Doc ID:    ADV223
Version:    1.0
Status:    Published
Published date:    8/26/2014
Categories:    Foxboro Evo, I/A Series



 

Customer Advisory

OpenSSL Vulnerabilities Patched in McAfee Products
August 26, 2014

 



Invensys, now a part of Schneider Electric, is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service. 
  

Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Invensys recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.


Potential Security Vulnerability:

It is recognized that the global threat environment is constantly changing and we are committed to helping our customers protect the security of their installations. We have reviewed the issue described in this Customer Advisory and determined that, if no action is taken, there is potential for a security vulnerability that could allow an attacker to compromise the integrity, availability, or confidentiality of a product. We strongly advise customers to take note of the recommended actions and, where able, to test such actions or patches on non-production systems prior to deployment into production environments. This approach is recommended in order to minimize risk and exposure to announced vulnerabilities.

 


SITUATION

McAfee ePolicy Orchestrator (ePO) is vulnerable to seven (7) OpenSSL vulnerabilities published post-Heartbleed.

  CVE-2014-0224 An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
  CVE-2014-0221 By sending an invalid DTLS handshake to an OpenSSL DTLS client, an attacker can make the code recurse until it crashes, resulting in a denial of service (DoS).
  CVE-2014-0195 A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.
  CVE-2014-0198 A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
  CVE-2010-5298 A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
  CVE-2014-3470 OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial-of-service attack.
  CVE-2014-0076 The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. (Fixed earlier in OpenSSL 1.0.1g)

 

 


SYMPTOMS

These vulnerabilities are not directly found in any Foxboro Evo, I/A Series, Foxboro Control Software, I/A Series SCADA or Triconex product. However, they are present in the McAfee ePolicy Orchestrator (ePO) product, which is supported by I/A Series (v8.5 and newer) and Foxboro Evo.


ACTIONS OR RESOLUTIONS

McAfee advises that this update must be applied immediately to avoid a potential security breach, and to maintain a viable and supported product. Procedures for backing up the current version of McAfee ePO and for installing McAfee's OpenSSL vulnerability hotfix are available at the following link:

https://support.ips.invensys.com/content/mcafee2/vscan2.asp  (Login Required)

FOR INFORMATION
If you have any questions regarding this notification, please contact your local Service Representative or an Invensys Support Center at: 
 
GCS Center        America's GCS      Asia Pacific GCS    EMEA GCS
Location          Foxboro MA USA     Shanghai            Baarn NL
Phone             +1-866-746-6477    +86 21 37180086     +31-3554-84125
Internationally   +1-508-549-2424
Fax               +1-508-549-4999    +86 21 37180196     +31-3554-84230
Email             America's GCS      Asia Pacific GCS    EMEA GCS
 

Regards

John Petty
Director,
Global Customer Support


Distribution to Invensys Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.

All Rights Reserved.


Advisory #: 2014040abi


©Copyright Invensys. All rights reserved