===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2019.0059.2
  McAfee Security Bulletin - Web Gateway updates fix five vulnerabilities
                             18 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee Web Gateway
Operating System:     Windows
                      Linux variants
                      Virtualisation
Impact/Access:        Access Privileged Data         -- Remote/Unauthenticated
                      Provide Misleading Information -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-16395 CVE-2018-15473 CVE-2018-10846
                      CVE-2018-10845 CVE-2018-10844 
Member content until: Wednesday, March 20 2019
Reference:            ESB-2019.0473
                      ESB-2018.3717
                      ESB-2018.3467
                      ESB-2018.3444
                      ESB-2018.3309

Revision History:     February 18 2019: Corrected Impact/Access analysis.
                      February 18 2019: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in McAfee Web Gateway.


IMPACT

        Details of the vulnerabilities can be found below:
        
        "CVE-2018-15473:
        OpenSSH is prone to a user enumeration vulnerability due to not delaying
        bailout for an invalid authenticating user until after the packet
        containing the request has been fully parsed.
        https://nvd.nist.gov/vuln/detail/CVE-2018-15473
        
        CVE-2018-16395:
        An issue was discovered in the OpenSSL library in Ruby. When two
        OpenSSL::X509::Name objects are compared using ==, depending on the
        ordering, non-equal objects may return true.
        https://nvd.nist.gov/vuln/detail/CVE-2018-16395
        
        CVE-2018-10844:
        It was found that GnuTLS's implementation of HMAC-SHA-256 was vulnerable to
        a Lucky Thirteen-style attack. A remote attacker could use this flaw to
        conduct distinguishing attacks and plain text recovery attacks via
        statistical analysis of timing data using crafted packets.
        https://nvd.nist.gov/vuln/detail/CVE-2018-10844
        
        CVE-2018-10845:
        It was found that GnuTLS's implementation of HMAC-SHA-384 was vulnerable to
        a Lucky Thirteen-style attack. A remote attacker could use this flaw to
        conduct distinguishing attacks and plain text recovery attacks via
        statistical analysis of timing data using crafted packets.
        https://nvd.nist.gov/vuln/detail/CVE-2018-10845
        
        CVE-2018-10846:
        A cache-based side channel attack was found in the way GnuTLS implements
        CBC-mode cipher suites. An attacker could use a combination of "Just in
        Time" Prime+probe and Lucky Thirteen attacks to recover plain text in a
        cross-VM attack scenario.
        https://nvd.nist.gov/vuln/detail/CVE-2018-10846"[1]


MITIGATION

        McAfee recommends installing or updating to the following versions:
        "+-------+----------+-----------+-----------------------------------+----------+
        |Product|Version   |Type       |File Name                          |Release   |
        |       |          |           |                                   |Date      |
        +-------+----------+-----------+-----------------------------------+----------+
        |MWG    |7.8.2.6   |Main       |mwgappl-7.8.2.6.0-27882-x.86_64.iso|February  |
        |       |and later |Release    |                                   |12, 2019  |
        +-------+----------+-----------+-----------------------------------+----------+
        |MWG    |8.0.3 and |Controlled |mwgappl-8.0.3-27937-x.86_64.iso    |February  |
        |       |later     |Release    |                                   |12, 2019  |
        +-------+----------+-----------+-----------------------------------+----------+" [1]
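
        A fleet check against the table above, as an added example that is
        not part of the McAfee or AusCERT bulletin. It assumes installed
        versions are reported as dotted strings or as ISO file names like
        those in the table, that the release branch is identified by the
        major version number, and it uses made-up host names.

```python
import re

# Recommended minimum versions, taken from the bulletin's table.
# Assumption: the release branch is identified by the major version number.
RECOMMENDED = {
    7: (7, 8, 2, 6),  # Main Release
    8: (8, 0, 3),     # Controlled Release
}

# Assumption: versions look like those embedded in the ISO file names,
# i.e. dotted numbers optionally followed by "-<build>".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)(?:-(\d+))?")


def parse_version(text):
    """Extract (version_tuple, build) from a version string or ISO file name."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    return parts, build


def check(text):
    """Return 'ok', 'update' or 'unknown' for one installed version."""
    version, _build = parse_version(text)
    minimum = RECOMMENDED.get(version[0])
    if minimum is None:
        return "unknown"  # branch not listed in the bulletin
    # Pad with zeros so 7.8.2.6.0 compares equal to 7.8.2.6.
    n = max(len(version), len(minimum))
    padded = version + (0,) * (n - len(version))
    wanted = minimum + (0,) * (n - len(minimum))
    return "ok" if padded >= wanted else "update"


# Constructed sample inventory (host names and versions are made up).
INVENTORY = {
    "mwg-a.example": "7.8.2.5",
    "mwg-b.example": "mwgappl-7.8.2.6.0-27882-x.86_64.iso",
    "mwg-c.example": "8.0.2-27000",
    "mwg-d.example": "8.0.3",
    "mwg-e.example": "9.1.0",
}


def audit(inventory):
    """Map each host to its status against the recommended versions."""
    return {host: check(v) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

        A result of "update" means the host is below the version McAfee
        recommends for its branch; "unknown" means the branch does not
        appear in the table.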


REFERENCES

        [1] McAfee Security Bulletin - Web Gateway updates fix five
            vulnerabilities
            https://kc.mcafee.com/corporate/index?page=content&id=SB10267

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================