McAfee Security Bulletin: Bash Shellshock Code Injection Exploit Updates for CVE-2014-6271 and CVE-2014-7169
Security Bulletins ID:   SB10085
Last Modified:  4/6/2017


Summary

Who Should Read This Document: Technical and Security Personnel
Impact of Vulnerability: OS Command Injections (CWE-78)
CVE Numbers: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
US CERT Number: CERT/CC VU#252743
  Red Hat Advisory RHBA-2013:1096-1
  Exploit Database EDB-ID: 34766
Severity Rating: High
Base / Overall CVSS Score: 10.0 / 8.3 (all CVEs listed above)
Recommendations: Deploy the remediation signatures/rules first. Update product patches/hotfixes.
Security Bulletin Replacement: None
Caveats: None
Affected Software: See the McAfee Product Vulnerability Status list below.
Location of Updated Software: http://www.mcafee.com/us/downloads/downloads.aspx

 

Description

Several McAfee products are vulnerable to the Bash/Shellshock vulnerability. See the McAfee Product Vulnerability Status list below for the status of each product. See the McAfee Mitigations section below for immediate action.

A serious security vulnerability known as the Bash or Shellshock bug affects all UNIX operating systems, including Linux, Mac OS, iOS, Oracle/Solaris, AIX, HP-UX, BSD, and Cygwin. Any other OS to which Bash has been added will also be vulnerable; for instance, Bash can be run on Windows or Android. Specific situations (such as DHCP client requests) can also lead to this vulnerable condition within Bash.

GNU Bourne Again SHell (Bash) is the shell of the GNU operating system. Bash is an sh-compatible shell that blends the best features of the Korn shell (ksh) and the C shell (csh). It is designed to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. In addition, most sh scripts can be run by Bash without modification. GNU Bash versions up to 4.3 process trailing strings after function definitions in the values of environment variables.

This vulnerability allows malicious code execution within the Bash shell (commonly accessed through a command prompt on a PC or Mac's Terminal application) up to and including compromising an operating system. An attacker can provide specially crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions.

For a thorough description of the Bash vulnerability, see:
http://www.vox.com/2014/9/25/6843949/the-bash-bug-explained
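A local self-check of the behaviour described above (a command trailing a function definition in an environment variable), written here as an added example rather than code from the McAfee bulletin or the linked articles. It assumes a bash binary on PATH; the probe value only echoes a marker, and the result is reported as a return value so it can be recorded by an audit script.

```python
import shutil
import subprocess

# The marker appears on stdout only if the shell executed the command that trails
# the function definition, which is the behaviour CVE-2014-6271 describes.
PROBE_VALUE = "() { :;}; echo SHELLSHOCK_MARKER"


def bash_imports_trailing_commands(bash_path=None):
    """Start the local bash with a crafted variable in its environment.

    Returns True if the trailing command ran (unpatched bash), False if it was
    ignored (patched bash), and None if no bash binary can be found.
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    # Minimal environment: PATH so bash can start, plus the probe variable. The
    # variable name is arbitrary; unpatched bash parses any value starting "() {".
    env = {"PATH": "/usr/local/bin:/usr/bin:/bin", "PROBE": PROBE_VALUE}
    result = subprocess.run(
        [bash, "-c", "echo probe-complete"],
        env=env, capture_output=True, text=True, timeout=10,
    )
    return "SHELLSHOCK_MARKER" in result.stdout


def bash_version(bash_path=None):
    """First line of `bash --version`, for the audit record only: the version
    string alone does not tell whether the vendor patch has been applied."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    out = subprocess.run([bash, "--version"], capture_output=True, text=True, timeout=10)
    return out.stdout.splitlines()[0] if out.stdout else ""


if __name__ == "__main__":
    state = bash_imports_trailing_commands()
    print(bash_version())
    print({True: "VULNERABLE: trailing command was executed",
           False: "patched: trailing command was ignored",
           None: "bash not found"}[state])
```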

Vulnerability IDs
  • CVE-2014-7187
    Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 Bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue:
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187


Incomplete Vendor Patches
Early patches from vendors are not always complete or accurate. More issues in the parser have been discovered that are just as serious as the original vulnerability:

Vendor Patch Vulnerability IDs

CWE-78
OS Command Injections:
http://cwe.mitre.org/data/definitions/78.html

CERT/CC Vulnerability Note VU#252743
GNU Bash environment variable vulnerability ("shellshock"):
http://www.kb.cert.org/vuls/id/252743

Red Hat Advisory RHBA-2013:1096-1
Updated Bash packages that fix this bug for Red Hat Enterprise Linux 6:
https://rhn.redhat.com/errata/RHBA-2013-1096.html
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Free Bash Detection Tools


Additional Information


McAfee Product Vulnerability Status

Investigation into all McAfee products is ongoing. This security bulletin will be updated as additional information and patches are made available.

The distinction between vulnerable hosts and truly exposed hosts matters with this issue. Products that are vulnerable but have minimal or no exposure are in the Vulnerable but Low Risk list below. Justifications for being in this list are explained in the Product Specific Notes section below.

Vulnerable and Updated
  1. Email and Web Security (EWS)
  2. GTI Proxy 2.0 (EOL)
  3. McAfee Email Gateway (MEG)
  4. McAfee Security Information and Event Management (SIEM) / Nitro
  5. McAfee Web Gateway (MWG)
  6. Network Data Loss Prevention (NDLP)
  7. Network Security Platform (NSP)/NSM

Vulnerable and Not Yet Updated
None

Vulnerable but Low Risk (given standard deployment best practices)
  1. Boot Attestation Service (BAS) / Open Virtual Appliance (OVA)
  2. GTI Proxy / GTI Private Cloud (File Reputation)
  3. McAfee Advanced Threat Defense (MATD)
  4. McAfee Asset Manager (MAM)
  5. McAfee Cloud Single Sign On (MCSSO) / McAfee Cloud Identity Manager (MCIM)
  6. Management for Optimized Virtual Environments AntiVirus (MOVE AV)
  7. Management for Optimized Virtual Environments AntiVirus Security Virtual Appliance (MOVE SVA)
  8. Management for Optimized Virtual Environments AntiVirus Security Virtual Appliance Manager (MOVE SVA Manager)
  9. Network Access Control (NAC)
  10. SaaS Account Management (SAM)
  11. SaaS Email Archiving
  12. SaaS Email Protection and Continuity
  13. SaaS Web Protection

Not Vulnerable
  1. Anti-Malware Core (AMC)
  2. Anti-Spam Engine (ASE)
  3. AntiSpam (MSK) (consumer)
  4. AntiVirus Engine (AVE) / Anti-Malware Engine (AME)
  5. CleanBoot
  6. Cloud Analysis and Deconstruction Service (CADS)
  7. Cloud Service Platform (CSP)
  8. Content Security Interlock (CSI)
  9. Content Security Reporter (CSR)
  10. Database Activity Monitoring (DAM)
  11. Database Vulnerability Manager (DVM)
  12. Data Loss Prevention Endpoint (DLPe)
  13. Deep Defender (DD)
  14. DeepSAFE
  15. Endpoint Encryption for Files and Folders (EEFF)
  16. Endpoint Encryption for Removable Media – USB (EERM)
  17. Endpoint Encryption Manager (EEM)
  18. Endpoint Intelligence Agent (EIA)
  19. Endpoint Protection for Mac (EPM)
  20. Enterprise Mobility Manager (EMM)
  21. ePO Deep Command (eDC)
  22. ePolicy Orchestrator (ePO)
  23. Gateway Anti-Malware Engine (GAM)
  24. Global Threat Intelligence (GTI) / GTI Cloud Server (CS) / Artemis
  25. Host Data Loss Prevention (HDLP)
  26. Host Intrusion Prevention Services (HIPS)
  27. McAfee Agent (MA) / Common Management Agent (CMA)
  28. McAfee Anti-Theft (MAT / IATS)
  29. McAfee AntiVirus Plus (AVP)
  30. McAfee Application Control (MAC)
  31. McAfee Change Control (MCC)
  32. McAfee Drive Encryption (MDE) / Endpoint Encryption for PCs (EEPC)
  33. McAfee Embedded Control (MEC)
  34. McAfee Family Protection (MFP) / Safe Eyes
  35. McAfee File Lock (MFL)
  36. McAfee Foundation Services (MFS)
  37. McAfee Home Network (MHN)
  38. McAfee Integrity Control (MIC)
  39. McAfee Internet Security (MIS)
  40. McAfee Mobile Security (MMS)
  41. McAfee MOVE Firewall (MOVE Firewall)
  42. McAfee Online Backup (MOBK) / Mozy
  43. McAfee Parental Controls (MPC)
  44. McAfee Password Manager (PassMgr) / SafeKey / LastPass
  45. McAfee Personal Firewall (MPF)
  46. McAfee Personal Locker (MPL) / Daon / Cloud Vault
  47. McAfee Policy Auditor (MPA)
  48. McAfee Quarantine Manager (MQM)
  49. McAfee QuickClean and Shredder (MQCS)
  50. McAfee Real Time for ePO (RTE)
  51. McAfee Risk Advisor (MRA)
  52. McAfee SECURE Certification (MS) / Trustmark
  53. McAfee Security for App Store- Cloud (MSAS)
  54. McAfee Security Center (MSC)
  55. McAfee Security for Email Servers (MSES) / GroupShield
  56. McAfee Security for Lotus Domino (MSLD) (Windows, Linux, AIX)
  57. McAfee Security for Mac (MSM)
  58. McAfee Security for Microsoft Exchange (MSME)
  59. McAfee Security for Microsoft SharePoint (MSMS)
  60. McAfee Security Management Center (SMC)
  61. McAfee Total Protection (MTP)
  62. McAfee Vulnerability Manager (MVM)
  63. McAfee Web Protection (MWP) / SmartFilter
  64. McAfee Web Reporter (MWR)
  65. Mobile Cloud (MC)
  66. Network Security Manager (NSM)
  67. Network Threat Behavior Analysis (NTBA)
  68. Network Threat Response (NTR)
  69. One Time Password (OTP) / Nordic Edge / Pledge
  70. Partner Custom products
  71. Pre-Install Scanner (PIS)
  72. Rogue System Detection (RSD)
  73. SaaS Endpoint Protection (SEP)
  74. Secure Container (Android and iOS)
  75. Site Advisor Enterprise (SAE) / Site Advisor Live (SA)
  76. VirusScan Enterprise Linux (VSEL)
  77. VirusScan Enterprise (VSE)
  78. VirusScan for Mac (VSMac)
  79. VirusScan Mobile (VSM)
  80. Vulnerability Scanner (VulnScan)
  81. Whole Disk Encryption (WDE)
  82. Windows Systems Security (WSS)

Being Investigated
None

For a description of each product, see: http://www.mcafee.com/us/apps/products-az.aspx.

Remediation

Go to the Product Downloads site and download the applicable product patch/hotfix file:

Product | Type | Patch Version | File Name | Release Date
BAS / OVA | Patch | Patch 1 | | Expected October 30, 2014
EWS | Hotfix | 5.6 | EWS-5.6h1010267 | October 7, 2014
GTI Proxy 2.0 | Cloud Update | | MLOS Update for GTI Proxy 2.0 | November 24, 2014
MAM | Hotfix | 7 | mam_hotfix_pack7.sh | June 23, 2015
MEG | Hotfix | 7.5.4 | MEG-7.5.4h1010253 | October 2, 2014
MEG | Hotfix | 7.6.2 | MEG-7.6.2h1010246 | October 2, 2014
MEG | Hotfix | 7.0.5 | MEG-7.0.5h1010264 | October 3, 2014
MFE CC | Patch | 5.2.1P10 | 521P10.zip | September 29, 2014
MFE CC | Patch | 5.3.2P04 | 532P04.zip | October 1, 2014
MOVE AV | Patch | Patch 1 | | October 30, 2014
MOVE SVA | Patch | Patch 1 | | October 30, 2014
MOVE SVA Manager | Patch | Patch 1 | | October 30, 2014
MWG | Patch | 7.5.0, 7.4.2.3 | | September 30, 2014
NDLP | Hotfix | 9.3.2 for appliances 4400, 5500 | hotfix 101538_47224 | October 2, 2014
NGFW | Hotfix | 5.8.0 | | September 30, 2014
NGFW | Hotfix | 5.5.11 | | October 2, 2014
NGFW | Hotfix | 5.7.5 (FW/VPN), 5.3.11 | | October 6, 2014
NSP/NSM Sensor | Hotfix | 7.1.3.127 | | December 1, 2014
NSP/NSM Sensor | Hotfix | 7.1.5.97 | | October 31, 2014
NSP/NSM Sensor | Hotfix | 7.5.3.116 | | November 3, 2014
NSP/NSM Sensor | Hotfix | 8.1.3.x | | Expected December 15, 2014
NSP/NSM Sensor | Hotfix | 8.1.5.47 | | November 8, 2014
NUBA | Hotfix | | bash-3.0-19.3.i386.rpm | October 20, 2014
SIEM | Hotfix | 9.3.2, 9.4.0, 9.4.1 | 9.3.2-hf15, 9.4.1-hf1, 9.4.0-hf8 | October 2, 2014
VPN | Patch | 1.5.205.2017 | | October 6, 2014


McAfee Product Download Instructions
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
  3. Provide your valid McAfee Grant Number.
  4. Click your product suite.
  5. Click the applicable product and click I Agree.
  6. Click the Patches tab and click the link to download the product .ZIP file under the Product column.
NOTE: The Content and Cloud Security portal does not require a McAfee Grant number; however, customers have received login credentials together with their MWG license.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.

For instructions on how to install / upgrade these hotfixes / patches, please review the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the same steps above.

Product Specific Notes:
  • BAS
    The BAS appliance has the 'Ubuntu' environment with 'automatic upgrade' option turned on. It has single user access and no CGI/Apache server running in it. The appliance is shipped with ‘SSH’ disabled.
     
  • EWS
    See KB83006 for requirements for installing the hotfixes that fix this vulnerability.
     
  • GTI Proxy / GTI Proxy 2.0
    With GTI Proxy, exploitation of the vulnerable Bash package is only possible through remote SSH access to the device. Remote SSH access requires administrative credentials. In the absence of compromised administrative credentials, an attacker could not interact with the vulnerable Bash package. Nonetheless, an update of the Bash package will be delivered in the next appliance security update.

    GTI Proxy 2.0 will require an update, but while impacted, it would require SSH credentials to be exploitable. An appliance operating system update is available with details provided in PD25586.
     
  • HIPS
    The HIPS installation uses the Bash shell that is configured on the underlying OS, but HIPS doesn’t ship Bash. HIPS Linux/Solaris are not vulnerable.
     
  • MA
    The McAfee Agent and its components are not exploitable on a system running the vulnerable Bash.
     
  • MAM
    While the MAM 6.6 product itself is not vulnerable, the underlying platform for the product, which is based on Debian, is potentially vulnerable.

    Debian by default has Bash installed making the product potentially vulnerable. McAfee does not expose access to Bash by any web or CGI script from outside the device, so there is no exploit vector.

    McAfee plans to patch this problem and provide an update script to the latest Bash shell.

    MAM Hotfix 7 has superseded the hotfix originally posted in this article. Hotfix 7 is a rollup that includes previous hotfixes 1-6.
     
  • MATD
    ATD is not vulnerable to the Bash shell vulnerability because the Bash shell is not directly exposed to end users and the appliance does not use DHCP. This appliance does not allow end users to execute Bash commands directly. The Bash shell is accessible only to McAfee developers and requires additional authentication credentials known only to McAfee developers.
     
  • MEG
    MEG is vulnerable. The attack vector is via DHCP, which could compromise certain machines. The GUI can also be exploited, although the user needs to be authenticated.

    See KB83006 for requirements for installing the hotfixes that fix this vulnerability.
     
  • MCSSO
    MCSSO ships in two configurations:
    • MCSSO installer for Windows – Not vulnerable.
    • MCSSO installer for Linux – Possibly vulnerable. If running a vulnerable version of bash on Red Hat Enterprise Linux Server 5.0, then it is vulnerable. McAfee recommends you upgrade bash to a higher version.
    MCSSO does not pass variables (arguments/parameters received through HTTP requests) into the shell called "bash". Hence, MCSSO itself does not make the system exploitable. There could still be other programs/servers in the OS that could make it exploitable.
     
  • MOVE
    The MOVE appliances have the 'Ubuntu' environment with the 'automatic upgrade' option turned on. They have single user access and no CGI/Apache server running in them.
     
  • MOVE SVA / MOVE SVA Manager
    McAfee has published a separate KB article recommending that customers upgrade Bash, with complete steps on how to do it.

    The MOVE appliances are vulnerable, but not exploitable. In a specific case where a customer changes the DHCP option in dhclient.conf and adds the “default-url” option, a rogue DHCP server would be able to execute an arbitrary command on the appliance. If the customer has made this specific change, it is strongly recommended to update the Bash package.

    The MOVE SVA Appliance is shipped with ‘SSH’ disabled. The MOVE SVA Manager appliance is shipped with ‘SSH’ enabled.

    A patch will be provided for the appliance to avoid unnecessary queries from customers who might run vulnerability scanners against the product.
     
  • MWG
    MWG is vulnerable. A hostile DHCP server can craft a DHCP reply to a DHCP request that exploits the MWG DHCP client and allows root privileged remote code execution for the attacker. This attack vector is only present if the MWG engine has a dynamic interface that is configured to get an IP address via DHCP.

    MWG has been patched.
    • PD25433 is the Release Notes with a full list of changes and upgrade instructions.
    • KB82982 provides a list of known issues.
    • KB83022 addresses how MWG is impacted by the Bash/Shellshock vulnerability, confirms that it is fixed in the 7.4.2.3 and 7.5.0 releases, and includes mitigation instructions for customers who cannot upgrade immediately.
    Affected Versions:
    • Pre-7.5.0 and earlier
    • 7.4.2.2 and earlier

    Protected Versions:
    • 7.5.0 or later
    • 7.4.2.3 or later
     
  • NDLP
    The vulnerable version of Bash is present in the product, but it is not utilized. The Bash shell is accessible only to system administrators. It has been patched. McAfee recommends that all customers verify that they have applied the latest updates.

    Affected Versions:
    • 9.3.2 and earlier

    Protected Versions:
    • 9.3.2 with hotfix 1010538_47224 or later
     
  • NSP/NSM
    NSP includes both the NSM (Manager) and the Sensor. NSM is a Windows-based product and is not vulnerable since it does not run Bash. NSP is not vulnerable to the Bash shell vulnerability because the Bash shell is not directly exposed to end users and the appliance does not use DHCP. This appliance does not allow end users to execute Bash commands directly. The Bash shell is accessible only to McAfee developers and requires additional authentication credentials known only to McAfee developers. See the remediation table above for the latest sensor image update information.
     
  • NTBA
    NTBA does not expose the Bash shell and does not use DHCP, and is therefore not vulnerable to this threat.
     
  • SaaS Email, Web and Archiving
    SaaS Email, Archiving and Web have no exposure. They are all based on Red Hat, CentOS, and McAfee Linux Operating System (MLOS), but are not exploitable by anyone who does not already have privileged access to the box via SSH, which is restricted to administrators.

    The SaaS products do not utilize CGI in any of the product's applications. All Apache interactions are through PHP, which integrates directly with Apache and not through CGI interfaces. As SaaS does not utilize CGI, McAfee recommends that any CGI-enabled configurations that exist in your environment are disabled.

    Apache can be an attack vector through the CGI interface: Apache sets environment variables from the request and may then instantiate bash, which could execute a command hidden in one of those environment variables. If Apache is not configured to use mod_cgi, or if no CGI scripts are present, Apache will not invoke bash.

    How was it determined that the product is not exploitable?
    The SaaS product is not exploitable because it does not allow users to run a Bash shell in any part of the application. All customer-facing services are restricted to HTTP, SMTP, and IMAP protocols; none of which offer any access or data paths to the shell. Any use of Bash would be restricted to administrators and tightly controlled administrative networks, inaccessible from any of the product's public interfaces.

    Under what versions and criteria was this established?
    No version of the SaaS product suite allows a user to execute commands at the Bash level; nor is the Bash accessible/remotely reachable from any of the product data paths. This has been confirmed in all supported releases of SaaS, including 7.2.x, 8.1, and 8.2 releases.

    When will a solution to remediate the vulnerability be made available?
    The SaaS engineering team released the CentOS-based patch for the Bash vulnerability on Tuesday, September 30. We will be releasing additional patches as they become available from the upstream providers and can be verified by McAfee. This is because new attack vectors are still being discovered and we may be dealing with this for some time.
     
  • SIEM
    The SIEM devices have a version of Bash that is subject to the automatic execution of commands trailing a function defined in an environment variable. However, there is no exposure of Bash external to the device. Therefore, there is no exploit vector.

    SIEM has been patched.

    Available on the Download site:
    9.3.2-hf15 (build stamp: 20141001141316)
    9.4.1-hf1 (build stamp: 20140930172307)

    Available through SIEM support by request*:
    9.4.0-hf8 (build stamp: 20140930151418)

    * The official fix for 9.4.0 is 9.4.1-hf1. However, for users that, by internal policy, cannot upgrade a version number change without a long testing and approval process, we have 9.4.0-hf8. You must contact SIEM Technical Support directly to obtain this hotfix.

    For all releases:
    SIEM does not put “hotfix” numbers in the product. The full build stamp for a SIEM appliance is on its “System Information” tab in the “System Properties” dialog. Example: “Version 9.4.1 Build 20140930172307”

    Protected Versions:
    • 9.4.1 or later
    • 9.4.0 or later
    • 9.3.2 or later 
     
  • Wind River Products
    Shellshock Vulnerability Security Notice
    http://www.windriver.com/announces/shellshock_notice/

Workaround

Many UNIX vendors have published patches. McAfee has not yet tested all patches to determine potential impact on McAfee products. Please be aware of the risks.

UNIX Patches:
  • Red Hat Enterprise Linux

McAfee Mitigations
Several McAfee products have signatures to help mitigate this vulnerability. These include:
  • AV - AntiVirus
    • Includes all McAfee AntiVirus products, including VSE, McAfee AntiVirus Plus, MWG, and so on.
    • 7573 DAT – Detects all payload samples seen from exploit of the Bash vulnerability
      • Samples are detected as “Linux/Dingle”
  • MVM – McAfee Vulnerability Manager
    • Foundstone Scripting Language Update 09-30-2014 - Lists 43 Foundstone Scripting Language (FSL) signatures for these vulnerabilities
    • McAfee's recommendation is to perform this scan as an authenticated user.
    • KB83002 - How to run a single vulnerability scan for the Shellshock vulnerability (CVE-2014-6271 used as an example)
     
  • NSP – Network Security Platform
    • Network detection signatures for Apache CGI and SSH can be downloaded from within NSM and are available on the Product Downloads site: http://www.mcafee.com/us/downloads/downloads.aspx
    • Updated Detection Signature (UDS)
      • UDS 7.6.41.5 – Legacy version
      • UDS 8.6.41.5 – Current version
    • KB83009 – Release Notes for Network Security Signature Sets Release Bulletin (7.6.41.5|8.6.41.5)
     
  • SIEM – Security Information and Event Management
    • Eight signature detection rules for the NitroGuard IPS / NitroSecurity IPS / McAfee NTP are available for download via the SIEM rule server
    • Signatures:
      • Two (2) for options in DHCP ACK messages
      • Six (6) for web traffic, examining URIs, HTTP headers, cookies, bodies, and the HTTP Version number
Download the latest content for each and enable the checks if they are not enabled by default.
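The SIEM rules above inspect web traffic (URIs, HTTP headers, cookies, bodies, the HTTP version) and DHCP ACK options, and the SaaS notes explain why: a CGI front end copies those request fields into environment variables before starting bash. The following is an added example of that detection logic, not McAfee's signature content: it looks for the bash function-definition prefix "() {" in a parsed HTTP request, in Apache combined-format log lines (a retrospective sweep), and in a DHCP option value. All request, log and option samples are constructed for this example and carry only a harmless echo.

```python
import re

# Bash function-definition prefix as it appears in an exported variable: "() {" with
# optional whitespace. Legitimate URIs, header values, cookies and DHCP option values
# do not start with it, so the prefix is the detection key regardless of what follows.
FUNC_PREFIX_RE = re.compile(r"\(\s*\)\s*\{")

# Apache combined log format: client, ident, user, time, request, status, size, referer, agent.
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    while len(parts) < 3:          # tolerate a malformed request line
        parts.append("")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers, body


def shellshock_fields(raw):
    """Return the request fields carrying the prefix, checking the same places the
    SIEM web-traffic rules look: URI, HTTP version, every header (cookies included), body."""
    _, uri, version, headers, body = parse_http_request(raw)
    hits = []
    if FUNC_PREFIX_RE.search(uri):
        hits.append("uri")
    if FUNC_PREFIX_RE.search(version):
        hits.append("version")
    for name, value in headers.items():
        if FUNC_PREFIX_RE.search(value):
            hits.append("header:" + name)
    if FUNC_PREFIX_RE.search(body):
        hits.append("body")
    return hits


def scan_access_log(lines):
    """Retrospective sweep of Apache combined-format log lines. CGI exports the request
    line, Referer and User-Agent into the environment, so those fields are checked.
    Returns (line_index, client_ip, field) for every hit."""
    hits = []
    for idx, line in enumerate(lines):
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX_RE.search(m.group(field)):
                hits.append((idx, m.group("ip"), field))
    return hits


def dhcp_option_suspicious(option_value):
    """True if a DHCP ACK option value (bytes, e.g. a domain name or a custom option
    such as default-url) begins with the function prefix that dhclient hooks would export."""
    text = option_value.decode("latin-1").lstrip()
    return FUNC_PREFIX_RE.match(text) is not None


# Constructed samples (not captured traffic): a benign request and a probe carrying the
# prefix in User-Agent and Cookie, two headers CGI deployments export into the environment.
CLEAN_REQUEST = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc123\r\n\r\n"
)
PROBE_REQUEST = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :;}; echo probe\r\n"
    "Cookie: session=abc123; tracker=() { :;}; echo probe\r\n\r\n"
)
ACCESS_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
]

if __name__ == "__main__":
    print(shellshock_fields(PROBE_REQUEST))                 # ['header:user-agent', 'header:cookie']
    print(scan_access_log(ACCESS_LOG))                      # [(1, '203.0.113.9', 'agent')]
    print(dhcp_option_suspicious(b"() { :;}; echo probe"))  # True
```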

Acknowledgements

This vulnerability was first discovered by Stéphane Chazelas, a European security researcher.

This vulnerability was first disclosed by The MITRE Corporation as CVE-2014-6271.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
See the Product Specific Notes section above.

McAfee recommends that all customers verify that they have applied the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes, several enterprise products are vulnerable. No consumer products are vulnerable.

How do I know if my McAfee product is vulnerable or not?
For Endpoint products:
Use the following instructions for endpoint or client based products:
  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, select Action Menu.
  4. In the Action Menu, select Product Details. The product version is displayed.

For ePO / Server products:
Use the following instructions for server based products:
  • Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
  • Or, create a query in ePO for the product version of the product installed within your organization.

For Appliances:
Use the following instructions for Appliance based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version is displayed.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/

What are the CVSS scoring metrics that have been used?
All CVEs listed have the same CVSS score and vector.

CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187


 
Base Score: 10.0
  Related exploit range (AccessVector): Network
  Attack complexity (AccessComplexity): Low
  Level of authentication needed (Authentication): None
  Confidentiality impact: Complete
  Integrity impact: Complete
  Availability impact: Complete
Temporal Score: 8.3
  Availability of exploit (Exploitability): Functional exploit exists
  Type of fix available (RemediationLevel): Official fix
  Level of verification that vulnerability exists (ReportConfidence): Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)

NOTE: The Red Hat website reports a much lower base score of 4.6. Red Hat used the below CVSS version 2.0 vector to generate their score.
What has McAfee done to resolve the issue?
McAfee has released several product updates to address these security flaws.
Several signatures and rules have been created for McAfee products to detect and block this vulnerability.

Where do I download the fix?
The fix can be downloaded from:  http://www.mcafee.com/us/downloads/downloads.aspx
Users will need to provide their McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, hotfix, patch, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.

McAfee may publish lists of known vulnerable and not vulnerable products if the product vulnerability is already generally known publicly, but no actionable workaround is ready yet.

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.
