McAfee Security Bulletin - Network Security Manager update fixes CSRF vulnerability in User Management module
Security Bulletins ID:
SB10081
Last Modified: 1/10/2018
Summary
Who Should Read This Document: | Technical and Security Personnel |
CVE Number: | CVE-2014-2390 |
US CERT Number: | None |
Severity Rating: | Medium |
Base / Overall CVSS Score: | 6.0 / 4.7 |
Recommendations: | Install or update to one of the following: NSM 8.1.7.3 or later; NSM 7.5.5.9 or later; NSM 7.1.15.7 or later; NSM 7.1.5.15 or later; NSM 6.1.15.39 or later |
Security Bulletin Replacement: | None |
Caveats: | None |
Affected Software: | NSM 8.1.7.2 and earlier; NSM 7.5.5.8 and earlier; NSM 7.1.15.6 and earlier; NSM 7.1.5.14 and earlier; NSM 6.1.15.38 and earlier |
Location of Updated Software: | http://www.mcafee.com/us/downloads/downloads.aspx |
Description
A Cross Site Request Forgery (CSRF) vulnerability in the User Management module may allow a malicious user to modify user accounts.
McAfee Network Security Manager version 8.1.7.3, released in June 2014, remediates the following issue:
CVE-2014-2390
CSRF vulnerability in User Management module
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2390
Affected Components:
- McAfee Network Security Manager
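The bulletin describes the weakness only as a CSRF in the User Management module that lets a request modify user accounts. The following Python example is added here to illustrate that class of weakness and its standard remediation; it is constructed for this page, is not McAfee code, and makes no claim about how NSM itself is implemented. The session, request and user store are simplified stand-ins, and the trusted origin URL is a hypothetical value.

```python
"""Synchronizer-token and Origin checks for a user-management endpoint.

Constructed example (not McAfee/NSM code). The vulnerable handler trusts
the session cookie alone; a browser attaches that cookie to a POST
submitted by any other site, so the site can change accounts on the
admin's behalf. The hardened handler additionally requires proof that
the request came from the manager's own page.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical manager URL; the Origin header of a same-site form post equals it.
TRUSTED_ORIGIN = "https://nsm.example.internal"

# Constructed user store: username -> attributes
USERS = {"alice": {"role": "admin"}, "bob": {"role": "viewer"}}


@dataclass
class Session:
    user: Optional[str]
    # Per-session secret embedded in legitimate forms; other origins cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: Dict[str, str]
    headers: Dict[str, str]
    session: Session  # resolved from the cookie the browser sent


def update_user_vulnerable(req: Request, users: Dict[str, Dict[str, str]]) -> Tuple[int, str]:
    """Vulnerable pattern: an authenticated session is the only check."""
    if req.method != "POST" or req.session.user is None:
        return 403, "forbidden"
    users[req.form["username"]]["role"] = req.form["role"]
    return 200, "updated"


def update_user_hardened(req: Request, users: Dict[str, Dict[str, str]]) -> Tuple[int, str]:
    """Hardened pattern: Origin check plus synchronizer token."""
    if req.method != "POST" or req.session.user is None:
        return 403, "forbidden"
    # Defence 1: browsers set Origin on cross-site POSTs and scripts cannot override it.
    if req.headers.get("Origin") != TRUSTED_ORIGIN:
        return 403, "bad origin"
    # Defence 2: the token must match the one stored in the server-side session.
    # compare_digest avoids leaking the token through timing differences.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403, "csrf token missing or wrong"
    users[req.form["username"]]["role"] = req.form["role"]
    return 200, "updated"


def run_scenarios() -> Dict[Tuple[str, str], Tuple[int, str]]:
    """Run a legitimate and a cross-site request against both handlers.

    Returns {(handler, scenario): (status, bob's role afterwards)}.
    """
    admin = Session(user="alice")
    # Same-site form submission: carries the token rendered into the page.
    legit = Request("POST", {"username": "bob", "role": "admin", "csrf_token": admin.csrf_token},
                    {"Origin": TRUSTED_ORIGIN}, admin)
    # Cross-site submission: the cookie (session) rides along, the token does not,
    # and the browser reports the other site's origin.
    forged = Request("POST", {"username": "bob", "role": "admin"},
                     {"Origin": "https://other-site.example"}, admin)
    results = {}
    for name, handler in (("vulnerable", update_user_vulnerable), ("hardened", update_user_hardened)):
        for label, req in (("legit", legit), ("forged", forged)):
            users = {u: dict(attrs) for u, attrs in USERS.items()}  # fresh copy per run
            status, _ = handler(req, users)
            results[(name, label)] = (status, users["bob"]["role"])
    return results


if __name__ == "__main__":
    for key, value in sorted(run_scenarios().items()):
        print(key, "->", value)
```

Running the block shows the vulnerable handler promoting `bob` for both the legitimate and the cross-site request, while the hardened handler rejects the cross-site one with 403 and leaves the account unchanged. In a deployed product the token check is usually applied framework-wide to every state-changing request rather than per handler, which is the kind of change a "fix up CSRF problems" bug such as the one cited in this bulletin's FAQ typically involves.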
Remediation
Go to the McAfee Downloads site and download the applicable product patch/hotfix file:
Product | Type | Patch Version | File Name | Release Date |
Network Security Manager | Version Update | 8.1.7.3 | Setup.exe | June 2014 |
Network Security Manager | Hotfix | 7.5.5.9 | Setup.exe | June 2014 |
Network Security Manager | Hotfix | 7.1.15.7 | Setup.exe | July 2014 |
Network Security Manager | Hotfix | 7.1.5.15 | Setup.exe | June 2014 |
Network Security Manager | Hotfix | 6.1.15.39 | Setup.exe | June 2014 |
McAfee Network Security Manager Download Instructions:
- Launch Internet Explorer.
- Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
- Provide your valid McAfee Grant Number.
- Select the product from the available downloads.
- Download the product version as mentioned in the Remediation section.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.
For instructions on how to install/upgrade, please review the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the same steps above.
Workaround
None. Install the provided hotfix/version updates.
Acknowledgements
McAfee credits Adi Volkovitz and Oded Vanunu from the Check Point Security Research Team for reporting this flaw.
Support
Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport
Frequently Asked Questions (FAQs)
What is affected by this security vulnerability?
McAfee Network Security Manager:
Affected Versions:
- 8.1.7.2 and earlier
- 7.5.5.8 and earlier
- 7.1.15.6 and earlier
- 7.1.5.14 and earlier
- 6.1.15.38 and earlier
Protected Versions:
- 8.1.7.3 or later
- 7.5.5.9 or later
- 7.1.15.7 or later
- 7.1.5.15 or later
- 6.1.15.39 or later
McAfee recommends that all customers verify that they have applied the latest updates.
What issue does this patch address?
Bug 960293 - Need to fix up CSRF (Cross-site request forgery) problems reported by Checkpoint
Does this vulnerability affect McAfee enterprise products?
Yes, Network Security Manager is an enterprise product.
How do I know if my McAfee product is vulnerable or not?
- Open the Administrator's User Interface (UI).
- The product version is displayed at the top center of the UI.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.
What are the CVSS scoring metrics that have been used?
CVE-2014-2390: CSRF Vulnerability in Network Security Manager
Base Score | 6.0 |
Related exploit range (AccessVector) | Network |
Attack complexity (AccessComplexity) | Medium |
Level of authentication needed (Authentication) | Single Instance |
Confidentiality impact | Partial |
Integrity impact | Partial |
Availability impact | Partial |
Temporal Score | 4.7 |
Availability of exploit (Exploitability) | Proof of concept code |
Type of fix available (RemediationLevel) | Official fix |
Level of verification that vulnerability exists (ReportConfidence) | Confirmed |
NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C)
What has McAfee done to resolve the issue?
McAfee has released an update to address this security flaw.
Where do I download the fix?
The fix can be downloaded from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download.
How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.
Resources
To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
For patents protecting this product, see your product documentation.
Disclaimer
McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.