Last Modified: 10/15/2013
|Who Should Read This Document:||Technical and Security Personnel|
|Impact of Vulnerability:||Privilege Escalation|
|Overall CVSS Score:||6.4|
|Recommendations:||Update using the McAfee supplied patches|
|Security Bulletin Replacement:||None|
|Location of Updated Software:||http://www.mcafee.com/us/downloads|
This vulnerability requires a valid session ID to perform this attack.
|Product||Patch Hotfix||Release Date|
|Email Gateway (MEG) 7.5 Appliance||7.5.1||October 15, 2013|
|Email Gateway (MEG) 7.0 Appliance||7.0.4||October 31, 2013*|
*MEG 7.0.4 is tentatively expected to be released on this date. This article will be updated once the actual release date has been confirmed.
MEG 7.5.1 and 7.0.4 download instructions
- Launch Internet Explorer.
- Go to to: http://www.mcafee.com/us/downloads.
- Provide your valid McAfee Grant Number.
- Click your product suite.
- Click the applicable product (see table above) and click I Agree.
- Click the Patches tab and click the link to download the product .ZIP file under the Product column.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see article KB56057.
For instructions on how to install / upgrade this patch, review the Release Notes and the Installation Guide (available from the Documentation tab) following the same steps above.
- Connect the OOB NIC to your secure Management network.
- Log on to the Administrator interface on the existing network.
- Click System, Appliance Management, Remote Access.
- Click Out of Band Management.
- Select Enable the out of band interface.
- Type the IP address for the OOB NIC.
- Deselect Enable in-band management to prevent Administrator access on all other interfaces.
- Select Allow permitted hosts / networks listed below in the User Interface Access Configuration field.
- Type the IP address or domain name of the administrator.
- Click Apply.
NOTE: You can now manage your appliance through the Management network.
Frequently Asked Questions (FAQs)
Email Gateway versions older than 7.6.
- MEG 7.0 Appliance 7.0.3 (and earlier)
- MEG 7.5 Appliance 7.5.0
- MEG 7.6 Appliance
Does this vulnerability affect McAfee enterprise products?
Yes, all affected products are Enterprise products.
How do I know if my McAfee product is vulnerable or not?
Use the following instructions for Appliance based products:
- Open the Administrator's User Interface (UI).
- Click the About link.
You then see the product version.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.
What are the CVSS scoring metrics that have been used?
|Related exploit range (AccessVector)||Network|
|Attack complexity (AccessComplexity)||Medium|
|Level of authentication needed (Authentication)||Single Instance|
|Availability of exploit (Exploitability)||Proof of concept code|
|Type of fix available (RemediationLevel)||Official fix|
|Level of verification that vulnerability exists (ReportConfidence)||Confirmed|
NOTE: CVSS version 2.0 vector was used to generate this score.
What has McAfee done to resolve the issue?
McAfee has released several version-specific patches to address this security flaw.
Where do I download the fix?
You can download the fix from http://www.mcafee.com/us/downloads. Users will need to provide their McAfee Grant Number to initiate the download.
How does McAfee respond to this and any other security flaws?
The McAfee key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.
McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.
To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
To submit Beta feedback on any McAfee product, email: email@example.com
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
For patents protecting this product, see your product documentation.
The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.