===========================================================================
AUSCERT Security Bulletin

ASB-2014.0033
A vulnerability exists in McAfee Web Gateway.
21 March 2014
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              McAfee Web Gateway
Operating System:     Network Appliance
Impact/Access:        Read-only Data Access -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-2535
Member content until: Sunday, April 20 2014

OVERVIEW

A vulnerability has been identified in McAfee Web Gateway (MWG) prior to
MWG 7.4.1 and MWG 7.3.2.6. [1]

IMPACT

The vendor has provided the following details regarding these
vulnerabilities:

"This update resolves an issue involving information leakage to
end-users. By sending specially crafted requests to the MWG web filtering
port, any end-user is able to download any file from the Appliance that
the Unix user mwg has read access to." [1]

MITIGATION

The vendor recommends updating to the latest version of McAfee Web
Gateway (MWG). [1]

REFERENCES

[1] McAfee Security Bulletin – Web Gateway Patch fixes Directory
    Traversal information leakage vulnerability
    https://kc.mcafee.com/corporate/index?page=content&id=SB10063

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================