McAfee Security Bulletin – Email Gateway privilege escalation issue patched
Security Bulletins ID:  SB10057
Last Modified:  10/15/2013

Summary

Who Should Read This Document: Technical and Security Personnel
Impact of Vulnerability: Privilege Escalation
CVE Number: None
CERT/CC Number: None
Severity Rating: Medium
Overall CVSS Score: 6.4
Recommendations: Update using the McAfee supplied patches
Security Bulletin Replacement: None
Caveats: None
Affected Software:
  • McAfee Email Gateway (MEG) 7.0 Appliance
  • McAfee Email Gateway (MEG) 7.5 Appliance
Location of Updated Software: http://www.mcafee.com/us/downloads

Description

Specially crafted data submitted to the appliance's graphical user interface is executed as code rather than treated as data. An attacker can use this to run arbitrary shell commands on the appliance, which can lead to root (super-user) access.

Exploiting this vulnerability requires a valid session ID on the management interface, that is, the attacker must already be authenticated or have obtained an authenticated user's session.
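The description above names the vulnerability class (GUI input that ends up executed as shell commands) but not the affected code. The following Python is an added illustration of that class and is not McAfee's code: the admin diagnostics page, the `ping` command, the hostname field and the payload `10.0.0.1; id` are all hypothetical. It shows why concatenating a field into a shell string lets a `;` introduce a second command, and the two fixes that together close the hole: validate the field against a strict allowlist, and hand it to the child as a single argv element with no shell in the path. The privilege point is separate: the bulletin says the result is root, which means the management interface was running with more privilege than a web front end needs.

```python
import re
import shlex
import subprocess
import sys

# Constructed payload: a hostname field on a hypothetical admin diagnostics
# page, carrying a second shell command after the ';'.
INJECTED = "10.0.0.1; id"


def vulnerable_cmdline(host: str) -> str:
    """The flawed pattern: GUI input concatenated into a shell string that
    would then be run through a shell (os.popen, system, shell=True).
    Returned rather than executed so the injection can be inspected."""
    return "ping -c 1 " + host


def shell_commands(cmdline: str) -> list:
    """Tokenise a command line the way a POSIX shell would and split it on
    command separators, revealing how many commands the shell would run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Allowlist for the field: a hostname or dotted IPv4, no shell metacharacters,
# and no leading '-' so the value cannot be parsed as an option either.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def safe_argv(host: str) -> list:
    """Hardened form: validate, then build an argv list. Each element reaches
    the program as exactly one argument; no shell ever parses the value."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host field: %r" % host)
    return ["ping", "-c", "1", host]


def echo_argument(value: str) -> str:
    """Run a child without a shell and return what it received as argv[1].
    The Python interpreter stands in for ping so this runs anywhere."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    # Vulnerable path: the shell would run two commands, ping and id.
    print(shell_commands(vulnerable_cmdline(INJECTED)))
    # Hardened path: the payload fails validation ...
    try:
        safe_argv(INJECTED)
    except ValueError as err:
        print(err)
    # ... and even without validation, passed as argv it is one inert string.
    print(echo_argument(INJECTED))
```

Both halves matter: the allowlist stops the bad value at the boundary, and argv without a shell means that even a value that slips past validation is never interpreted as command syntax.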

Remediation

Go to the McAfee Downloads site and download the applicable product patch/hotfix file: 

Product                             Patch/Hotfix   Release Date
Email Gateway (MEG) 7.5 Appliance   7.5.1          October 15, 2013
Email Gateway (MEG) 7.0 Appliance   7.0.4          October 31, 2013*

*MEG 7.0.4 is tentatively expected to be released on this date. This article will be updated once the actual release date has been confirmed.


MEG 7.5.1 and 7.0.4 download instructions

  1. Launch Internet Explorer.
  2. Go to: http://www.mcafee.com/us/downloads.
  3. Provide your valid McAfee Grant Number.
  4. Click your product suite.
  5. Click the applicable product (see table above) and click I Agree.
  6. Click the Patches tab and click the link to download the product .ZIP file under the Product column.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see article KB56057.

For instructions on how to install / upgrade this patch, review the Release Notes and the Installation Guide (available from the Documentation tab) following the same steps above. 

Workaround

McAfee recommends that you configure the appliance for management only through the Out-of-Band (OOB) interface, and configure access controls for the GUI so that only the administrator's host can reach it. Note that this limits exposure only: the flaw remains, and anyone holding a valid administrator session can still exploit it, so apply the patch as soon as it is available. To restrict management to the OOB interface:
  1. Connect the OOB NIC to your secure Management network.
  2. Log on to the Administrator interface on the existing network.
  3. Click System | Appliance Management | Remote Access.
  4. Click Out of Band Management.
  5. Select Enable the out of band interface.
  6. Type the IP address for the OOB NIC.
  7. Deselect Enable in-band management to prevent Administrator access on all other interfaces.
  8. Select Allow permitted hosts / networks listed below in the User Interface Access Configuration field.
  9. Type the IP address or domain name of the administrator.
  10. Click Apply.

    NOTE: You can now manage your appliance through the Management network.

Acknowledgements

McAfee credits ANZ Bank for reporting this flaw.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
Email Gateway versions older than 7.6.

Affected versions:
  • MEG 7.0 Appliance 7.0.3 (and earlier)
  • MEG 7.5 Appliance 7.5.0 
Protected versions:
  • MEG 7.6 Appliance
McAfee recommends that all customers verify that they have applied the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes, all affected products are Enterprise products.


How do I know if my McAfee product is vulnerable or not?
Use the following instructions for Appliance based products:

  1. Open the Administrator's User Interface (UI).
  2. Click the About link.
    You then see the product version.


What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.


What are the CVSS scoring metrics that have been used?

 Base Score: 8.2
   Related exploit range (AccessVector): Network
   Attack complexity (AccessComplexity): Medium
   Level of authentication needed (Authentication): Single Instance
   Confidentiality impact: Partial
   Integrity impact: Complete
   Availability impact: Complete
 Temporal Score: 6.4
   Availability of exploit (Exploitability): Proof of concept code
   Type of fix available (RemediationLevel): Official fix
   Level of verification that vulnerability exists (ReportConfidence): Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:C/A:C/E:P/RL:O/RC:C)


What has McAfee done to resolve the issue?
McAfee has released several version-specific patches to address this security flaw.


Where do I download the fix?
You can download the fix from http://www.mcafee.com/us/downloads. Users will need to provide their McAfee Grant Number to initiate the download.


How does McAfee respond to this and any other security flaws?
The McAfee key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.

© 2003-2013 McAfee, Inc.