Loading...

Knowledge Center


McAfee Security Bulletin - McAfee EMM update fixes man-in-the-middle attack flaws in EMM Portal
Security Bulletins ID:  SB10022
Last Modified:  04/19/2012

Summary

Who should read this document:
Technical and Security Personnel
 Impact of Vulnerability:
EMMPortal Sessions can be compromised by an attacker
 CVE Number:
 
 US CERT Number:
 
 Severity Rating:
Moderate
 Overall CVSS Rating:
0.9
 Recommendations:
Update to McAfee EMM 10.0
 Security Bulletin Replacement:
 
 Caveats:
 
 Affected Software:
McAfee EMM 9.7.1 and earlier
 Location of updated software:

Description

Several legacy features of the McAfee Enterprise Mobility Manager (EMM) Portal can possibly be used to execute man-in-the-middle attacks against EMM users.  Specifically:
  • The Login.aspx page does not disable browser Autocomplete support.
  • The About.aspx page displays excessive details for the “User Agent” and “Connection” string variables allowing for a possible Cross-Site Scripting (XSS) attack.
  • The About.aspx page displays the IIS user which the worker process is running as.
  • The ASP.NET Session Cookie is not marked with the Secure flag.
 
References
 
McAfee Security Bulletin SB10022
This security bulletin.

Remediation

Patches are available on the McAfee EMM product support site using your McAfee Grant Number. McAfee EMM 10.0 download Instructions.
  1. Launch Internet Explorer.
  2. Navigate to: https://secure.mcafee.com/apps/downloads/my_products/login.asp
  3. Provide your valid McAfee grant number.
  4. Select the product and click View Available Downloads.
  5. Click McAfee Enterprise Mobility Manager.
  6. Click the link to download the product zip file under Download on the Software Downloads.
For instructions on how to install / upgrade this fix, please review the Installation Guide that can be download from the Documentation tab.

Workaround

Microsoft IIS has two features to temporarily remediate these issues:
  • Within a Website’s SSL Settings, the site can be configured to require SSL and not support basic HTTP connectivity.
  • The IIS Request Filtering feature can be used to prevent access to the About.aspx page as it does not provide end-user functionality.

Acknowledgements

McAfee credits Laurent Oudot of TEHTRI-Security and Scott White of Diebold for reporting this flaw.

This document was written by Harold Toomey, Principal Product Security Architect, McAfee, Inc.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/support/default.asp

Frequently Asked Questions (FAQs)

Who is affected by this security vulnerability?
All McAfee customers using McAfee EMM 9.7.1 and earlier.
McAfee recommends that all customers verify that they have applied the latest updates.
 
Does this vulnerability affect McAfee enterprise products?
Yes, McAfee EMM 9.7.1 is an enterprise product.
 
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/
 
What are the CVSS scoring metrics that have been used?
CVSS version 2.0 was used to generate this score.
 

 Base Score
1.2
 Access Vector
0.7
 Access Complexity
0.8
 Authentication
0.6
 Confidentiality Impact
0.7
 Integrity Impact
0.0
 Availability Impact
0.0
 Adjusted Temporal Score
0.9
 Exploitability
0.9
 Remediation Level
0.87
 Report Confidence
1.0

 
What has McAfee done to resolve these issues?
McAfee has released McAfee EMM 10.0 to address this security flaw.
 
Will there be a patch issued for McAfee EMM 9.7.1 or earlier?
No. You will be required to upgrade to McAfee EMM 10.0 or later.
 
Where do I download the fix?
The fix can be downloaded from: 
 
Users will need to provide their McAfee Grant Number to initiate the download. 
 
To install, please refer to the installation and upgrade sections of the McAfee EMM Installation Guide.
 
How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx.
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com.
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx.
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright.
 
For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Rate this document

Did this article resolve your issue?

Please provide any comments below

Glossary of Technical Terms


Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.
United States - English
© 2003-2013 McAfee, Inc.