Operating System:

[Appliance]

Published:

13 August 2013

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ASB-2013.0100 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0100
     A vulnerability has been identified in multiple McAfee products.
                              13 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Email and Web Security Appliances (EWS) 5.6
                      McAfee Email Gateway (MEG) 7.0. 7.5
                      McAfee Web Gateway (MWG) 7.3.2
                      McAfee Firewall Enterprise (MFE) 8.2.1, 8.3.1
Operating System:     Network Appliance
Impact/Access:        Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-4854  
Member content until: Thursday, September 12 2013
Reference:            ASB-2013.0093
                      ESB-2013.1037
                      ESB-2013.1032
                      ESB-2013.1021
                      ESB-2013.1020
                      ESB-2013.1019

OVERVIEW

        A vulnerability in has been identified in the following McAfee 
        products:
        
        	Email and Web Security Appliances (EWS) 5.6
        	McAfee Email Gateway (MEG) 7.0. 7.5
        	McAfee Web Gateway (MWG) 7.3.2
        	McAfee Firewall Enterprise (MFE) 8.2.1, 8.3.1 [1]


IMPACT

        The vendor has provided the following details regarding this issue:
        
        "CVE-2013-4854 describes a vulnerability in ISC BIND. A specially 
        crafted query that includes malformed RDATA can cause named1 to 
        terminate with an assertion failure while rejecting the malformed 
        query.
        
        The listed McAfee products use the BIND server (named) as a local 
        caching DNS server to reduce the number of remote DNS queries they 
        have to perform, resulting in improved performance. By default, 
        these products do not listen for remote DNS queries. Only McAfee 
        Firewall Enterprise (MFE) includes an option to configure and 
        respond to remote queries.
        
        If the local BIND server receives one of the malformed queries, all
        listed products will fail closed in a manner that does not leave the
        Appliance in a state that will allow traffic that the configuration
        normally disallows. Should the BIND server unexpectedly stop 
        (crash), all McAfee Appliances will restart the BIND services and 
        normal operation will continue.
        
        Due to the nature of the products, how they utilize Bind, and their
        fail closed architecture, there is minimal risk that the Appliances
        may be successfully subverted through this BIND vulnerability. If 
        you calculate a CVSS environment score, please factor in the 
        mitigations designed into McAfee Appliances." [1]


MITIGATION

        The vendor recommends applying the latest patch to correct these
        issues. [1]


REFERENCES

        [1] McAfee Security Bulletin - Updates for multiple McAfee Network
            products resolve BIND vulnerability
            https://kc.mcafee.com/corporate/index?page=content&id=SB10052

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUgmLuhLndAQH1ShLAQIBBxAAkiJ26YrVo0GrubGZ8h/NxLzv7wzrO6E1
uz3ibS/t9JO9YoFSvfQq7O+S/kE40D1e/0Ft9PpqdC8+Rw9CboryKhtwRxDW4qYC
Cy1Eyuzsr5eVMZPMRZZIL5WrB0TERegImrHTLNApfT55xeeDgWsAJNtlRM09Jng3
JXVTQ/adjN+fA3jrGt56Y/a6IbsOobjN1OXhp2cDFXnFixwO0xqyQ+M65kxG2+Xc
ras0CZIinFBhDcMiLvuHnFxBOQer0zqjF06g0DQPeU7kizVxEWzgYLNgIOSpe+UM
yyP9/mbQKXcDiLVKtspHvR0wnywslpQRxUuK9B4a3rbu7raSRiAUxS65eEX1yxYv
zUMjzZhWBy+7Ytk9SU1tcfkQx21PjxH6Vwcl1MZ5nWyRlSkiT6zSgHq9NZshrLXA
YDoSajaowC/JYsJCfaHdTFSLLZpuwS9IzaOgoCyM4JpQP7uVKtWimesF9dzVJj/j
eg17CbNxD7Z3po7QXtw25M7gKhOBnbguE6O/V5kchNcnY+qVXiWZHTtIxmToJGln
RKXx0g84e4otQwsT1o157kdakjQdU+a6mfsTYvcjes73V7Y55uR+oukaYWKkOFY8
Vil2b/Xw3lM3v1YDnBKpY7nlge6zMC+NFg98l92iFZ6B/1m/7psU63NIOd0SfpSS
n7Tr0Y0m2Ow=
=1VKo
-----END PGP SIGNATURE-----