McAfee Security Bulletin – Network Data Loss Prevention addresses 17 security issues
Security Bulletins ID:   SB10053
Last Modified:  10/3/2014

Summary

 
 Who Should Read This Document: Technical and Security Personnel
 Impact of Vulnerability: Authentication Issue; Cross-Site Request Forgery (CSRF); Cross-Site Scripting (XSS); Insecure Cryptographic Storage; Insufficient Transport Layer Protection
 CVE Number: CVE-2004-0230, CVE-2000-0219, CVE-1999-0524
 US CERT Number: None
 Severity Rating: Low to High
 Overall CVSS Score: 7.2
 Recommendations: Install or update to Network Data Loss Prevention (NDLP) 9.3
 Security Bulletin Replacement: None
 Caveats: None
 Affected Software:
  • NDLP 9.2.2
  • NDLP 9.2.1
  • NDLP 9.2.0
  • NDLP 8.6 (and earlier)
 Location of Updated Software: http://www.mcafee.com/us/downloads

 

Description

Multiple issues have been reported against NDLP. This release includes fixes for the items listed in the table below.

This bulletin outlines these issues according to McAfee’s Product Security Policy. McAfee strives to be transparent with our customers about potential issues in McAfee products.

This release resolves the 17 issues below:

| Vulnerability | CVE # | CVSS Temporal Score |
|---|---|---|
| 829720 - Cookie without HTTPOnly flag set | | 3.4 |
| 829721 – Password and other sensitive fields have autocomplete set | | 5.0 |
| 829728 – Simultaneous logins allowed | | 3.8 |
| 829734 – Cross site forgery issue | | 4.7 |
| 829737 – SSH key stored unencrypted | | 4.2 |
| 829738 – Local MySQL does not require password | | 4.2 |
| 829739 – Plain text password in application | | 4.2 |
| 829745 – Cross site scripting issue | | 4.7 |
| 844218 – Application exposes sensitive data in Java stack traces | | 1.1 |
| 844230 – Session IDs in Audit log | | 3.0 |
| No authentication for single user mode | CVE-2000-0219 | 7.2 |
| ICMP redirection allowed | | 6.8 |
| 883565 - TLS/SSL Server supports Weak Cipher Algorithms | | 5.5 |
| Partition Mounting Weakness | | 1.8 |
| TCP windows scale option is enabled | CVE-2004-0230 | 0.0 |
| ICMP information such as netmask and timestamp is allowed from unknown host | CVE-1999-0524 | 0.0 |
| 829741 - Unnecessary open network ports | | 1.0 |


Typically, the NDLP Management Console is deployed on a trusted network and will have access granted only on an as-needed basis. Data Loss Prevention tools are typically among an organization’s most sensitive systems and should be restricted as such. Before updating the software with the fixes, customers are advised to configure typical system and network access controls (see IMPORTANT entry in the Remediation section below).

When access to NDLP is restricted appropriately, these vulnerabilities pose a reduced security risk from insider misuse.

Affected Components for NDLP:
  • McAfee DLP Manager
  • McAfee DLP Prevent
  • McAfee DLP Discover
  • McAfee DLP Monitor

NOTES:
  • This issue has been addressed for those networks that do not use Network Address Translation (NAT). Remediation for networks using NAT will be made available in a future patch release.
  • SB10044 addressed 6 NDLP vulnerabilities on July 11, 2013. This security bulletin addresses 17 additional NDLP issues.
  • All fixes detailed in SB10044 are included in this release.
  • DLP Endpoint (DLPE) is not affected by these issues.
All of these issues are resolved in NDLP 9.3 released on August 5, 2013.

Remediation

All of these issues are resolved in NDLP 9.3.

IMPORTANT: Before upgrading to NDLP 9.3, McAfee strongly recommends that you configure typical system and network access controls. See below for details:
  • The default root password of the system should be changed to a strong, un-guessable password.
  • The NDLP Management console should be placed only on a trusted network.
  • Only personnel with a “need-to-know” should be given accounts on NDLP systems.
  • Network restrictions should be placed such that only NDLP Monitors can communicate with NDLP Managers.
  • Only a single network interface card (NIC) should be used for inter-system communications.
  • Management functions should be presented on only a single NIC. The management NIC should only accept connections from a trusted, restricted network.

NDLP 9.3 download instructions:
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads.
  3. Provide your valid McAfee grant number.
  4. Select the product and click View Available Downloads.
  5. Click McAfee Data Loss Prevention.
  6. Click the link to download the product .ZIP file under Download on the Software Downloads screen.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see article KB56057.

For instructions on how to install / upgrade this patch, review the Release Notes and the Installation Guide (available from the Documentation tab) following the same steps above.

Workaround

There is no workaround for this issue.

Acknowledgements

McAfee credits the following companies for reporting these flaws:
  • ANZ Bank
  • BAE Systems (Pen Test)
  • Graham Bell, Stratsec.Detica
  • Jamie Ooi
  • DirecTV
  • Xylinx
  • Telstra
Several of these vulnerabilities were also disclosed by The MITRE Corporation as:
  • CVE-2004-0230
  • CVE-2000-0219
  • CVE-1999-0524

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport

Frequently Asked Questions (FAQs)

What is affected by these security vulnerabilities?
McAfee NDLP 9.2.2 and earlier.

Affected Versions:

  • NDLP 9.2.2
  • NDLP 9.2.1
  • NDLP 9.2.0
  • NDLP 8.6 (and earlier)

Protected Versions:

  • NDLP 9.3 (and later)

McAfee recommends that all customers verify that they have applied the latest updates.

What issues does this release address?
See issues listed in the Description section table above.

NOTE: The 6-digit number prefixes are internal McAfee Bugzilla tracking IDs.

Do these vulnerabilities affect McAfee enterprise products?
Yes, NDLP is an Enterprise product.

How do I know if my NDLP is vulnerable or not?

  1. Log on to the NDLP Management console.
  2. Click System, System Administration, Devices.
  3. Click More in the Advanced table column for the More=Manager row.
  4. The product version displays in the System Information section.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.


What are the CVSS scoring metrics that have been used?
The tables below score each of the issues called out above in the Description section.

829720 - Cookie without HTTPOnly flag set

 Base Score 4.3
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) None
 Confidentiality impact Partial
 Integrity impact None
 Availability impact None
 Temporal Score 3.4
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:O/RC:C)      


829721 – Password and other sensitive fields have autocomplete set

 Base Score 5.8
 Related exploit range (AccessVector) Adjacent Network
 Attack complexity (AccessComplexity) Low
 Level of authentication needed (Authentication) None
 Confidentiality impact Partial
 Integrity impact Partial
 Availability impact Partial
 Temporal Score 5.0
 Availability of exploit (Exploitability) High
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:O/RC:C)      


829728 – Simultaneous logins allowed

 Base Score 4.9
 Related exploit range (AccessVector) Adjacent Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Partial
 Integrity impact Partial
 Availability impact Partial
 Temporal Score 3.8
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:S/C:P/I:P/A:P/E:PC/RL:O/RC:C)      


829734 – Cross site forgery issue

 Base Score 6.3
 Related exploit range (AccessVector) Adjacent Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Partial
 Integrity impact Partial
 Availability impact Complete
 Temporal Score 4.7
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:S/C:P/I:P/A:C/E:U/RL:O/RC:C)      


829737 – SSH key stored unencrypted

 Base Score 5.7
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) High
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Complete
 Integrity impact Complete
 Availability impact Partial
 Temporal Score 4.2
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:H/Au:S/C:C/I:C/A:P/E:U/RL:O/RC:C)      


829738 – Local MySQL does not require password

 Base Score 5.7
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) High
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Complete
 Integrity impact Complete
 Availability impact Partial
 Temporal Score 4.2
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:H/Au:S/C:C/I:C/A:P/E:U/RL:O/RC:C)      


829739 – Plain text password in application

 Base Score 5.7
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) High
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Complete
 Integrity impact Complete
 Availability impact Partial
 Temporal Score 4.2
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:H/Au:S/C:C/I:C/A:P/E:U/RL:O/RC:C)


829745 – Cross site scripting issue

 Base Score 6.3
 Related exploit range (AccessVector) Adjacent Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Partial
 Integrity impact Partial
 Availability impact Complete
 Temporal Score 4.7
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:S/C:P/I:P/A:C/E:U/RL:O/RC:C)      


844218 – Application exposes sensitive data in Java stack traces

 Base Score 1.5
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Partial
 Integrity impact None
 Availability impact None
 Temporal Score 1.1
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:O/RC:C)      


844230 – Session IDs in Audit log

 Base Score 4.1
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Partial
 Integrity impact Partial
 Availability impact Partial
 Temporal Score 3.0
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:O/RC:C)      


No authentication for single user mode

 Base Score 7.2
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) Low
 Level of authentication needed (Authentication) None
 Confidentiality impact Complete
 Integrity impact Complete
 Availability impact Complete

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2000-0219&vector=(AV%3AL/AC%3AL/Au%3AN/C%3AC/I%3AC/A%3AC)      


ICMP redirection allowed

 Base Score 6.8
 Related exploit range (AccessVector) Adjacent Network
 Attack complexity (AccessComplexity) High
 Level of authentication needed (Authentication) None
 Confidentiality impact Complete
 Integrity impact Complete
 Availability impact Complete

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2000-0219&vector=(AV:A/AC:H/Au:N/C:C/I:C/A:C)      


883565 - TLS/SSL Server supports Weak Cipher Algorithms

 Base Score 7.4
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Complete
 Integrity impact Complete
 Availability impact Complete
 Temporal Score 5.5
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:O/RC:C)      


Partition Mounting Weakness

 Base Score 2.4
 Related exploit range (AccessVector) Local
 Attack complexity (AccessComplexity) High
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Partial
 Integrity impact Partial
 Availability impact None
 Temporal Score 1.8
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:O/RC:C)      


829741 - Unnecessary open network ports

 Base Score 1.4
 Related exploit range (AccessVector) Adjacent Network
 Attack complexity (AccessComplexity) High
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Partial
 Integrity impact None
 Availability impact None
 Temporal Score 1.0
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:H/Au:S/C:P/I:N/A:N/E:U/RL:O/RC:C)      



What has McAfee done to resolve the issue?
McAfee has released a version update to address these security flaws.

Where do I download the fix?
The fix can be downloaded from:  http://www.mcafee.com/us/downloads
Users will need to provide their McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
