McAfee Security Bulletin - McAfee Email Gateway update fixes access control bypass
Security Bulletins ID:  SB10009
Last Modified:  09/20/2011

Summary

Who should read this document: Technical and Security Personnel
Impact of Vulnerability: Access control bypass
CVE Number:  
Severity Rating: Medium
Overall CVSS Rating: 4.7
Recommendations: Install McAfee Email Gateway 6.7.2 Hotfix 3.
Security Bulletin Replacement: None
Caveats: None
Affected Software: IronMail 6.7.1 and McAfee Email Gateway 6.7.2 HF2
Location of updated software: https://supportcenter.securecomputing.com/

Description

This update fixes an access control bypass in the web user interface of McAfee Email Gateway (formerly IronMail). It could allow an authenticated user whose role grants only read access to specific settings to write those settings. The hotfix fully corrects the issue.

The flaw is in the web-based user interface. By manipulating the input variables submitted with specific forms, a user who should only be able to read particular values can write them as well, because those forms did not correctly enforce access control on the server side. Exploitation requires a valid login to the web interface, which partly mitigates the issue by limiting exposure to users who already hold an account on the appliance.
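The following is an added illustration of the vulnerability class described above (a read/write restriction that exists only in what the UI rendered, with the server trusting the submitted form), placed beside a handler that enforces the decision on the server. It is not McAfee code and not the actual Email Gateway flaw; the roles, settings and field names are constructed for the demonstration.

```python
"""Illustration of the access control bypass class described above: a web
form whose read/write restriction lives only in what the UI rendered, beside
a handler that enforces it on the server. Added example, not McAfee code and
not the actual Email Gateway flaw; roles, settings and field names are
constructed for the demonstration."""

from dataclasses import dataclass

# Constructed appliance settings a form would expose.
DEFAULT_SETTINGS = {"relay_host": "mail.example.internal", "max_msg_size_mb": 25}

# Per-role permission on each field: "read" may view, "write" may change.
ROLE_PERMS = {
    "admin":   {"relay_host": "write", "max_msg_size_mb": "write"},
    "auditor": {"relay_host": "read",  "max_msg_size_mb": "read"},
}


@dataclass
class Session:
    """An authenticated web UI session; the attacker in this bulletin has one."""
    user: str
    role: str


class Forbidden(Exception):
    pass


def render_form(session, settings):
    """Fields as the UI would render them. For a read-only role the input is
    shown disabled, which is a display decision, not an authorisation check."""
    perms = ROLE_PERMS[session.role]
    return {name: {"value": settings[name], "editable": perms[name] == "write"}
            for name in settings}


def save_vulnerable(session, settings, posted):
    """Vulnerable handler: it trusts that a disabled input cannot be submitted,
    so it checks only that each posted name is a known field. A read-only user
    who re-adds the field to the POST body gets it written. Returns the names
    that were written."""
    written = []
    for name, value in posted.items():
        if name in settings:
            settings[name] = value
            written.append(name)
    return written


def save_hardened(session, settings, posted):
    """Hardened handler: every submitted field is authorised against the
    session's role on the server, and nothing is written until all fields
    pass, so a rejected request leaves the settings untouched."""
    perms = ROLE_PERMS[session.role]
    for name in posted:
        if perms.get(name) != "write":          # unknown or read-only field
            raise Forbidden(f"{session.user} ({session.role}) may not write {name!r}")
    for name, value in posted.items():
        settings[name] = value
    return list(posted)
```

The point of the hardened variant is that the rendered form is never the source of truth: the role-to-field permission table is consulted again for every name in the request body, and the whole request is rejected before any write if a single field fails, so an attacker cannot smuggle a read-only field in alongside legitimate ones.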

Remediation

McAfee Email Gateway 6.7.2 Hotfix 3 download instructions

If the appliance has connectivity to the update server, perform the steps below:

  1. Log into the McAfee Email Gateway console.
  2. Navigate to System, Updates.
  3. Under Select Update Types, select Hotfix.
  4. Click Select for Hotfix 3 in the Available Updates section, then click Submit. The installation for Hotfix 3 should begin.

If the appliance does not have connectivity to the update server, perform the steps below:
  1. Log into https://supportcenter.securecomputing.com/. If you do not have an account, there is a link to request one.
  2. Navigate to Releases and Hotfixes, then click IronMail.
  3. In the Availability column, right-click 6.7.2 Hotfix 3 and save it to your desktop.
  4. Log into the McAfee Email Gateway console.
  5. Navigate to System, Updates.
  6. Under Select Update Types, select Hotfix.
  7. In the Load a Package section, browse to the Hotfix 3 ZIP file and click Upload.
  8. When the upload is complete, click Select for Hotfix 3 in the Available Updates section, then click Submit. The installation for Hotfix 3 should begin.

Acknowledgements

McAfee credits Nahuel Grisolía of CYBSEC S.A for reporting this flaw.

Support

Corporate Technical Support:

Frequently Asked Questions (FAQs)

Who is affected by this security vulnerability?
IronMail 6.7.1 and McAfee Email Gateway 6.7.2 HF2 are affected.
McAfee recommends that all customers verify that they have applied the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes, McAfee Email Gateway (formerly IronMail) is an enterprise product.

How do I know if my IronMail Server is vulnerable or not?
To confirm the server is not vulnerable, navigate to System, Updates, select Hotfix, and verify that Hotfix 3 is listed under the Installed Updates section.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/


What are the CVSS scoring metrics that have been used?

Base metrics
  Base Score:              6.0
  Access Vector:           Remote
  Access Complexity:       Low
  Authentication:          Required
  Confidentiality Impact:  Complete
  Integrity Impact:        Complete
  Availability Impact:     Complete

Temporal metrics
  Adjusted Temporal Score: 4.7
  Exploitability:          Proof of Concept
  Remediation Level:       Official Fix
  Report Confidence:       Confirmed
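The metric names used here (Remote, Required, Proof of Concept, Official Fix) are those of CVSS version 1, the NIAC scheme referred to in the previous answer, and the v1 equations reproduce both numbers exactly. The script below is added as a worked example of that calculation; it is not McAfee's own calculator. The impact bias is assumed to be Normal because the bulletin does not state it.

```python
"""CVSS v1 base and temporal scoring, as used in the metrics table above.
Added example, not McAfee's calculator. The metric names (Remote, Required,
Proof of Concept, Official Fix) and the values are CVSS v1 (the 2005 NIAC
specification); the impact bias is assumed to be "Normal" because the
bulletin does not state it."""

from decimal import Decimal, ROUND_HALF_UP

# CVSS v1 base metric values.
ACCESS_VECTOR = {"Local": 0.7, "Remote": 1.0}
ACCESS_COMPLEXITY = {"High": 0.8, "Low": 1.0}
AUTHENTICATION = {"Required": 0.6, "Not Required": 1.0}
IMPACT = {"None": 0.0, "Partial": 0.7, "Complete": 1.0}
# Impact bias weights (confidentiality, integrity, availability).
IMPACT_BIAS = {
    "Normal": (0.333, 0.333, 0.333),
    "Confidentiality": (0.5, 0.25, 0.25),
    "Integrity": (0.25, 0.5, 0.25),
    "Availability": (0.25, 0.25, 0.5),
}
# CVSS v1 temporal metric values.
EXPLOITABILITY = {"Unproven": 0.85, "Proof of Concept": 0.9,
                  "Functional": 0.95, "High": 1.0}
REMEDIATION_LEVEL = {"Official Fix": 0.87, "Temporary Fix": 0.90,
                     "Workaround": 0.95, "Unavailable": 1.0}
REPORT_CONFIDENCE = {"Unconfirmed": 0.90, "Uncorroborated": 0.95, "Confirmed": 1.0}


def round1(value):
    """CVSS rounds to one decimal place, half up (Python's round() is half-even)."""
    return float(Decimal(repr(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av, ac, au, conf, integ, avail, bias="Normal"):
    """BaseScore = round1(10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias))."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    return round1(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                  * AUTHENTICATION[au] * impact)


def temporal_score(base, exploit, remediation, confidence):
    """TemporalScore = round1(BaseScore * E * RL * RC); never exceeds the base."""
    return round1(base * EXPLOITABILITY[exploit] * REMEDIATION_LEVEL[remediation]
                  * REPORT_CONFIDENCE[confidence])


def sb10009_scores():
    """Recompute the two numbers the bulletin lists from its own metrics."""
    base = base_score("Remote", "Low", "Required", "Complete", "Complete", "Complete")
    temporal = temporal_score(base, "Proof of Concept", "Official Fix", "Confirmed")
    return base, temporal


if __name__ == "__main__":
    base, temporal = sb10009_scores()
    print(f"Base score: {base}")          # 6.0
    print(f"Temporal score: {temporal}")  # 4.7
```

Running the same vector with Authentication set to Not Required gives a base of 10.0, which shows that the valid-login requirement noted in the Description is what carries this bulletin's score down to 6.0; the official fix and proof-of-concept exploitability then reduce the temporal score to 4.7.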



What has McAfee done to resolve the issue?
McAfee has released a hotfix to address this security flaw.

Where do I download the fix?
The fix can be downloaded from:  https://supportcenter.securecomputing.com/
You may need to provide the Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

© 2003-2013 McAfee, Inc.