Loading...

Knowledge Center


McAfee Security Bulletin - McAfee Network Data Loss Prevention 9.2.2 update resolves six low severity security issues
Security Bulletins ID:   SB10044
Last Modified:  8/7/2015
Rated:


Summary

 
 Who Should Read This Document: Technical and Security Personnel
 Impact of Vulnerability: Authentication Issue
Data Disclosure
Security Misconfiguration
Session Hijacking
 CVE Number: None
 US CERT Number: None
 Severity Rating: Low (all)
 Overall CVSS Score: 1.1 - 2.7
 Recommendations: Install or update to Network Data Loss Prevention (NDLP) 9.2.2
 Security Bulletin Replacement: None
 Caveats: None
 Affected Software:

NDLP 9.2.1, 9.2.0, 8.6 (and earlier)

 Location of Updated Software: http://www.mcafee.com/us/downloads


 

Description

Six minor flaws have been fixed in NDLP. Five of these require local access to the system, which in typical post-installation configurations will be restricted to appropriate administrative personnel.

The complexity of the administrative password has also been increased to achieve a higher standard of resistance to discovery and/or brute force cracking.

Upon technical analysis, three issues reported by the discoverers (see below) operate according to the product design. These have been closed as not a security issue.

This bulletin outlines these issues according to McAfee’s Product Security Policy. McAfee strives to be transparent with our customers about potential issues in McAfee products.

This update resolves the following issues:
 
Vulnerability CWE Cat. Fixed in Version Notes CVSS Score
Application exposes logs CWE285 9.2.2 Fixed 1.3
Arbitrary file read CWE73 9.2.2 Fixed 1.1
Verbose error messages CWE209 9.2.2 Fixed 1.3
Unintended functionality exposed   9.2.2 Fixed 1.3
Inadequate password complexity policy   9.2.2 Fixed 2.7
Domain field of login form accepts arbitrary value   9.2.2 Fixed 1.6
Account lock-out policy not in place   Closed Fixed N/A
Information disclosure in McAfee Agent Activity Log web interface   Closed Log restriction must be configured in ePO, as per the design. Please see additional note** entry below. N/A
Incorrect permissions assigned to application resources CWE732 Closed Permissions function as designed. N/A


These flaws are encountered when NDLP is in its default configuration state. Changing the root password, as suggested for any deployment use case, restricts the disclosure vulnerabilities to only the highest level of access privilege.

Typically, the NDLP Management Console will be deployed on a trusted network and should have access granted only on an as-needed basis. Data Loss Prevention tools are typically among an organization’s most sensitive systems and should be restricted as such. Before updating the software with the fixes, customers are advised to configure typical system and network access controls (see Workaround section below).

When access to NDLP is restricted appropriately, these vulnerabilities pose a small security risk from insider misuse. The risk is reflected in the low CVSS scores.

Affected Components:
McAfee NDLP: McAfee DLP Manager, McAfee DLP Prevent, McAfee DLP Discover, McAfee DLP Monitor.

NOTE: McAfee DLP Endpoint (DLPe) is not affected by these issues.

** The visibility of the McAfee Agent events log file is configured through ePolicy Orchestrator (ePO). Log file visibility operates according to the McAfee Agent design and as documented. McAfee Agent is independent from NDLP.

All of these issues are resolved in NDLP version 9.2.2, released on May 15, 2013.

Remediation

All of these issues are resolved in NDLP 9.2.2.

NDLP 9.2.2 download instructions.
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads
  3. Provide your valid McAfee grant number.
  4. Select the product and click View Available Downloads.
  5. Click McAfee Network Data Loss Prevention.
  6. Click the link to download the product .ZIP file under Download on the Software Downloads screen.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see article KB56057.

For instructions on how to install / upgrade this patch, review the Release Notes and the Installation Guide (available from the Documentation tab) following the same steps above.

Workaround

Before upgrading to version 9.2.2, McAfee strongly recommends that you configure typical system and network access controls.
  • The default root password of the system should be changed to a strong, unguessable password.
  • The NDLP Management console should be placed only on a trusted network.
  • Only personnel with a “need-to-know” should be given accounts on NDLP systems.
  • Network restrictions should be placed such that only NDLP Monitors can communicate with NDLP Managers.
  • Only a single network interface (NIC) should be used for inter-system communications.
  • Management functions should be presented on only a single NIC. The management NIC should only accept connections from a trusted, restricted network.
     

Acknowledgements

McAfee credits Graeme Bell and Jamie Ooi from BAE Systems Detica for reporting these flaws.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
See details below.

Affected versions:

  • NDLP 9.2.1
  • NDLP 9.2.0
  • NDLP 8.6 (and earlier)

Protected versions:

  • NDLP 9.2.2 (and later) 

McAfee recommends that all customers verify that they have applied the latest updates.


What issues does this hotfix / patch address?

  • 829731 - Application exposes logs
  • 829733 - Arbitrary file read
  • 829735 - Verbose error messages
  • 829740 - Unintended functionality exposed
  • 829742 - Inadequate password complexity policy
  • Domain field of login form accepts arbitrary value

Does this vulnerability affect McAfee enterprise products?
Yes, NDLP 9.2.1, 9.2.0, and 8.6 are enterprise products.


How do I know if my NDLP is vulnerable or not?

  1. Log on to the NDLP Management console.
  2. Click System, System Administration, Devices.
  3. Click More in the Advanced table column for the More=Manager row.
  4. The product version displays in the System Information section.


What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/


What are the CVSS scoring metrics that have been used?

829731 - Application exposes logs

 Base Score 1.7
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) Low
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Partial
 Integrity impact None
 Availability impact None
 Temporal Score 1.3
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:O/RC:C   


829733 - Arbitrary file read

 Base Score 1.5
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Partial
 Integrity impact None
 Availability impact None
 Temporal Score 1.1
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:O/RC:C


829735 - Verbose error messages

 Base Score 1.7
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) Low
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Partial
 Integrity impact None
 Availability impact None
 Temporal Score 1.3
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:O/RC:C)  


829740 - Unintended functionality exposed

 Base Score 1.7
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) Low
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact None
 Integrity impact Partial
 Availability impact None
 Temporal Score 1.3
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:O/RC:C

 
829742 - Inadequate password complexity policy

 Base Score 3.6
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) High
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact None
 Integrity impact Partial
 Availability impact Partial
 Temporal Score 2,7
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:P/E:U/RL:O/RC:C)  


Domain field of login form accepts arbitrary value

 Base Score 2.1
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) Low
 Level of authentication needed (Authentication) None
 Confidentiality impact None
 Integrity impact None
 Availability impact Partial
 Temporal Score 1.6
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C)  



What has McAfee done to resolve the issue?
McAfee released a version update to address this security flaw on May 15, 2013.

Where do I download the fix?
The fix can be downloaded from:  http://www.mcafee.com/us/downloads
Users will need to provide their McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.

Resources

{SBRESOURCES.EN_US}

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Rate this document

Did this article resolve your issue?

Please provide any comments below

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.