SuperScan response to Cross Site Scripting (XSS) vulnerability CVE-2013-4884
Technical Articles ID:
KB78992
Last Modified: 5/11/2017
Environment
McAfee SuperScan 4.0
Summary
SuperScan is a free McAfee tool used by customers to quickly scan their networks for system-level information. It is possible to inject a Cross Site Scripting (XSS) payload into the SuperScan HTML report, based on the response from the host. The precondition to successfully exploit this vulnerability is that the attacker must already have a compromised server executing on the scan target network. Therefore, this XSS attack does not give the attacker further privilege escalation or similar advantage. The attack is against the browser when reading a SuperScan report in an HTML browser. This update resolves the vulnerability, whereby the attacker can no longer submit code within the data channel to the HTML report output.

CVE-2013-4884
Cross-site scripting (XSS) vulnerability in McAfee SuperScan 4.0 allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded sequences in a server response, which is not properly handled in the SuperScan HTML report.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4884

Solution
All of these issues are resolved in SuperScan 4.1, which was released to the McAfee Downloads site on July 31, 2013.
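As an added illustration (not SuperScan's own code, which this article does not show) of the two properties a fix for this class of bug needs, here is a minimal report writer in Python: every host-supplied banner is HTML-escaped before it reaches the report, and the report declares its charset so a browser cannot sniff the page as UTF-7 and turn UTF-7 sequences in a banner back into markup. The function names, the 512-character limit and the sample banners are assumptions made for this example.

```python
import html
import re
from typing import Iterable, Tuple

# ASCII control characters (other than tab, LF, CR) have no place in a report.
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def sanitize_banner(raw: bytes, limit: int = 512) -> str:
    """Turn an untrusted host response into inert report text.

    Decoding as Latin-1 maps every byte to exactly one character, so no byte
    sequence can be reinterpreted as a multi-byte encoding; control characters
    are dropped, the text is truncated, then HTML-escaped (quotes included).
    """
    text = _CONTROL.sub("", raw.decode("latin-1"))[:limit]
    return html.escape(text, quote=True)

def render_report(scan_target: str, results: Iterable[Tuple[int, bytes]]) -> str:
    """Build the HTML report; every host-supplied value goes through sanitize_banner.

    The explicit UTF-8 declaration is the other half of the defence: with no
    charset, a browser may sniff the page as UTF-7, in which case a literal
    sequence such as +ADw- is decoded to '<' after escaping already happened.
    """
    rows = "\n".join(
        f"<tr><td>{int(port)}</td><td>{sanitize_banner(banner)}</td></tr>"
        for port, banner in results
    )
    return (
        "<!DOCTYPE html>\n<html><head>\n"
        '<meta charset="utf-8">\n'
        "<title>Scan report</title>\n</head><body>\n"
        f"<h1>Scan of {html.escape(scan_target, quote=True)}</h1>\n"
        "<table><tr><th>Port</th><th>Banner</th></tr>\n"
        f"{rows}\n</table>\n</body></html>\n"
    )

if __name__ == "__main__":
    # Constructed sample responses (assumed values), not captured traffic.
    sample = [
        (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
        (80, b"Server: <script>alert(1)</script>\r\n"),
        (8080, b"+ADw-b+AD4-hello+ADw-/b+AD4-"),
    ]
    print(render_report("192.0.2.10", sample))
```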
SuperScan download instructions
For instructions on how to install/upgrade this new version of SuperScan, review the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the same steps above.

Workaround
If using a vulnerable version of SuperScan, users are advised to scan only trusted hosts on protected networks. Further, users should be cautious of a URL or other unexpected HTML in a scan report. Do not click on unknown URLs.
Related Information
McAfee credits Piotr Duszynski from Trustwave for reporting this flaw.

Frequently Asked Questions (FAQs)
For more information on the CVSS scoring for this issue, see http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C).

What is affected by this security vulnerability?
McAfee SuperScan 4.0 and earlier.

Affected versions:

What issues does this hotfix/patch address?
This update resolves the vulnerability where an attacker can inject an XSS payload into the SuperScan HTML report.

Does this vulnerability affect McAfee enterprise products?
No, SuperScan 4.0 is a free network scanning product.

How do I know if my SuperScan is vulnerable or not?
Right-click the SuperScan.exe icon, then click Properties, Details. You can now see the product version.