ePO Sustaining Statement
Date: September 11, 2018
This document describes Sustaining position relative to the support of a Trellix-branded application. Response to OpenSSL vulnerabilities CVE-2018-0732 and CVE-2018-0737.
Overview
This document addresses concerns about ePO and the OpenSSL vulnerabilities.
The OpenSSL Security Advisory are published at the following locations:
Description
- CVE-2018-0732:
During key agreement, in a TLS handshake using a DH(E)-based cipher suite, a malicious server can send a large prime value to the client. This action causes the client to spend an unreasonably long time generating a key for this prime, resulting in a hang until the client has finished.
This process can be exploited in a Denial-of-Service attack.
- CVE-2018-0737:
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process can recover the private key.
Research and Conclusions
The ePO Engineering team has researched these vulnerabilities and determined that it does
not affect ePO.
- CVE-2018-0732 - ePO does not make any TLS connection to a malicious server running on OpenSSL and hence the CVE isn't applicable.
- CVE-2018-0737 - ePO relies on the underlying RSA BSAFE crypto provider for RSA key generation and does not use OpenSSL.
