee Web Gateway (MWG)

Vulnerable and Not Yet Updated

   o Advanced Threat Defense (ATD)
   o Data Exchange Layer (DXL) Streaming
   o Network Data Loss Prevention Monitor (DLPM) 11.0
   o Network Data Loss Prevention Prevent (DLPP) 10.x, 11.0
   o McAfee Email Gateway (MEG)
   o Network Security Platform (NSP) Azure VM
   o SIEM
   o Threat Intelligence Exchange (TIE) Server

Not Vulnerable

   o Data Loss Prevention Endpoint (DLP Endpoint) / Host Data Loss
     Prevention (HDLP)
   o Data Exchange Layer (DXL) Messaging
   o Endpoint Security (ENS)
   o ePolicy Orchestrator (ePO)
   o Host Intrusion Prevention Services (Host IPS)
   o McAfee Agent (MA)
   o Network Security Platform (NSP) Hardware Appliances
   o Network Threat Behavior Analysis (NTBA)
   o VirusScan Enterprise for Storage (VSES)
   o Other McAfee products that do not ship with a Linux operating
     system" [1]

IMPACT

McAfee has provided the following details regarding the vulnerabilities:

"Vulnerability Description

A Linux kernel flaw known as SegmentSmack allows remote attackers to
cause a denial of service using specially crafted TCP packets. A
continuous two-way TCP session to a reachable open port is required to
maintain the denial of service condition; therefore, a spoofed IP address
cannot be used to carry out the attack.

CVE-2018-5390

Linux kernel versions 4.9+ can be forced to make very expensive calls to
tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming
packet, which can lead to a denial of service.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5390
https://nvd.nist.gov/vuln/detail/CVE-2018-5390" [1]

MITIGATION

McAfee advises:

"To remediate this issue, go to the Product Downloads site and download
the applicable product patch/hotfix files:

+-------+----------------------+-----------+------------------------------------+---------+
|Product|Versions              |Type       |File Name                           |Release  |
|       |                      |           |                                    |Date     |
+-------+----------------------+-----------+------------------------------------+---------+
|       |MAR 2.3.0 HF3 (MAR    |           |                                    |         |
|       |Server Bundle version |           |                                    |         |
|MAR    |2.3.0.171 - includes  |Hotfix     |MAR-Server-Bundle_2.3.0_Build_171_  |September|
|       |MAR Server and        |           |(ENU-RELEASE-MAIN).zip              |4, 2018  |
|       |Platform packages     |           |                                    |         |
|       |2.3.0.243)            |           |                                    |         |
+-------+----------------------+-----------+------------------------------------+---------+
|MLOS2  |MLOS2 kernel-4.9.116  |Maintenance|kernel-4.9.116-1.mlos2.x86_64.rpm   |August 3,|
|       |                      |Release    |                                    |2018     |
+-------+----------------------+-----------+------------------------------------+---------+
|MLOS3  |MLOS3 kernel-4.9.116  |Maintenance|kernel-4.9.116-1.mlos3.x86_64.rpm   |August 3,|
|       |                      |Release    |                                    |2018     |
+-------+----------------------+-----------+------------------------------------+---------+
|MWG    |7.7.2.17 build 26804  |Main       |mwgappl-7.7.2.17.0-26803-x.86_64.iso|September|
|       |                      |Release    |                                    |11, 2018 |
+-------+----------------------+-----------+------------------------------------+---------+
|MWG    |7.8.2.2 build 26803   |Controlled |mwgappl-7.8.2.2.0-26805-x.86_64.iso |September|
|       |                      |Release    |                                    |11, 2018 |
+-------+----------------------+-----------+------------------------------------+---------+
|NSM    |NSM_MLOS-3.5.0.9465_V1|Hotfix     |NSM_MLOS-3.5.0.9465_V1.bsx          |August   |
|Linux  |Version 3.30          |           |                                    |31, 2018 |
+-------+----------------------+-----------+------------------------------------+---------+

Download and Installation Instructions

See KB56057 for instructions on how to download McAfee products,
documentation, security updates, updates, and hotfixes. Review the
Release Notes and the Installation Guide, which you can download from the
Documentation tab, for instructions on how to install these updates." [1]

McAfee also released a workaround (script) that can be implemented to
mitigate SegmentSmack. [1]

REFERENCES

[1] McAfee Security Bulletin - Multiple McAfee product updates fix Linux
    kernel vulnerability "SegmentSmack" (CVE-2018-5390)
    https://kc.mcafee.com/corporate/index?page=content&id=SB10249

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
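
Added example, not part of the AusCERT bulletin or the McAfee advisory: the two functions named in the vulnerability description maintain the kernel's TCP out-of-order queue, and Linux reports pruning of that queue in the TcpExt section of /proc/net/netstat. The Python below compares two snapshots of those counters to flag a pruning spike on a host still waiting for its patch; the sample snapshots are constructed and the threshold is an assumed value to tune per host.

```python
import time

# TcpExt counters (real names from /proc/net/netstat) tied to out-of-order queue work.
WATCHED = ("PruneCalled", "OfoPruned", "TCPOFOQueue", "TCPOFODrop")

# Constructed snapshots in /proc/net/netstat layout (names line, then values line).
SAMPLE_T0 = ("TcpExt: SyncookiesSent PruneCalled OfoPruned TCPOFOQueue TCPOFODrop\n"
             "TcpExt: 0 3 1 1200 0\n"
             "IpExt: InOctets OutOctets\nIpExt: 1000 2000\n")
SAMPLE_T1 = SAMPLE_T0.replace("0 3 1 1200 0", "0 9203 8801 61200 40")

def parse_tcpext(text):
    """Return {counter: value} from the TcpExt name/value line pair."""
    rows = [ln.split() for ln in text.splitlines() if ln.startswith("TcpExt:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("malformed TcpExt section")
    return dict(zip(rows[0][1:], (int(v) for v in rows[1][1:])))

def assess(before, after, interval_s, prune_per_s=50.0):
    """Classify the interval. prune_per_s is an assumed threshold, not a vendor value."""
    # A counter absent on this kernel is treated as 0.
    delta = {k: after.get(k, 0) - before.get(k, 0) for k in WATCHED}
    if any(v < 0 for v in delta.values()):
        return "counter-reset", delta          # reboot or counter wrap
    rate = (delta["PruneCalled"] + delta["OfoPruned"]) / interval_s
    # Sustained pruning can also come from memory pressure on lossy links,
    # so this is a prompt to look at the peer addresses, not proof of attack.
    return ("investigate" if rate > prune_per_s else "ok"), delta

if __name__ == "__main__":
    def snap():
        with open("/proc/net/netstat") as fh:
            return parse_tcpext(fh.read())
    first = snap()
    time.sleep(10)
    print(assess(first, snap(), 10))
```

Because the bulletin notes that the condition needs a continuous two-way TCP session, an "investigate" result is best followed by checking which established peers are sending the out-of-order segments.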