===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0115
  Numerous McAfee security products affected by GNU Bash vulnerabilities
                              7 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee products
Operating System:     Network Appliance
                      Virtualisation
                      Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-7187 CVE-2014-7186 CVE-2014-7169
                      CVE-2014-6278 CVE-2014-6277 CVE-2014-6271
Member content until: Thursday, November  6 2014

OVERVIEW

        It has been discovered that several well-known Bash vulnerabilities
        affect numerous McAfee products. [1]
        
        The vendor advises the following products are vulnerable, and have 
        been updated:
        
        GTI Proxy 2.0
        McAfee Email Gateway (MEG)
        McAfee Firewall Enterprise Control Center (MFE CC)
        McAfee Security Information and Event Management (SIEM) / Nitro 
        McAfee Web Gateway (MWG) 
        Network Data Loss Prevention (NDLP) 
        Next-Generation Firewall (NGFW) / Stonesoft [1]
        
        The vendor advises the following products, though vulnerable, 
        have not yet been updated:
        
        Email and Web Security (EWS) 
        McAfee SSL VPN (VPN) [1]
        
        The vendor also states the following products, though vulnerable, are 
        considered low risk, if deployed using best practices:
        
        Boot Attestation Service (BAS) / Open Virtual Appliance (OVA)
        GTI Proxy / GTI Private Cloud (File Reputation)
        McAfee Advanced Threat Defense (MATD)
        McAfee Asset Manager (MAM)
        McAfee Cloud Single Sign On (MCSSO) / McAfee Cloud Identity Manager 
          (MCIM)
        Management for Optimized Virtual Environments AntiVirus (MOVE AV)
        Management for Optimized Virtual Environments AntiVirus Security 
          Virtual Appliance (MOVE SVA)
        Management for Optimized Virtual Environments AntiVirus Security 
          Virtual Appliance Manager (MOVE SVA Manager)
        Management for Optimized Virtual Environments Firewall (MOVE Firewall)
        McAfee MOVE Scheduler (MOVE AV Scheduler)
        Network Access Control (NAC)
        Network Security Platform (NSP)
        SaaS Account Management (SAM)
        SaaS Email Archiving
        SaaS Email Protection and Continuity
        SaaS Web Protection [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        CVE-2014-6271: "GNU Bash through 4.3 processes trailing strings 
        after function definitions in the values of environment variables."
        [1]
        
        CVE-2014-7169: "GNU Bash through 4.3 Bash43-025 processes trailing 
        strings after certain malformed function definitions in the values 
        of environment variables." [1]
        
        CVE-2014-7186: "The redirection implementation in parse.y in GNU 
        Bash through 4.3 Bash43-026 allows remote attackers to cause a 
        denial of service (out-of-bounds array access and application crash)
        or possibly have unspecified other impact via crafted use of here 
        documents, aka the "redir_stack" issue." [1]
        
        CVE-2014-7187: "Off-by-one error in the read_token_word function in
        parse.y in GNU Bash through 4.3 Bash43-026 allows remote attackers 
        to cause a denial of service (out-of-bounds array access and 
        application crash) or possibly have unspecified other impact via 
        deeply nested for loops, aka the "word_lineno" issue." [1]
        
        The vendor notes that some vulnerabilities exist due to incomplete 
        patches provided for previously identified vulnerabilities.
        
        "Incomplete Vendor Patches: Early patches from vendors are not 
        always complete or accurate. More issues in the parser have been 
        discovered that are just as serious as the original vulnerability.
        
        Vendor Patch Vulnerability IDs
        
        CVE-2014-6277:
        NOTE: This vulnerability exists because of an incomplete fix for 
        CVE-2014-6271 and CVE-2014-7169.
        
        CVE-2014-6278:
        NOTE: This vulnerability exists because of an incomplete fix for 
        CVE-2014-6271 and CVE-2014-7169." [1] 
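
        The following is an added example, not part of the vendor's or
        AusCERT's text: a heuristic check that flags environment values shaped
        like the CVE-2014-6271 and CVE-2014-7169 descriptions above (a function
        definition followed by trailing text, or one that never closes). The
        names classify, scan and SAMPLE_ENV and all sample values are
        constructed for illustration.

```python
import re

# Bash recognised an exported function by an environment value beginning with
# "() {"; this pattern is slightly looser about whitespace (assumption).
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

def classify(value):
    """Return 'plain', 'function-only', 'trailing' or 'malformed'."""
    m = FUNC_PREFIX.match(value)
    if not m:
        return "plain"
    depth, i, quote = 1, m.end(), None
    while i < len(value) and depth:
        ch = value[i]
        if quote:                      # inside '...' or "..."
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "\\":               # skip the escaped character
            i += 1
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        i += 1
    if depth:                          # body never closed
        return "malformed"
    rest = value[i:].strip(" \t;")     # anything left after the body closes
    return "trailing" if rest else "function-only"

def scan(env):
    """Map each suspicious variable name to its classification."""
    findings = {}
    for name, value in env.items():
        verdict = classify(value)
        if verdict != "plain":
            findings[name] = verdict
    return findings

# Constructed sample environment; none of these values come from the bulletin.
SAMPLE_ENV = {
    "LANG": "en_AU.UTF-8",
    "X_TRAILING": "() { :; }; echo trailing-marker",
    "X_UNCLOSED": "() { echo unterminated",
    "X_FUNC": "() { echo hi; }",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_ENV).items():
        print(f"{name}: {verdict}")
```

        The brace matching is a heuristic and does not reproduce Bash's
        parser; treat "trailing" and "malformed" results as items to review.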


MITIGATION

        The vendor recommends users of known vulnerable McAfee products:
        
        "Go to the McAfee Downloads site and download the applicable product
        patch/hotfix file". [1]


REFERENCES

        [1] McAfee Security Bulletin - Bash Shellshock Code Injection Exploit
            Updates for CVE-2014-6271 and CVE-2014-7169
            https://kc.mcafee.com/corporate/index?page=content&id=SB10085

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================