McAfee Security Bulletin - Data Loss Prevention Endpoint ePO extension update fixes several vulnerabilities: XSS (CVE-2015-2760), Denial of Service (CVE-2015-2757), Improper Access Control (CVE-2015-2758), and Cross-Site Request Forgery (CVE-2015-2759)
Security Bulletins ID:   SB10111
Last Modified:  5/12/2017

Summary

 Who Should Read This Document:  Technical and Security Personnel
 Impact of Vulnerability:  Cross-Site Scripting (XSS) (CWE-79)
 Denial of Service (CWE-400)
 Improper Access Control (CWE-287)
 Cross-Site Request Forgery (CWE-352)
 CVE Numbers:  CVE-2015-2760
 CVE-2015-2757
 CVE-2015-2758
 CVE-2015-2759
 CERT/CC and Other Numbers:  None
 Severity Rating:  Medium
 Base / Overall CVSS Scores:  See description below
 Recommendations:  Install or update to 9.3 Patch 4 Hotfix 16 (9.3.416.4)
 Security Bulletin Replacement:  None
 Caveats:  None
 Affected Software:  DLP Endpoint (DLPe) 9.3.400 and earlier
 Location of Updated Software:  http://www.mcafee.com/us/downloads/downloads.aspx

Description

DLP Endpoint ePO extension is vulnerable to four issues. The first three require an authenticated ePO account; the fourth requires only that a legitimate user be logged in to the console:
  • An authenticated ePO user can inject arbitrary browser script content into another user’s browsing session through Cross Site Scripting. Injected content may contain malicious JavaScript designed to exploit or harm that user’s browser.
  • A Denial of Service vulnerability can be exploited by authenticated ePO users to lock the DLPe extension’s database or corrupt the DLPe extension’s license.
  • Specially crafted URLs may be used by authenticated ePO users to perform unauthorized tasks such as retrieving internal system information or manipulating the DLPe extension’s database.
  • A Cross Site Request Forgery attack may be performed against authenticated ePO users (for example, by luring a logged-in user to attacker-controlled web content) to disclose sensitive information or manipulate the DLPe extension’s database with that user’s authority.
Affected Components:
  • DLPe ePO extension 9.3.400 and earlier
These issues are resolved in McAfee DLPe 9.3 Patch 4 Hotfix 16 released on March 25, 2015.
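
The bulletin does not publish the affected request paths, so the following is an added, generic illustration of the two web-class flaws it describes (CWE-352 and CWE-79), not code from McAfee or from the DLPe extension. The handler, parameter and header names, the console origin, and the in-memory "database" are all hypothetical; the point is the difference between a state-changing handler that trusts the session cookie alone and echoes input unencoded, and one that requires a same-origin request plus a session-bound token and encodes on output.

```python
import hmac
import html
import secrets

# Constructed illustration of CWE-352 / CWE-79 in the shape of a web-console
# request handler. Nothing here is McAfee code; all names are hypothetical.

CONSOLE_ORIGIN = "https://epo.example.internal"   # hypothetical console origin


def new_session(user):
    """Server-side session. The hardened handler requires the per-session
    anti-CSRF token minted here to be echoed back in every state-changing request."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def handle_vulnerable(session, request, db):
    """Vulnerable form.
    CWE-352: the write is authorised by the session cookie alone, so a forged POST
    auto-submitted from an attacker's page inside a logged-in admin's browser is
    honoured with that admin's authority.
    CWE-79: 'name' is interpolated into the HTML response without output encoding."""
    if session is None:
        return 401, "login required"
    name = request["params"]["name"]
    db[request["params"]["id"]] = name
    return 200, "<p>Saved rule " + name + "</p>"


def handle_hardened(session, request, db, console_origin=CONSOLE_ORIGIN):
    """Hardened form: same-origin check, then a session-bound secret token compared
    in constant time, before any state change; HTML-encode user data on output."""
    if session is None:
        return 401, "login required"
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if origin.rstrip("/") != console_origin and not origin.startswith(console_origin + "/"):
        return 403, "cross-site request rejected"
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    name = request["params"]["name"]
    db[request["params"]["id"]] = name
    return 200, "<p>Saved rule " + html.escape(name, quote=True) + "</p>"


def forged_request(payload):
    """What the victim's browser sends when an attacker page submits a form to the
    console: the session cookie rides along automatically, the token does not."""
    return {"headers": {"Origin": "https://attacker.example"},
            "params": {"id": "rule-1", "name": payload}}


def legitimate_request(session, name):
    """A request issued by the console's own page, carrying the session token."""
    return {"headers": {"Origin": CONSOLE_ORIGIN},
            "params": {"id": "rule-1", "name": name, "csrf_token": session["csrf_token"]}}


def demo():
    """Run both handlers against a forged and a legitimate request.
    Returns {case: (status, stored value, raw <script> present in response)}."""
    admin = new_session("epoadmin")
    payload = "<script>alert(document.cookie)</script>"   # constructed XSS probe
    results = {}

    db = {}
    status, body = handle_vulnerable(admin, forged_request(payload), db)
    results["vulnerable_forged"] = (status, db.get("rule-1"), "<script>" in body)

    db = {}
    status, body = handle_hardened(admin, forged_request(payload), db)
    results["hardened_forged"] = (status, db.get("rule-1"), "<script>" in body)

    db = {}
    status, body = handle_hardened(admin, legitimate_request(admin, payload), db)
    results["hardened_legit"] = (status, db.get("rule-1"), "<script>" in body)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The forged request is written with the vulnerable handler (database modified, script tag echoed verbatim) and rejected with 403 by the hardened one before any write; the legitimate request succeeds and the probe comes back HTML-encoded. The Origin/Referer check and the token are deliberately independent layers, since some proxies strip Referer and some clients omit Origin.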

CVE-2015-2760
Cross-site scripting (XSS) vulnerability in the ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2760

CVE-2015-2757
The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allows remote authenticated users to cause a denial of service (database lock or license corruption) via unspecified vectors.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2757

CVE-2015-2758
The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allows remote authenticated users to obtain sensitive information, modify the database, or possibly have other unspecified impact via a crafted URL.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2758

CVE-2015-2759
Multiple cross-site request forgery (CSRF) vulnerabilities in the ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allow remote attackers to hijack the authentication of users for requests that (1) obtain sensitive information or (2) modify the database via unspecified vectors.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2759
 
(CWE-79) Cross-Site Scripting (XSS)
https://cwe.mitre.org/data/definitions/79.html
 
(CWE-400) Denial of Service (MITRE's title for CWE-400 is Uncontrolled Resource Consumption)
https://cwe.mitre.org/data/definitions/400.html
 
(CWE-287) Improper Access Control (MITRE's title for CWE-287 is Improper Authentication)
https://cwe.mitre.org/data/definitions/287.html
 
(CWE-352) Cross-Site Request Forgery
https://cwe.mitre.org/data/definitions/352.html

Remediation

Install DLPe 9.3 Patch 4 Hotfix 16 ePO extension on affected systems.

Go to the McAfee Downloads site and download the applicable product patch/hotfix file:
 
 Product:  DLPe 9.3 Patch 4 Hotfix 16
 Type:  Patch
 Version:  9.3.416.4
 File Name:  McAfeeDLPEndPoint93Patch4HF16Licensed.zip
 Release Date:  March 25, 2015

Additional Patch/Hotfix Information:
This patch only needs to be applied to systems running the DLPe ePO extension, that is, the ePO server. The DLPe client software installed on endpoints is not among the affected components of this bulletin.

McAfee Product Download Instructions
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
  3. Provide your valid McAfee Grant Number.
  4. Click your product suite.
  5. Click the applicable product (see table above) and click I Agree.
  6. Click the Patches tab and click the link to download the product .ZIP file under the Product column.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.

For instructions on how to install/upgrade this hotfix/patch, please review the Release Notes and the Installation Guide (which you can download from the Documentation tab) following the same steps above.

Workaround

None. Install the provided patch.

Mitigations
None

Acknowledgements

McAfee credits François-Xavier Stellamans from NCI Agency - Cyber Security for reporting these flaws.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

How do I know if my McAfee product is vulnerable or not?
The vulnerable component is the DLPe ePO extension, so check the extension version on the ePO server (in the ePO console, installed extensions and their versions are listed under Menu > Software > Extensions). Any DLPe extension version below 9.3.416.4 is unpatched. The endpoint client version can be checked as follows, but it does not by itself indicate whether the ePO extension has been updated:
  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, select Action Menu.
  4. In the Action Menu, select Product Details. The product version is displayed.
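Version comparison is where patch-status checks usually go wrong: the summary lists "9.3.400 and earlier" while the CVE entries say "before 9.3 Patch 4 Hotfix 16 (9.3.416.4)", and inventory exports mix three- and four-component version strings. The following is an added example, not McAfee tooling, that compares a DLPe ePO extension version against the fixed build numerically and triages a constructed extension inventory. The extension display name and the inventory rows are assumptions.

```python
FIXED_VERSION = "9.3.416.4"   # DLPe 9.3 Patch 4 Hotfix 16, per this bulletin


def parse_version(text):
    """'9.3.416.4' -> (9, 3, 416, 4). Non-numeric components raise, so a typo in
    an inventory export fails loudly rather than silently comparing as fixed."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter versions are zero-padded, so
    '9.3.416' == '9.3.416.0' and '9.3.400' < '9.3.416.4' (no string compare)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(installed):
    """True when the DLPe ePO extension is below 9.3.416.4. Any 9.3.4xx build
    below the hotfix is treated as unpatched, following the CVE wording
    ('before 9.3.416.4') rather than the looser '9.3.400 and earlier'."""
    return compare_versions(installed, FIXED_VERSION) < 0


def triage(inventory, extension_name="DLP Endpoint"):
    """inventory: iterable of (epo_server, extension_name, version) rows, as one
    might export from the ePO Extensions page. Returns (server, version) pairs
    still needing HF16. Only the DLPe ePO extension is in scope; other
    extensions and endpoint client versions are ignored. The display name
    'DLP Endpoint' is an assumption, not a documented identifier."""
    needs_patch = []
    for server, extension, version in inventory:
        if extension != extension_name:
            continue
        if is_affected(version):
            needs_patch.append((server, version))
    return needs_patch


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    ("epo-prod-01", "DLP Endpoint", "9.3.400"),
    ("epo-prod-02", "DLP Endpoint", "9.3.416.4"),
    ("epo-lab-01",  "DLP Endpoint", "9.3.416.3"),
    ("epo-lab-02",  "DLP Endpoint", "9.3.500"),
    ("epo-prod-01", "Policy Auditor", "6.2.0"),
]

if __name__ == "__main__":
    for server, version in triage(SAMPLE_INVENTORY):
        print("%s: DLPe extension %s is below %s, install HF16"
              % (server, version, FIXED_VERSION))
```

Run against the sample rows it reports epo-prod-01 (9.3.400) and epo-lab-01 (9.3.416.3) and nothing else; a plain string comparison would have ranked "9.3.416.3" above "9.3.416.4" correctly but "9.3.500" below "9.3.416.4", which is the mistake the numeric compare avoids.
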
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.
 
What are the CVSS scoring metrics that have been used?

CVE-2015-2760: Cross Site Scripting vulnerability 
 
 Base Score 6.6
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) High
 Level of authentication needed (Authentication) Single
 Confidentiality impact Complete
 Integrity impact Complete
 Availability impact None
 Temporal Score (Overall) 4.9
 Availability of exploit (Exploitability) Unproven that exploit exists
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:C/I:C/A:N/E:U/RL:OF/RC:C)

CVE-2015-2757: Denial of Service
 
 Base Score 6.3
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single
 Confidentiality impact None
 Integrity impact None
 Availability impact Complete
 Temporal Score (Overall) 4.9
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C)

CVE-2015-2758: Improper Access Control
 
 Base Score 4
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Low
 Level of authentication needed (Authentication) Single
 Confidentiality impact Partial
 Integrity impact None
 Availability impact None
 Temporal Score (Overall) 3.1
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C)

CVE-2015-2759: Cross-Site Request Forgery
 
 Base Score 4.9
 Related exploit range (AccessVector) Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single
 Confidentiality impact Partial
 Integrity impact Partial
 Availability impact None
 Temporal Score (Overall) 3.8
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

What has McAfee done to resolve the issue?
McAfee has released a hotfix (DLPe 9.3 Patch 4 Hotfix 16, extension version 9.3.416.4) to address these four security flaws.

Where do I download the fix?
You can download the fix from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, hotfix, patch, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. 

McAfee may publish lists of known vulnerable and not vulnerable products if the product vulnerability is already generally known publicly, but no actionable workaround is ready yet.
 
Where can I find a list of all Security Bulletins?
To view all published Security Bulletins, visit the McAfee ServicePortal at https://mysupport.mcafee.com, click Knowledge Center, and select Security Bulletins in the left navigation pane under Content Source. Alternatively, you can use this link: https://support.mcafee.com/ServicePortal/faces/knowledgecenter?s=true&lang=en-us&sm=false&tab=SCtdl&facets=Security+Bulletin@INQUIRA_TYPE&sb=mostViewed&sbv=numberofviews%3Anumberdecreasing&scps=q.
 
If you know the Security Bulletin ID, use the following link after replacing the example Security Bulletin ID (SB10071) with the Security Bulletin ID you are searching for: https://kc.mcafee.com/corporate/index?page=content&id=SB10071.
 
How do I report a product vulnerability?
If you have information about a security issue or vulnerability with a McAfee product, please visit our product security website at: http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx#=tab-vulnerability.

Resources

For contact details: Go to http://www.mcafee.com/us/about/contact/index.html. Non-US customers - select your country from the list of Worldwide Offices.

Alternatively:
Log into the McAfee Technical Support ServicePortal at https://mysupport.mcafee.com:
  • If you are a registered user, type your User ID and Password and click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx. For instructions on downloading, see KB56057.

To download new Beta software or to read about the latest Beta information, go to http://www.mcafee.com/us/downloads/beta-programs/index.aspx.

To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com.

For copyright, trademark attributions, and license information, go to http://us.mcafee.com/root/aboutUs.asp?id=copyright.

For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
