Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2015.0114.2
An authentication bypass vulnerability has been fixed in
SIEM ESM, ESMREC, and ESMLM
9 December 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: McAfee Enterprise Security Manager
McAfee Enterprise Security Manager/Log Manager
McAfee Enterprise Security Manager/Receiver
Operating System: Windows
Linux variants
Mac OS
Impact/Access: Administrator Compromise -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2015-8024
Member content until: Monday, January 4 2016
Revision History: December 9 2015: Removed reference to McAfee Agent
December 7 2015: Initial Release
OVERVIEW
A vulnerability has been identified in McAfee Enterprise Security
Manager (ESM), Enterprise Security Manager/Log Manager (ESMLM), and
Enterprise Security Manager/Receiver (ESMREC) 9.3.x before
9.3.2MR19, 9.4.x before 9.4.2MR9, and 9.5.x before 9.5.0MR8. [1]
IMPACT
The vendor has provided the following information about the
vulnerability (CVE-2015-8024):
"A specially crafted username can bypass SIEM ESM authentication
(password is not validated) if the ESM is configured to use Active
Directory or LDAP authentication sources. This can result in the
attacker gaining NGCP (master user) access to the ESM." [1]
MITIGATION
The vendor has provided the following workaround:
"The ESM administrator can disable all Active Directory and LDAP
authentication sources in the ESM."
There are also patches available. [1]
REFERENCES
[1] Intel Security - Security Bulletin: SIEM ESM, ESMREC, and ESMLM
updates fix authentication bypass vulnerability
https://kc.mcafee.com/corporate/index?page=content&id=SB10137
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVmePdH6ZAP0PgtI9AQLixhAAjSAiQXYZgw5axUArVd6NsbcOOFbiFW0w
m87htT794DoudJg9MJfKWrYELCaebj2kKO2MNJnawlT33/IBmerIAE786ZvL450/
tgyKRlSWhNyoxqD1xH3h9oRp7Vy+YHMt5w1aXO5L5oJHUQWf4OX8iydTMnI8D09U
hRWpj9HznusUytEYiblK4YsYMw6JfIVn6Bx57FjNYPiBqd8X3gpcL8MuZsKQqjPI
7aGjXSQo15LgqAkl7tA4BeGbksqa0cdPQovD5idYNzyMmD/semMZ//CZ+S87uETR
ZL7CWtulZ6a67yAJ7rXG7KeGs/7aROy2bOchCFEGKu02QdtktnM+S2ITBuxVz/dx
6PY5UluqaltqyXFQlBNhKVd2s6pvgasiD51EaW7kI5jWxntA4ZXSaINv9D623GRv
rXO/ny7hVRdr3Ew0aD/jRlCSHoibBW9CKQAnHJWp2ANtiS+1qtoh32q51C1MaTvY
Ep7croYdmxFhWDnlHesbAHgPvSNDKs4FZfMqb9Bv7x56x+2fow1fMUmgkk7zC3ma
ueQMT+WSUVeyqvsLbS3jP56qtFfJLjLczUyYuFGtcUjGGLqUMDh+PLTCGulwnK2o
56Fka9lHd7IjNsalDv2p+8Sv7Vw1wUkpLZKdxVJuTtTulLIOhDO1Lo0hfiqzwXVq
2zJUS65l6YA=
=JFVH
-----END PGP SIGNATURE-----