
McAfee Security Bulletin – McAfee Data Loss Prevention addresses four security issues
Security Bulletins ID:   SB10074
Last Modified:  11/5/2018


Summary

Who Should Read This Document: Technical and Security Personnel
Impact of Vulnerability: Denial of Service; Confidentiality; Integrity; Man-in-the-Middle Attacks
CVE Numbers: CVE-2009-4565
CERT/CC and Other Number: None
Severity Rating: Medium to High
Base / Overall CVSS Score: 7.1 / 5.9; 5.5 / 4.5; 4.4 / 3.4; 4.3 / 3.6
Recommendations: Install or upgrade to Network Data Loss Prevention (NDLP) 9.3.2. After that, apply Hotfix 963587_47041.
Security Bulletin Replacement: None
Caveats: None
Affected Software:
  • NDLP 9.3.2 (without hotfix)
  • NDLP 9.3.1
  • NDLP 9.3.0
  • NDLP 9.2.2
  • NDLP 9.2.1 (and earlier) 
Location of Updated Software: http://www.mcafee.com/us/downloads.aspx

Description

This bulletin outlines several product vulnerabilities according to McAfee’s Product Security Policy. McAfee strives to be transparent with our customers about potential security issues in McAfee products.

This release resolves the four NDLP issues below:

CVE # / McAfee ID | Vulnerability | CVSS Base / Temporal Score
938810 | RAR file containing infected file causes segmentation fault DoS attack. | 7.1 / 5.9
921267 | MySQL Injection may affect the confidentiality and integrity of the application. | 5.5 / 4.5
921270 | Insufficient framing protection may lead to click-jacking or frame-sniffing attacks. | 4.4 / 3.4
CVE-2009-4565 / 963587 | Sendmail does not handle ‘\0’ character in common name field of X.509 Certificate leading to Man in Middle Attacks. | 4.3 / 3.6


Typically, the NDLP Management Console is deployed on a trusted network and will have access granted only on an as-needed basis. Data Loss Prevention tools are typically among an organization’s most sensitive systems and should be restricted as such. Before updating the software with the fixes, customers are advised to configure typical system and network access controls (see Workaround section below).

When access to NDLP is restricted appropriately, these vulnerabilities pose a reduced security risk from insider threats.

Affected Components:

McAfee NDLP:
  • McAfee DLP Manager
  • McAfee DLP Monitor
  • McAfee DLP iPrevent
  • McAfee DLP iDiscover
NOTE: McAfee DLP Endpoint (DLPE) is not affected by these issues.

These issues are resolved in NDLP 9.3.2 and corresponding hotfix releases on May 6, 2014.

Remediation

The issues are resolved in NDLP 9.3.2 and corresponding hotfixes.

The vulnerabilities fixed in 9.3.2 (RTW) and in the 9.3.2 hotfix are listed below:

CVE # / McAfee ID | Major version | Hotfix number | Hotfix file name
938810, 921267, 921270 | 9.3.2 | Version update to 9.3.2. | NDLP 9.3.2 (RTW)
CVE-2009-4565 / 963587 | 9.3.2 | Hotfix_963587_47041 | Hotfix_963587_47041_01.tar.gz

Additional Patch/Hotfix Information:
The first three vulnerabilities are fixed in the version update release of NDLP 9.3.2.

The hotfix only resolves CVE-2009-4565 and only on legacy systems. The 4400 / 5500 NDLP appliances are not vulnerable to this problem.
  • PD25217 - Network DLP 9.3.2 Hotfix 963587_47041 Release Notes

NDLP 9.3.2 download instructions:
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads.aspx.
  3. Provide your valid McAfee Grant Number.
  4. Select the product and click View Available Downloads.
  5. Click McAfee Data Loss Prevention.
  6. Click the link to download the product file under Download on the Software Downloads screen. 
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see KB56057.  

For instructions on how to install/upgrade this patch, see the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the previous procedure.

Workaround

Before upgrading to NDLP 9.3.2, McAfee strongly recommends that you configure system and network access controls according to the following best practices:
  • The default root password of the system should be changed to a strong, un-guessable password.
  • The NDLP Management console should be placed only on a trusted network.
  • Only personnel with a “need-to-know” should be given accounts on NDLP systems.
  • Network restrictions should be placed such that only NDLP Monitors can communicate with NDLP Managers.
  • Only a single network interface card (NIC) should be used for inter-system communications.
  • Management functions should be presented on only a single NIC. The management NIC should only accept connections from a trusted, restricted network.
     

Acknowledgements

McAfee credits the following companies for reporting these flaws:
  • Alaska USA Federal Credit Union
  • ANZ Bank
     

Support

Corporate Technical Support:

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
McAfee NDLP 9.3.2 without hotfixes and earlier.

Affected Versions:
  • NDLP 9.3.2 (without hotfix)
  • NDLP 9.3.1
  • NDLP 9.3.0
  • NDLP 9.2.2
  • NDLP 9.2.1
  • NDLP 9.2.0 (and earlier) 
Protected Versions:
  • NDLP 9.3.2 (with hotfix and later) 
McAfee recommends that all customers verify that they have applied the latest updates.

What issues does this hotfix / patch address?
See issues listed in the table above. The six-digit number prefixes are McAfee’s internal tracking IDs.
 
Does this vulnerability affect McAfee enterprise products?
Yes. NDLP is an Enterprise product.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.


What are the CVSS scoring metrics that have been used?

The tables below score each of the issues called out above.

938810 - RAR file containing infected file causes segmentation fault DoS attack
 Base Score 7.1
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) No Authentication
 Confidentiality impact None
 Integrity impact None
 Availability impact Complete
 Temporal Score 5.9
 Availability of exploit (Exploitability) Functional
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C   

The infected RAR file triggers memory segmentation faults that make the computer unusable for a while, causing a denial of service.

The RAR file preserves CRC values, so when we calculate the CRC value of RAR data and match it with the stored CRC value, we can tell if the RAR file is infected. If infected, McAfee will not extract the RAR file. This vulnerability was solved with stricter CRC checks.
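
The following is an added example, not McAfee's code, of the kind of check described above: the CRC values stored in a RAR 4.x archive are recomputed from the bytes and compared before the archive is handed to an extractor. It assumes the RAR 4.x block layout and checks file data only for files stored without compression; the function names and the sample archive are constructed for illustration.

```python
import struct
import zlib

MARKER = b"Rar!\x1a\x07\x00"        # RAR 4.x signature block
FILE_HEAD, STORED = 0x74, 0x30      # file-header block type, "store" (no compression) method
FILE_FIELDS = "<IIBIIBBHI"          # pack size, unpacked size, OS, FILE_CRC, time, ver, method, name len, attr

def build_stored_rar(name: bytes, data: bytes) -> bytes:
    """Constructed sample input: a minimal RAR 4.x archive with one uncompressed file."""
    def block(htype, flags, body):
        rest = struct.pack("<BHH", htype, flags, 7 + len(body)) + body
        return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest   # HEAD_CRC = low 16 bits
    fields = struct.pack(FILE_FIELDS, len(data), len(data), 0, zlib.crc32(data),
                         0, 20, STORED, len(name), 0x20)
    return MARKER + block(0x73, 0, bytes(6)) + block(FILE_HEAD, 0x8000, fields + name) + data

def check_rar_crcs(buf: bytes) -> list:
    """Return the CRC problems found; an empty list means the stored CRCs all match."""
    if not buf.startswith(MARKER):
        return ["missing RAR 4.x marker"]
    problems, pos = [], len(MARKER)
    while pos + 7 <= len(buf):
        head_crc, htype, flags, size = struct.unpack_from("<HBHH", buf, pos)
        if size < 7 or pos + size > len(buf):
            return problems + [f"block at {pos}: header size out of bounds"]
        header = buf[pos:pos + size]
        if zlib.crc32(header[2:]) & 0xFFFF != head_crc:
            # Size fields in a header that fails its CRC cannot be trusted: stop here.
            return problems + [f"block at {pos}: header CRC mismatch"]
        extra = 0                                   # bytes of data following the header
        if htype == FILE_HEAD and size >= 32:
            fields = struct.unpack_from(FILE_FIELDS, header, 7)
            extra, file_crc, method = fields[0], fields[3], fields[6]
            data = buf[pos + size:pos + size + extra]
            if len(data) != extra:
                problems.append(f"block at {pos}: file data truncated")
            elif method == STORED and zlib.crc32(data) != file_crc:
                problems.append(f"block at {pos}: file data CRC mismatch")
        elif flags & 0x8000 and size >= 11:         # other block type carrying ADD_SIZE
            extra = struct.unpack_from("<I", header, 7)[0]
        pos += size + extra
    return problems

SAMPLE = build_stored_rar(b"note.txt", b"constructed sample data")
```

An archive whose result list is non-empty is rejected rather than extracted. For compressed members the FILE_CRC covers the unpacked data, so that comparison can only be made by the decompressor itself.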


921267 – SQL injection may affect the confidentiality and integrity of the application
 Base Score 5.5
 Related exploit range (AccessVector) Local Access
 Attack complexity (AccessComplexity) High
 Level of authentication needed (Authentication) Single Instance Authentication
 Confidentiality impact Complete
 Integrity impact Complete
 Availability impact None
 Temporal Score 4.5
 Availability of exploit (Exploitability) Functional
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C   

Providing specific data to an application in areas where data is used directly in an SQL query can cause the SQL server to execute data passed to it directly as code. This can often allow an attacker complete access to the SQL database used by the application. An attacker can view and manipulate the database affecting the confidentiality and integrity of the application.

The attack is highly unlikely because the application is available to the internal company network only. Furthermore, application user credentials that have the privileges to view the Incident report are required. An intermediate penetration tester skill level is required to exploit this vulnerability.
This is fixed by sanitising the URI query before database access.


921270 – Insufficient framing protection may lead to click-jacking or frame-sniffing attacks
 Base Score 4.4
 Related exploit range (AccessVector) Local Access
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single Instance Authentication
 Confidentiality impact Complete
 Integrity impact None
 Availability impact None
 Temporal Score 3.4
 Availability of exploit (Exploitability) Proof of Concept
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:L/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C%29    

The HTTP response does not contain the X-Frame-Options header, which may lead to click-jacking or frame-sniffing attacks. This is solved by adding the X-Frame-Options header to the HTTP response.


963587 - CVE-2009-4565 - Sendmail does not handle ‘\0’ character in common name field of X.509 Certificate leading to Man in Middle Attacks
 Base Score 4.3
 Related exploit range (AccessVector) Local Access
 Attack complexity (AccessComplexity) Low
 Level of authentication needed (Authentication) Single Instance Authentication
 Confidentiality impact Partial
 Integrity impact Partial
 Availability impact Partial
 Temporal Score 3.6
 Availability of exploit (Exploitability) Functional
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:L/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C%29   

The present version of sendmail is vulnerable to CVE-2009-4565. It does not handle ‘\0’ in the common name field of an X.509 certificate, leading to Denial of Service attacks. This vulnerability was solved by upgrading the sendmail RPM.
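
The following is an added example, not sendmail's or McAfee's code, of the flaw class behind CVE-2009-4565: the common name is read from a DER-encoded subject using its encoded length, and a comparison that stops at the first ‘\0’ is shown beside one that rejects such a value. The host names, function names and the sample subject are constructed for illustration.

```python
CN_OID = bytes.fromhex("550403")            # id-at-commonName (2.5.4.3)

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def common_names(name_der: bytes) -> list:
    """Return every CN value in a DER-encoded Name, sized by its encoded length."""
    _, rdn_sequence, _ = read_tlv(name_der, 0)
    found, pos = [], 0
    while pos < len(rdn_sequence):
        _, rdn_set, pos = read_tlv(rdn_sequence, pos)
        inner = 0
        while inner < len(rdn_set):
            _, pair, inner = read_tlv(rdn_set, inner)
            _, oid, value_pos = read_tlv(pair, 0)
            _, value, _ = read_tlv(pair, value_pos)
            if oid == CN_OID:
                found.append(value)
    return found

def naive_cn_matches(name_der: bytes, host: str) -> bool:
    """Flawed: treats the CN as a C string, so comparison stops at the first NUL."""
    return any(cn.split(b"\x00", 1)[0].lower() == host.lower().encode()
               for cn in common_names(name_der))

def strict_cn_matches(name_der: bytes, host: str) -> bool:
    """Hardened: a CN with any byte outside printable ASCII never matches."""
    return any(all(0x21 <= b <= 0x7E for b in cn) and cn.lower() == host.lower().encode()
               for cn in common_names(name_der))

def sample_name(cn: bytes) -> bytes:
    """Constructed sample input: a one-attribute Name (short-form lengths only)."""
    def der(tag, value):
        return bytes([tag, len(value)]) + value
    return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn))))

CRAFTED = sample_name(b"mail.example.com\x00.other.example")
```

For `CRAFTED`, `naive_cn_matches(CRAFTED, "mail.example.com")` accepts the name while `strict_cn_matches` rejects it, which is the difference a patched TLS client has to enforce.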


What has McAfee done to resolve the issue?
McAfee has released a version update to address these security flaws.

Where do I download the fix?
You can download the fix from http://www.mcafee.com/us/downloads.aspx. You might have to type your McAfee Grant Number to initiate the download.


How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would be informing the hacker community that our products are a target, putting our customers at greater risk.
 

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
