-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0046
        A number of vulnerabilities have been identified in McAfee
              Email and Web Security and McAfee Email Gateway
                               30 March 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee Email and Web Security
                      McAfee Email Gateway
Operating System:     Network Appliance
Impact/Access:        Cross-site Scripting     -- Remote with User Interaction
                      Read-only Data Access    -- Existing Account            
                      Access Confidential Data -- Existing Account            
                      Unauthorised Access      -- Existing Account            
                      Reduced Security         -- Existing Account            
Resolution:           Patch/Upgrade
Member content until: Sunday, April 29 2012

OVERVIEW

        A number of vulnerabilities have been identified in McAfee Email and
        Web Security prior to version 5.5 Patch 6, and McAfee Email Gateway
        prior to version 7.0 Patch 1.


IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:
        
        "NGS00153  Reflected XSS
        McAfee Email and Web Security Appliance Software 5.x/ McAfee Email 
        Gateway 7.0 is prone to reflective XSS allowing an attacker to gain 
        session tokens and run arbitrary Javascript in the context of the 
        administrator's browser and the McAfee Security Appliance Management 
        Console/Dashboard.
        
        NGS00154  Logout Failure
        When an administrator closes the Management console/Dashboard without 
        clicking logout and returns to the Dashboard later, they appear to be 
        logged out; however, this is simply the state of the Javascript in their 
        browser, and the session token is still active on the server side. If 
        an attacker gains a session cookie (perhaps using XSS, or by some other 
        means), they can make a dummy login attempt (with a dummy password) and 
        simply edit the (failure) response. They will then be logged in, and can 
        use the Dashboard as if they had logged in as the administrator.
        
        NGS00155  Password Reset issue 
        Any logged-in user can bypass controls to reset passwords of other 
        administrators.
        
        NGS00156  Session Disclosure
        Active session tokens of other users are disclosed within the Dashboard.
        
        NGS00157  Weak Encryption of Backups
        Password hashes can be recovered from a system backup and easily cracked.
        
        NGS00158  File Download Issue
        Arbitrary file download is possible with a crafted URL, when logged in 
        as any user.
        
        NGS00159  File Content Leakage
        File contents disclosure as if root user, when logged in as any 
        user." [1]
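        The NGS00154 description turns on one design point: a logout that only
        resets browser-side JavaScript state leaves the server-side session
        alive, so a captured token keeps working and the client's own
        "logged out" belief is irrelevant to what the server will serve. The
        following is an added illustration written for this bulletin, not
        McAfee's code: a constructed session store and console model whose
        names (SessionStore, Console, the 900-second idle limit, the
        constructed credential) are assumptions. The flawed variant clears
        client state only; the hardened variant revokes the token server-side
        on logout and also expires sessions left idle, so a dashboard left open
        and revisited later no longer works without re-authentication.

```python
import secrets
import time

# Added illustration of the session-handling flaw described under NGS00154.
# Everything here (SessionStore, Console, the idle limit, the credential) is a
# constructed model for this example, not McAfee's code or API.

IDLE_LIMIT_SECONDS = 900  # assumed idle timeout for the hardened variant
USERS = {"admin": "constructed-password"}  # constructed credential store


class SessionStore:
    """Server-side record of the tokens that are currently valid."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> (username, last_seen)
        self._clock = clock

    def create(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._clock())
        return token

    def user_for(self, token, idle_limit=None):
        """Return the user bound to a token, or None if it is not valid.

        Authorisation happens here, against server state, on every request;
        nothing the browser claims about being logged in or out is trusted.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        if idle_limit is not None and self._clock() - last_seen > idle_limit:
            del self._sessions[token]  # idle session expires server-side
            return None
        self._sessions[token] = (username, self._clock())
        return username

    def revoke(self, token):
        """Invalidate a token so a captured copy can no longer be replayed."""
        self._sessions.pop(token, None)


class Console:
    """A management console; `server_side_logout` selects the behaviour."""

    def __init__(self, server_side_logout, idle_limit=None, clock=time.time):
        self.store = SessionStore(clock)
        self.server_side_logout = server_side_logout
        self.idle_limit = idle_limit
        self.client_thinks_logged_in = False  # the JavaScript's own state

    def login(self, username, password):
        if USERS.get(username) != password:
            return None  # failure response: no token is issued at all
        self.client_thinks_logged_in = True
        return self.store.create(username)

    def logout(self, token):
        self.client_thinks_logged_in = False  # what the JavaScript does
        if self.server_side_logout:
            self.store.revoke(token)  # the step the flawed console lacks

    def dashboard(self, token):
        """HTTP status the server returns for a dashboard request."""
        user = self.store.user_for(token, self.idle_limit)
        return 200 if user is not None else 403


def demo():
    """Replay a previously issued token against both variants."""
    results = {}

    flawed = Console(server_side_logout=False)
    token = flawed.login("admin", USERS["admin"])
    flawed.logout(token)
    # Browser state says "logged out", yet the token still serves the dashboard.
    results["flawed_client_state"] = flawed.client_thinks_logged_in
    results["flawed_after_logout"] = flawed.dashboard(token)

    now = [1_000_000.0]  # controllable clock for the idle-timeout check
    hardened = Console(server_side_logout=True, idle_limit=IDLE_LIMIT_SECONDS,
                       clock=lambda: now[0])
    token = hardened.login("admin", USERS["admin"])
    results["hardened_before_logout"] = hardened.dashboard(token)
    hardened.logout(token)
    results["hardened_after_logout"] = hardened.dashboard(token)

    # A dashboard closed without logout expires once idle for too long.
    token = hardened.login("admin", USERS["admin"])
    now[0] += IDLE_LIMIT_SECONDS + 1
    results["hardened_after_idle"] = hardened.dashboard(token)

    # A failed login yields no token, so the failure response carries no state
    # worth editing; authorisation depends only on what the server recorded.
    results["failed_login_token"] = hardened.login("admin", "wrong")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

        The point for defenders reviewing any management console is the same
        one the vendor text makes: the authoritative login state is the
        server's session table, so logout must revoke there, idle sessions
        must expire there, and a response body the browser can edit must never
        be what decides whether a request is authorised.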


MITIGATION

        The vendor recommends upgrading to the latest versions of McAfee Email 
        and Web Security and McAfee Email Gateway to correct these issues. [1]


REFERENCES

        [1] McAfee Security Bulletin - EWS 5.5, 5.6, and MEG 7 patches resolve
            multiple issues
            https://kc.mcafee.com/corporate/index?page=content&id=SB10020

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----