McAfee Security Bulletin - McAfee Agent update fixes http-generic-click-jacking vulnerability
Security Bulletins ID:   SB10094
Last Modified:  4/9/2017

Summary

 Who Should Read This Document:  Technical and Security Personnel
 Impact of Vulnerability:        Protection Mechanism Failure
                                 Security Misconfiguration
                                 Unvalidated Redirects and Forwards
 CVE Numbers:                    CVE-2015-2053
 Severity Rating:                Medium
 Base / Overall CVSS Scores:     4.3 / 3.5
 Recommendations:                Install or update to McAfee Agent (MA) 4.8.0 Patch 3
                                 Install or update to MA 5.0.1
 Security Bulletin Replacement:  None
 Affected Software:              MA 4.8.0 Patch 2 and earlier
                                 MA 5.0.0
 Location of Updated Software:   http://www.mcafee.com/us/downloads/downloads.aspx

Description

The MA feature for viewing agent logs remotely on Windows serves a web page that can be loaded inside a frame on another site; this is the condition reported by the http-generic-click-jacking check. An attacker who can get a user to visit a crafted 'clickjacking' page can place the log viewer in an invisible frame over a decoy, so that a click the user intends for the decoy lands on a button in the log viewer and initiates an action the user did not intend.

NOTE: This vulnerability cannot be exploited with default MA policies applied. It exists only when the option Accept connections only from the ePO server is deselected in the General policy for the MA, which allows hosts other than the ePO server to reach the remote log viewer.

This patch remediates the following issues:

CVE-2015-2053
The log viewer in MA allows remote attackers to conduct clickjacking attacks.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2053

CAPEC-103
Common Attack Pattern Enumeration and Classification - Clickjacking
http://capec.mitre.org/data/definitions/103.html
 
CWE-20
Improper Input Validation
http://cwe.mitre.org/data/definitions/20.html
 
Affected Components:
  • MA remote log viewer
All of these issues are resolved in MA 4.8.0 Patch 3 and MA 5.0.1.

Remediation

The remediation plan is to upgrade the currently supported versions of MA 4.6.0/MA 4.8.0/MA 5.0.0. These fixes are included in MA 4.8.0 Patch 3 and MA 5.0.1.
  • MA 4.6.x users should upgrade to MA 4.8.0 Patch 3 (MA480P3WIN.zip), released on February 17, 2015.
  • MA 4.8.x users should upgrade to MA 4.8.0 Patch 3 (MA480P3WIN.zip), released on February 17, 2015.
  • Alternatively, you can directly upgrade to the latest MA 5.0.1 (MA501WIN.zip), released on June 16, 2015.
Refer to the upgrade instructions in the Release Notes for further details.

Go to the Product Downloads site and download the applicable product patch file:

 Product   Type   Patch Version   File Name        Release Date
 MA 4.8.0  Patch  Patch 3         MA480P3WIN.zip   February 17, 2015
 MA 5.0.0  Patch  Patch 1         MA501WIN.zip     June 16, 2015

McAfee product download instructions
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
  3. Provide your valid McAfee Grant Number.
  4. Click your product suite.
  5. Click the applicable product (see table above) and click I Agree.
  6. Click the Patches tab and click the link to download the product .zip file under the Product column.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see KB56057.

For instructions on how to install/upgrade this hotfix/patch, please review the Release Notes and the Installation Guide, which you can download from the Documentation tab by following the same steps above.

Workaround

Choose one of the following workarounds:
  • In the General policy for the MA, ensure that the option Accept connections only from the ePO server is selected. This restricts the remote log viewing feature to the ePO server, so a frame on an attacker's page, loaded in a user's browser, cannot reach the viewer at all. This is the default setting recommended by McAfee, and it is the only workaround that protects every client at once.
  • Enforce maximum security restrictions in the browser used to view agent logs:
    • JavaScript disabled
    • Flash disabled
    • CSS disabled
    • iFrames forbidden
    These settings protect only the browser they are applied to; they do not change what the agent serves to other clients.
  • Remove any elevated privileges as soon as possible (for example, log out of the target application when you are finished with it and before doing other things in the browser), so that a click delivered through a hidden frame is not made with a live session.
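The Description above explains that the log viewer page can be framed by another site, and the workarounds restrict who can reach it. The page itself does not say how the patch closes the hole, so the following is an added example, not McAfee code, of the standard check and defence for this class: a small Node.js audit that parses raw HTTP response headers and reports whether a cross-origin page may frame the response (the absence of X-Frame-Options is what a generic clickjacking scanner check keys on), beside a hardened header set. The sample responses are constructed for the example and are not captured from McAfee Agent.

```javascript
'use strict';
// Added example (not McAfee code): audit HTTP response headers for the
// framing protections whose absence is the precondition for clickjacking.
// Sample responses below are constructed, not captured from McAfee Agent.

// Parse the header block of a raw HTTP/1.1 response into a lower-cased
// name -> value object. Duplicate header names are joined with ", ".
function parseHeaders(raw) {
  const headers = {};
  const lines = raw.split(/\r?\n/);
  for (const line of lines.slice(1)) {      // lines[0] is the status line
    if (line === '') break;                  // blank line ends the headers
    const colon = line.indexOf(':');
    if (colon < 0) continue;                 // ignore malformed lines
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Source list of the CSP frame-ancestors directive (quotes stripped,
// lower-cased), or null when the response carries no such directive.
function frameAncestors(headers) {
  const csp = headers['content-security-policy'];
  if (!csp) return null;
  const directive = csp.split(';').map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return null;
  return directive.split(/\s+/).slice(1)
    .map((src) => src.replace(/^'(.*)'$/, '$1').toLowerCase());
}

// True when a page from another origin may embed this response in a frame,
// i.e. neither CSP frame-ancestors nor X-Frame-Options forbids it.
function isFrameableCrossOrigin(headers) {
  const ancestors = frameAncestors(headers);
  if (ancestors !== null) {
    // Browsers that understand frame-ancestors give it precedence over
    // X-Frame-Options. An empty list, or only 'none'/'self', keeps third
    // parties out; any host, scheme or wildcard source lets someone frame it.
    return !ancestors.every((src) => src === 'none' || src === 'self');
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  // ALLOW-FROM is obsolete and ignored by current browsers, so only DENY and
  // SAMEORIGIN count as protection here.
  return !(xfo === 'DENY' || xfo === 'SAMEORIGIN');
}

// Headers a hardened page should carry: the legacy header for older browsers
// plus the CSP directive for current ones.
function hardenedHeaders(headers) {
  return Object.assign({}, headers, {
    'x-frame-options': 'DENY',
    'content-security-policy': "frame-ancestors 'none'",
  });
}

// Audit one raw response: is it frameable, and which protections are absent.
function auditResponse(raw) {
  const headers = parseHeaders(raw);
  return {
    frameable: isFrameableCrossOrigin(headers),
    missing: [
      ...(headers['x-frame-options'] ? [] : ['X-Frame-Options']),
      ...(frameAncestors(headers) ? [] : ['CSP frame-ancestors']),
    ],
  };
}

// Constructed sample: an HTML page served with no framing policy at all.
const SAMPLE_UNPROTECTED = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Content-Length: 52',
  '',
  '<html><body><button>Submit</button></body></html>',
].join('\r\n');

// Constructed sample: the same page with the hardened headers added.
const SAMPLE_HARDENED = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'X-Frame-Options: DENY',
  "Content-Security-Policy: frame-ancestors 'none'",
  'Content-Length: 52',
  '',
  '<html><body><button>Submit</button></body></html>',
].join('\r\n');

console.log('unprotected:', auditResponse(SAMPLE_UNPROTECTED));
// unprotected: { frameable: true, missing: [ 'X-Frame-Options', 'CSP frame-ancestors' ] }
console.log('hardened:', auditResponse(SAMPLE_HARDENED));
// hardened: { frameable: false, missing: [] }
```

To use this against a live host, feed `auditResponse` the raw response text of the log viewer URL (for example from `curl -i`), and remember that a frameable verdict only matters on agents where the ePO-only connection restriction above has been turned off; with the default policy, no browser other than the ePO server's can fetch the page to begin with.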

Acknowledgements

None.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
MA is affected.

Affected Versions:
  • MA 5.0.0
  • MA 4.8.0 Patch 2 and earlier

Protected Versions:
  • MA 5.0.1
  • MA 4.8.0 Patch 3
McAfee recommends all customers verify that they have applied the latest updates.

What issue does this hotfix/patch address?
1013473: MA is vulnerable to Click Jacking (http-generic-click-jacking)

NOTE: Apart from this security fix, MA 4.8.0 Patch 3 and MA 5.0.1 will contain many more fixes to improve customers' experience. Please refer to the respective patch release notes for more details.

Does this vulnerability affect McAfee enterprise products?
Yes. MA is an enterprise product.

How do I know if my McAfee product is vulnerable or not?
Use the following instructions for endpoint or client-based products:
  1. Right-click the McAfee tray shield icon on the Windows task bar.
  2. Select About. The product version for 'McAfee Agent' is displayed; compare it with the Protected Versions listed above.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

 Base Score: 4.3
   Related exploit range (AccessVector): Network
   Attack complexity (AccessComplexity): Medium
   Level of authentication needed (Authentication): None
   Confidentiality impact: None
   Integrity impact: Partial
   Availability impact: None
 Temporal Score (Overall): 3.5
   Availability of exploit (Exploitability): Unproven that exploit exists
   Type of fix available (RemediationLevel): Workaround
   Level of verification that vulnerability exists (ReportConfidence): Not Defined

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:W/RC:ND)
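The scores in the table above follow from the CVSS v2 equations applied to the vector in the calculator link. The following is an added example, not McAfee's or NVD's calculator, that carries that computation through in Node.js using the metric weights from the CVSS v2 specification; the only input it takes from this bulletin is the vector string.

```javascript
'use strict';
// Added example (not McAfee code): CVSS v2 base and temporal scoring for the
// vector this bulletin publishes, using the equations and metric weights of
// the CVSS v2 specification.

// Metric weights from the CVSS v2 specification (ND = Not Defined).
const WEIGHTS = {
  AV: { L: 0.395, A: 0.646, N: 1.0 },                   // access vector
  AC: { H: 0.35, M: 0.61, L: 0.71 },                    // access complexity
  Au: { M: 0.45, S: 0.56, N: 0.704 },                   // authentication
  C: { N: 0.0, P: 0.275, C: 0.660 },                    // confidentiality impact
  I: { N: 0.0, P: 0.275, C: 0.660 },                    // integrity impact
  A: { N: 0.0, P: 0.275, C: 0.660 },                    // availability impact
  E: { U: 0.85, POC: 0.9, F: 0.95, H: 1.0, ND: 1.0 },   // exploitability
  RL: { OF: 0.87, TF: 0.90, W: 0.95, U: 1.0, ND: 1.0 }, // remediation level
  RC: { UC: 0.90, UR: 0.95, C: 1.0, ND: 1.0 },          // report confidence
};
const BASE_METRICS = ['AV', 'AC', 'Au', 'C', 'I', 'A'];

// CVSS v2 rounds every score to one decimal place.
function round1(x) {
  return Math.round(x * 10) / 10;
}

// Parse "AV:N/AC:M/..." (NVD also wraps it in parentheses) into an object and
// reject metrics or values the specification does not define.
function parseVector(vector) {
  const metrics = {};
  for (const part of vector.replace(/^\(|\)$/g, '').split('/')) {
    const [name, value] = part.split(':');
    if (!(name in WEIGHTS) || !(value in WEIGHTS[name])) {
      throw new Error(`unknown metric or value: ${part}`);
    }
    metrics[name] = value;
  }
  for (const name of BASE_METRICS) {
    if (!(name in metrics)) throw new Error(`missing base metric ${name}`);
  }
  return metrics;
}

// Base = round(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))
//   Impact         = 10.41 * (1 - (1 - C) * (1 - I) * (1 - A))
//   Exploitability = 20 * AV * AC * Au
//   f(Impact)      = 0 when Impact is 0, otherwise 1.176
function baseScore(m) {
  const impact = 10.41 * (1 - (1 - WEIGHTS.C[m.C]) * (1 - WEIGHTS.I[m.I]) * (1 - WEIGHTS.A[m.A]));
  const exploitability = 20 * WEIGHTS.AV[m.AV] * WEIGHTS.AC[m.AC] * WEIGHTS.Au[m.Au];
  const fImpact = impact === 0 ? 0 : 1.176;
  return round1((0.6 * impact + 0.4 * exploitability - 1.5) * fImpact);
}

// Temporal = round(Base * E * RL * RC); absent temporal metrics count as ND.
function temporalScore(m, base) {
  return round1(base * WEIGHTS.E[m.E || 'ND'] * WEIGHTS.RL[m.RL || 'ND'] * WEIGHTS.RC[m.RC || 'ND']);
}

function score(vector) {
  const m = parseVector(vector);
  const base = baseScore(m);
  return { base, temporal: temporalScore(m, base) };
}

// The vector from this bulletin's NVD calculator link.
const BULLETIN_VECTOR = 'AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:W/RC:ND';
console.log(BULLETIN_VECTOR, score(BULLETIN_VECTOR)); // { base: 4.3, temporal: 3.5 }
```

For this vector, Impact is 10.41 x 0.275 = 2.86 (only integrity is partially affected), Exploitability is 20 x 1.0 x 0.61 x 0.704 = 8.59, so the base score is (1.72 + 3.44 - 1.5) x 1.176 = 4.3; the temporal factors E:U (0.85) and RL:W (0.95) then bring it down to 4.3 x 0.85 x 0.95 = 3.5. Changing the attack complexity to Low, as it would be if no user interaction were required, raises the base score to 5.0, which is why the "user must click" precondition matters to the rating.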

What has McAfee done to resolve the issue?
McAfee released patches to address this security flaw on February 17, 2015 and June 16, 2015.

Where do I download the fix?
You can download the fix from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, hotfix, patch, or version update; otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.  

McAfee may publish lists of known vulnerable and not vulnerable products if the product vulnerability is already generally known publicly, but no actionable workaround is ready yet.

Resources

For contact details: Go to http://www.mcafee.com/us/about/contact/index.html. Non-US customers - select your country from the list of Worldwide Offices.

Alternatively:
Log in to the Technical Support ServicePortal at https://mysupport.mcafee.com:
  • If you are a registered user, type your User ID and Password and click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
To download McAfee products, updates, and documentation, visit the Product Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx. For instructions on downloading, see KB56057.

To download new Beta software or to read about the latest Beta information, go to http://www.mcafee.com/us/downloads/beta-programs/index.aspx.

To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com.

For copyright, trademark attributions, and license information, go to http://us.mcafee.com/root/aboutUs.asp?id=copyright.

For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
