A vulnerability in ePolicy Orchestrator (ePO) has been discovered and resolved.
AFFECTED SOFTWARE
- ePO 5.1.3 and earlier
- ePO 5.3.2 and earlier
- ePO 5.9.0 and earlier
See SB10197 for remediation instructions.
IMPACT
CVE-2016-2183 (CVSS: 5.3 / 4.8; Severity: Medium) The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, also known as a "Sweet32" attack.
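The following is an added example, not part of the McAfee bulletin and not the SB10197 remediation. It flags cipher suites with a 64-bit block in a listing formatted like `openssl ciphers -v` output, and works out the birthday bound quoted above: about four billion (2^32) 8-byte blocks is 32 GiB under one key. The sample listing is constructed and the function names are illustrative.

```python
import math
import re

# Ciphers with a 64-bit block, as named in the Enc= field of `openssl ciphers -v`.
SMALL_BLOCK_ENC = {"3DES", "DES", "IDEA", "RC2"}
BLOCK_BITS = 64

# Constructed sample in `openssl ciphers -v` format (not taken from any ePO server).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

def small_block_suites(listing):
    """Return the names of suites whose bulk cipher has a 64-bit block."""
    flagged = []
    for line in listing.splitlines():
        m = re.search(r"^(\S+)\s.*\bEnc=([A-Za-z0-9]+)\(", line)
        if m and m.group(2).upper() in SMALL_BLOCK_ENC:
            flagged.append(m.group(1))
    return flagged

def birthday_bound_bytes(block_bits=BLOCK_BITS):
    """Bytes encrypted under one key once about 2^(n/2) blocks have been sent."""
    return 2 ** (block_bits // 2) * (block_bits // 8)

def collision_probability(session_bytes, block_bits=BLOCK_BITS):
    """Birthday approximation: P ~= 1 - exp(-q(q-1) / 2^(n+1)) for q blocks."""
    q = session_bytes // (block_bits // 8)
    return -math.expm1(-q * (q - 1) / 2.0 ** (block_bits + 1))

if __name__ == "__main__":
    print("64-bit block suites:", small_block_suites(SAMPLE))
    print("birthday bound: %d GiB" % (birthday_bound_bytes() // 2**30))
    # Probability that at least two ciphertext blocks collide in one session.
    for gib in (1, 8, 32, 128):
        p = collision_probability(gib * 2**30)
        print("%4d GiB under one key -> P(collision) = %.4f" % (gib, p))
```

The probability stays small for sessions well below the bound and climbs quickly near it, which is why the issue concerns long-duration sessions and why removing 64-bit block suites from the offered list closes it.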
RECOMMENDATION
McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see Knowledge Base article SB10197, McAfee Security Bulletin - ePolicy Orchestrator is vulnerable to Sweet32 vulnerability (CVE-2016-2183) (https://kc.mcafee.com/corporate/index?page=content&id=SB10197)