McAfee Security Bulletin - Network Security Manager update fixes CSRF vulnerability in User Management module
Security Bulletins ID: SB10081
Last Modified: 1/10/2018

Summary

 
Who Should Read This Document: Technical and Security Personnel
CVE Number: CVE-2014-2390
US CERT Number: None
Severity Rating: Medium
Base / Overall CVSS Score: 6.0 / 4.7
Recommendations: Install or update to one of the following:
  • NSM 8.1.7.3 or later
  • NSM 7.5.5.9 or later
  • NSM 7.1.15.7 or later
  • NSM 7.1.5.15 or later
  • NSM 6.1.15.39 or later
Security Bulletin Replacement: None
Caveats: None
Affected Software:
  • NSM 8.1.7.2 and earlier
  • NSM 7.5.5.8 and earlier
  • NSM 7.1.15.6 and earlier
  • NSM 7.1.5.14 and earlier
  • NSM 6.1.15.38 and earlier
Location of Updated Software: http://www.mcafee.com/us/downloads/downloads.aspx

Description

A Cross Site Request Forgery (CSRF) vulnerability in the User Management module may allow a malicious user to modify user accounts.

McAfee Network Security Manager version 8.1.7.3, released in June 2014, remediates the following issue:

CVE-2014-2390
CSRF vulnerability in User Management module
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2390

Affected Components:
  • McAfee Network Security Manager

Remediation

Go to the McAfee Downloads site and download the applicable product patch/hotfix file:
Product                   Type            Patch Version  File Name  Release Date
Network Security Manager  Version Update  8.1.7.3        Setup.exe  June 2014
Network Security Manager  Hotfix          7.5.5.9        Setup.exe  June 2014
Network Security Manager  Hotfix          7.1.15.7       Setup.exe  July 2014
Network Security Manager  Hotfix          7.1.5.15       Setup.exe  June 2014
Network Security Manager  Hotfix          6.1.15.39      Setup.exe  June 2014

 
McAfee Network Security Manager Download Instructions:
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
  3. Provide your valid McAfee Grant Number.
  4. Select the product from the available downloads.
  5. Download the product version as mentioned in the Remediation section.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.
For instructions on how to install/upgrade, please review the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the same steps above.

Workaround

None. Install the provided hotfix/version updates.

Acknowledgements

McAfee credits Adi Volkovitz and Oded Vanunu from the Check Point Security Research Team for reporting this flaw.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
McAfee Network Security Manager:

Affected Versions:
  • 8.1.7.2 and earlier
  • 7.5.5.8 and earlier
  • 7.1.15.6 and earlier
  • 7.1.5.14 and earlier
  • 6.1.15.38 and earlier

Protected Versions:
  • 8.1.7.3 or later
  • 7.5.5.9 or later
  • 7.1.15.7 or later
  • 7.1.5.15 or later
  • 6.1.15.39 or later

McAfee recommends that all customers verify that they have applied the latest updates.

What issue does this patch address?
Bug 960293 - Need to fix up CSRF (Cross-site request forgery) problems reported by Checkpoint

Does this vulnerability affect McAfee enterprise products?
Yes, Network Security Manager is an enterprise product.

How do I know if my McAfee product is vulnerable or not?

  1. Open the Administrator's User Interface (UI).
  2. The product version is displayed at the top center of the UI.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?
CVE-2014-2390: CSRF Vulnerability in Network Security Manager

Base Score                                                           6.0
  Related exploit range (AccessVector)                               Network
  Attack complexity (AccessComplexity)                               Medium
  Level of authentication needed (Authentication)                    Single Instance
  Confidentiality impact                                             Partial
  Integrity impact                                                   Partial
  Availability impact                                                Partial
Temporal Score                                                       4.7
  Availability of exploit (Exploitability)                           Proof of concept code
  Type of fix available (RemediationLevel)                           Official fix
  Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C)

What has McAfee done to resolve the issue?
McAfee has released an update to address this security flaw.

Where do I download the fix?
The fix can be downloaded from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.
