OpenSSL Vulnerabilities Patched in McAfee Products
August 26, 2014
Invensys, now a part of Schneider Electric, is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service.
Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Invensys recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.
Potential Security Vulnerability:
It is recognized that the global threat environment is constantly changing and we are committed to helping our customers protect the security of their installations. We have reviewed the issue described in this Customer Advisory and determined that, if no action is taken, there is potential for a security vulnerability that could allow an attacker to compromise the integrity, availability, or confidentiality of a product. We strongly advise customers to take note of the recommended actions and to test such actions or patches on non-production systems, where possible, before deploying them into production environments. This approach is recommended in order to minimize risk and exposure to announced vulnerabilities.
McAfee ePolicy Orchestrator (ePO) is vulnerable to seven (7) OpenSSL vulnerabilities published post-Heartbleed.
| CVE | Description |
|---|---|
| CVE-2014-0224 | An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. |
| CVE-2014-0221 | By sending an invalid DTLS handshake to an OpenSSL DTLS client, the code can be made to recurse, eventually crashing in a DoS attack. |
| CVE-2014-0195 | A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. |
| CVE-2014-0198 | A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common. |
| CVE-2010-5298 | A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common. |
| CVE-2014-3470 | OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial-of-service attack. |
| CVE-2014-0076 | The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. (Fixed earlier in OpenSSL 1.0.1g) |
These vulnerabilities are not directly found in any Foxboro Evo, I/A Series, Foxboro Control Software, I/A Series SCADA or Triconex product. However, they are present in the McAfee ePolicy Orchestrator (ePO) product, which is supported by I/A Series (v8.5 and newer) and Foxboro Evo.
ACTIONS OR RESOLUTIONS
McAfee advises that this update must be applied immediately to avoid a potential security breach and to maintain a viable and supported product. Procedures for backing up the current version of McAfee ePO and for installing McAfee’s OpenSSL vulnerability hotfix are available at the following link:
| GCS Center | America's GCS | Asia Pacific GCS | EMEA GCS |
|---|---|---|---|
| Location | Foxboro MA USA | Shanghai | Baarn NL |
| Phone | +1-866-746-6477 | +86 21 37180086 | +31-3554-84125 |
| Fax | +1-508-549-4999 | +86 21 37180196 | +31-3554-84230 |
Global Customer Support
Distribution to Invensys Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.
All Rights Reserved.