McAfee Security Bulletin - EWS 5.5, 5.6, and MEG 7 patches resolve multiple issues
Security Bulletins ID:  SB10020
Last Modified:  10/10/2013

Summary

Who should read this document: Technical and Security Personnel
Impact of Vulnerability: Critical
Severity Rating: 6.9
Overall CVSS Rating: Critical
Recommendations: Update to Email and Web Security 5.5 Patch 6, Email and Web Security 5.6 Patch 3, McAfee Email Gateway 7.0 Patch 1.
Security Bulletin Replacement: None
Caveats: None
Affected Software: McAfee Email and Web Security 5.x
McAfee Email Gateway 7.0
Location of updated software: See Remediation section below.
Updated on: March 13, 2012

Description

This bulletin and patch cover seven individual issues, all fixed by the listed patches for Email and Web Security 5.5, Email and Web Security 5.6, and Email Gateway 7.0.

This update must be considered Critical. While the individual issues may not be considered that important on their own, in combination they allow an attacker to take complete control and gain ownership of the Appliance. The first two issues could lead to compromised logins; this would make several of the other issues, which require an active login to the Appliance, easier to exploit.

Each issue is explained in further detail below:

NGS00153 – Reflected XSS
McAfee Email and Web Security Appliance Software 5.x and McAfee Email Gateway 7.0 are prone to reflected XSS, allowing an attacker to obtain session tokens and run arbitrary JavaScript in the context of the administrator's browser and the McAfee Security Appliance Management Console/Dashboard.

NGS00154 – Logout Failure
When an administrator closes the Management Console/Dashboard without clicking Logout and returns to the Dashboard later, they appear to be logged out; however, this is simply the state of the JavaScript in their browser, and the session token is still active on the server side. If an attacker gains a session cookie (perhaps using XSS, or by some other means), they can make a dummy login attempt (with a dummy password) and simply edit the (failure) response. They will then be logged in, and can use the Dashboard as if they had logged in as the administrator.
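The failure mode behind NGS00154 is a logout that only changes browser-side state while the server keeps the session alive. The following is an added illustration, not McAfee code: a hypothetical session store with the vulnerable client-only logout beside a hardened logout that revokes the token server-side, with every request authorized against server state and an assumed idle timeout.

```python
# Added example (hypothetical session store, not the appliance's code).
import secrets
import time

IDLE_TIMEOUT = 600  # seconds; assumed value, not from the bulletin


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}

    def login(self, user, password, check_password):
        """Issue a fresh random token only after the credential check passes."""
        if not check_password(user, password):
            return None  # a failed login never yields a session
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def user_for(self, token):
        """Authorize one request: consult server state, never the client's view."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # idle session expired; revoke it
            return None
        s["last_seen"] = self._clock()
        return s["user"]

    def logout_client_only(self, token):
        """Vulnerable pattern: the dashboard forgets the token, the server does not."""
        return None

    def logout(self, token):
        """Hardened pattern: revoke the token on the server."""
        self._sessions.pop(token, None)


def demo():
    now = [1000.0]  # fake clock so the idle-timeout case is deterministic
    store = SessionStore(clock=lambda: now[0])
    creds = {"admin": "correct-horse"}  # constructed sample credential
    check = lambda u, p: creds.get(u) == p
    token = store.login("admin", "correct-horse", check)
    store.logout_client_only(token)
    still_valid = store.user_for(token) == "admin"   # the flaw: token still works
    store.logout(token)
    revoked = store.user_for(token) is None          # fixed: token rejected
    token2 = store.login("admin", "correct-horse", check)
    now[0] += IDLE_TIMEOUT + 1
    expired = store.user_for(token2) is None         # idle timeout also revokes
    return {"still_valid_after_client_logout": still_valid,
            "revoked_after_server_logout": revoked,
            "expired_after_idle": expired}
```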

NGS00155 – Password Reset issue 
Any logged-in user can bypass controls to reset passwords of other administrators.

NGS00156 – Session Disclosure
Active session tokens of other users are disclosed within the Dashboard.

NGS00157 – Weak Encryption of Backups
Password hashes can be recovered from a system backup and easily cracked.

NGS00158 – File Download Issue
Arbitrary file download is possible with a crafted URL, when logged in as any user.

NGS00159 – File Content Leakage
File contents are disclosed as if by the root user, when logged in as any user.

Remediation

The following patches resolve the mentioned vulnerabilities and are available for download from the following locations:

Patch            Location
EWS 5.5 Patch 6  ftp://custftp2.nai.com/outgoing/EWS/v55/Patch6/EWS-5.5p6-2146.108.zip
EWS 5.6 Patch 3  ftp://custftp2.nai.com/outgoing/EWS/v56/Patch3/EWS-5.6p3-2143.111.zip
MEG 7.0 Patch 1  ftp://custftp2.nai.com/outgoing/MEG/Patch1/MEG-7.0.1-2151.108.zip


Acknowledgements

McAfee credits Ben Williams of NGS Secure for reporting this flaw.

Frequently Asked Questions (FAQs)

Who is affected by this security vulnerability?
McAfee Email and Web Security 5.5 Patch 5 and older.
Email and Web Security 5.6 Patch 2 and older.
McAfee Email Gateway 7.0

McAfee recommends that all customers verify that they have applied the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes, McAfee Email and Web Security and McAfee Email Gateway are enterprise products.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/

What are the CVSS scoring metrics that have been used?

NGS00153 - Reflected XSS
Base Score: 8.8
Temporal Score: 6.9
Exploit Range: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: Complete
Integrity: Complete
Availability: None
Availability of Exploit: Proof of concept
Fix available: Official
Verification: Confirmed

NGS00154 - Logout Failure
Base Score: 8.8
Temporal Score: 6.9
Exploit Range: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: Complete
Integrity: Complete
Availability: None
Availability of Exploit: Proof of concept
Fix available: Official
Verification: Confirmed

NGS00155 - Password Reset Issue
Base Score: 7.0
Temporal Score: 5.5
Exploit Range: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality: Partial
Integrity: Complete
Availability: None
Availability of Exploit: Proof of concept
Fix available: Official
Verification: Confirmed

NGS00156 - Session Disclosure
Base Score: 4.9
Temporal Score: 3.8
Exploit Range: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality: Partial
Integrity: Partial
Availability: None
Availability of Exploit: Proof of concept
Fix available: Official
Verification: Confirmed

NGS00157 - Weak Encryption of Backups
Base Score: 3.5
Temporal Score: 2.7
Exploit Range: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality: Partial
Integrity: None
Availability: None
Availability of Exploit: Proof of concept
Fix available: Official
Verification: Confirmed

NGS00158 - File Download Issue
Base Score: 3.5
Temporal Score: 2.7
Exploit Range: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality: Partial
Integrity: None
Availability: None
Availability of Exploit: Proof of concept
Fix available: Official
Verification: Confirmed

NGS00159 - File Content Leakage
Base Score: 3.5
Temporal Score: 2.7
Exploit Range: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality: Partial
Integrity: None
Availability: None
Availability of Exploit: Proof of concept
Fix available: Official
Verification: Confirmed


What has McAfee done to resolve the issue?
McAfee has released a patch for each affected platform to address this security flaw.

Resources

For contact details:

Alternatively:
Log in to the ServicePortal at https://support.mcafee.com:
  • If you are a registered user, type your User Id and Password, and click OK.
  • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.


McAfee product software, upgrades, maintenance releases, and documentation are available from the McAfee Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You will need a valid Grant Number for access. KB56057 provides additional information about the McAfee Downloads site, as well as alternate locations for some products.

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com 
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

© 2003-2013 McAfee, Inc.