-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0033
               A vulnerability exists in McAfee Web Gateway.
                               21 March 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee Web Gateway
Operating System:     Network Appliance
Impact/Access:        Read-only Data Access -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-2535  
Member content until: Sunday, April 20 2014

OVERVIEW

        A vulnerability has been identified in McAfee Web Gateway (MWG) prior 
        to MWG 7.4.1 and MWG 7.3.2.6. [1]


IMPACT

        The vendor has provided the following details regarding this
        vulnerability:
        
        "This update resolves an issue involving information leakage to 
        end-users.
        
        By sending specially crafted requests to the MWG web filtering port, 
        any end-user is able to download any file from the Appliance that the 
        Unix user mwg has read access to." [1]


MITIGATION

        The vendor recommends updating to the latest version of McAfee Web 
        Gateway (MWG). [1]
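
        The following is an added example, not part of the AusCERT or vendor
        text: a branch-aware check of appliance version strings against the
        two fixed releases named above. It assumes 7.3.2.6 is the fix for the
        7.3 branch and 7.4.1 for the 7.4 branch; the inventory is constructed.

```python
import re

# Fixed releases named in the bulletin, keyed by (major, minor) branch.
# Assumption: 7.3.2.6 fixes the 7.3 branch and 7.4.1 fixes the 7.4 branch.
FIXED = {(7, 3): (7, 3, 2, 6), (7, 4): (7, 4, 1)}


def parse_version(text):
    """Return a dotted numeric version as a tuple of ints, or None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        return None
    return tuple(int(part) for part in text.split("."))


def _pad(a, b):
    """Zero-pad two version tuples to equal length (7.4.1 == 7.4.1.0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def triage(version_text):
    """Classify one version string as 'affected', 'fixed' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # do not guess; flag for manual review
    branch = version[:2]
    if branch in FIXED:
        have, need = _pad(version, FIXED[branch])
        return "fixed" if have >= need else "affected"
    # Assumption: branches older than 7.3 predate both fixed releases,
    # and branches newer than 7.4 are later than 7.4.1.
    return "affected" if branch < (7, 3) else "fixed"


def triage_inventory(inventory):
    """Map each host in {host: version} to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE = {"mwg-a.example": "7.4.0", "mwg-b.example": "7.3.2.6",
          "mwg-c.example": "7.3.2.10", "mwg-d.example": "n/a"}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

        Comparing every version against 7.4.1 alone would wrongly report a
        patched 7.3.2.6 appliance as affected, and comparing version strings
        as text would wrongly order 7.3.2.10 before 7.3.2.6.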


REFERENCES

        [1] McAfee Security Bulletin – Web Gateway Patch fixes Directory
            Traversal information leakage vulnerability
            https://kc.mcafee.com/corporate/index?page=content&id=SB10063

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----