Doc ID             : ADV236
Version            : 3.0
Status             : Published
Published date     : 2/16/2015
Categories         : Security Issue; Foxboro Evo; I/A Series; FCS; InFusion
Last Modified date : 4/3/2015

Customer Advisory
Advisory for McAfee ePO POODLE Vulnerability and Mitigation
April 3, 2015


Schneider Electric is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service.   

Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Schneider Electric recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.

Potential Security Vulnerability:

It is recognized that the global threat environment is constantly changing and we are committed to helping our customers protect the security of their installations. We have reviewed the issue described in this Customer Advisory and determined that, if no action is taken, there is a potential security vulnerability that could allow an attacker to compromise the integrity, availability, or confidentiality of a product. We strongly advise customers to take note of the actions recommended, and to test such actions or patches on non-production systems where possible, prior to deployment into production environments. This approach is recommended in order to minimize risk and exposure to announced vulnerabilities.

SITUATION

In October 2014, three researchers from Google published findings about a vulnerability in SSL 3.0, a cryptographic protocol designed to provide secure communication over the internet. Although SSL 3.0 is nearly 15 years old, it is still widely used, including by browsers, VPNs, and email clients. It is used in Tomcat 5.5.x and other products.

POODLE (Padding Oracle On Downgraded Legacy Encryption) is the attack that exploits this vulnerability (CVE-2014-3566). It allows an attacker to steal information over time by altering communications between the SSL client and the server (also known as a man in the middle attack, or MITM). 

McAfee’s ePO 5.0 and later versions disable SSLv3 by default, so the vulnerability is mitigated in those versions.  However, ePO 4.6.6 versions are vulnerable to this issue. Since they run on Tomcat 5.5.x, this issue can be mitigated by editing the server.xml file as described below. 

SYMPTOMS

McAfee ePO software may be used in Schneider Electric's secure Foxboro Evo control networks. There are no known exploits of this vulnerability on Foxboro Evo systems at this time.

ACTIONS OR RESOLUTIONS

Prior to making the changes, run the following NMAP script at a command prompt (or use ZenMap) on a separate MESH network connected computer to verify that the ePO server is vulnerable:

NMAP is available at: http://nmap.org

The Poodle script is available at  http://nmap.org/nsedoc/scripts/ssl-poodle.html

          nmap -sV -v --script ssl-poodle <IP Address>

<IP Address> is the address of the ePO server computer.

You should receive the following results for Port 8443:

If the vulnerability exists, edit the server.xml file, as follows:

  1. Navigate to <ePO_installation_directory>, typically C:\Program Files\McAfee\ePolicy Orchestrator\server\conf.
  2. Create a backup copy of the server.xml file.
  3. Edit server.xml file using WordPad.
  4. Search for <Connector to find Connector elements (make sure to include the < character at the beginning of the search string).  Perform this step for both Tomcat listening ports 8443 and 8444.
  5. Within each Connector element, modify the sslProtocol and protocols attributes as illustrated in the following example:

    ePO 4.6 example:

    <Connector id="orion.server.https"
     port="8443" maxHttpHeaderSize="8192"
     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
     enableLookups="false" disableUploadTimeout="true"
     acceptCount="100" scheme="https" secure="true"
     clientAuth="want" sslProtocol="TLSv1.2"
     protocols="TLSv1,TLSv1.1,TLSv1.2"

    NOTE: If the protocols attribute does not exist, add this line immediately following the sslProtocol attribute.
  6. Restart the McAfee ePolicy Orchestrator 4.6.6 Application Server service. Restarting this service also requires a restart of two other McAfee services; they are listed in a popup, where you select 'Yes'.
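The condition steps 4 and 5 describe can also be checked programmatically. The following is an added example, not Schneider Electric's or McAfee's code: it parses the Connector elements on the two Tomcat ports named in the advisory, flags a missing protocols attribute or an SSLv3 entry, and shows the step 5 attribute values applied; the sample server.xml is constructed and the apply_advisory_fix helper is illustrative.

```python
import xml.etree.ElementTree as ET

EPO_TLS_PORTS = {"8443", "8444"}             # Tomcat listening ports named in step 4
REQUIRED_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"  # protocols value from the ePO 4.6 example


def audit_connectors(server_xml):
    """Return {port: finding} for each Connector on an ePO TLS port.
    'ok' means a protocols attribute exists and lists no SSLv2/SSLv3
    entry; anything else is a Connector that step 5 still has to change."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        if port not in EPO_TLS_PORTS:
            continue  # e.g. the plain HTTP connector
        protocols = conn.get("protocols")
        if protocols is None:
            # The NOTE in step 5: when the protocols attribute is absent it
            # has to be added immediately after sslProtocol.
            findings[port] = "missing protocols attribute"
            continue
        legacy = sorted(p.strip() for p in protocols.split(",")
                        if p.strip().upper().startswith("SSL"))
        findings[port] = ("legacy protocols enabled: " + ",".join(legacy)
                          if legacy else "ok")
    return findings


def apply_advisory_fix(server_xml):
    """Set sslProtocol/protocols on the ePO TLS Connectors as in step 5.
    ElementTree re-serialises the document, so comments and attribute
    layout are lost: audit the real file, edit it by hand as the advisory
    describes, then re-audit the result."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("port") in EPO_TLS_PORTS:
            conn.set("sslProtocol", "TLSv1.2")
            conn.set("protocols", REQUIRED_PROTOCOLS)
    return ET.tostring(root, encoding="unicode")


# Constructed sample server.xml: 8443 lacks protocols, 8444 still lists SSLv3.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector id="orion.server.https" port="8443" scheme="https"
             secure="true" clientAuth="want" sslProtocol="TLS"/>
  <Connector port="8444" scheme="https" secure="true"
             sslProtocol="TLSv1.2" protocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""
```

Run audit_connectors against the real server.xml before and after the manual edit; the nmap check in this advisory remains the confirmation from the network side.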

After making these changes, run the following NMAP script again to verify that the ePO server is not vulnerable:

nmap -sV -v --script ssl-poodle <IP Address>

You should receive the following results for port 8443:

FOR INFORMATION

If you have any questions regarding this article, please contact your local Service Representative or a Schneider Electric Support Center at:

GCS Center         Location         Phone             Internationally    Fax               Email
America's GCS      Foxboro MA USA   +1-866-746-6477   +1-508-549-2424    +1-508-549-4999   America's GCS
Asia Pacific GCS   Shanghai         +86 21 37180086                      +86 21 37180196   Asia Pacific GCS
EMEA GCS           Baarn NL         +31-3554-84125                       +31-3554-84230    EMEA GCS


Regards,

John Petty
Director,
Global Customer Support


Distribution to Schneider Electric Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.


Advisory #: 2015013abi Rev 3

©Schneider Electric. All rights reserved