===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0223
    McAfee Data Loss Prevention Endpoint fixes multiple vulnerabilities
                               25 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee Data Loss Prevention Endpoint
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-3622 CVE-2019-3621 CVE-2019-3595
                      CVE-2019-3591
Member content until: Saturday, August 24 2019

Comment: This bulletin contains two (2) McAfee security advisories.

OVERVIEW

        McAfee has published McAfee DLP Endpoint 11.3.0, which resolves
        multiple security vulnerabilities. [1] [2]

IMPACT

        McAfee has provided the following information on the
        vulnerabilities.

        "CVE-2019-3591 addresses an issue where it is possible for a
        malicious user to correctly trigger a DLP Endpoint Web Protection
        rule while browsing on a protected endpoint. These events will be
        logged in the ePO DLP Endpoint events database. The DLP Endpoint
        administrator will then be able to see the events and some of the
        content through the ePO extension reporting module. If the
        malicious user chose the remote website correctly and carefully
        composed the upload it was possible to trigger a Cross-Site
        Scripting vulnerability.

        CVE-2019-3595 addresses an issue where the DLP Endpoint ePO
        extension was not correctly sanitizing CSV exports, which would,
        with a carefully crafted configuration, incorrectly execute
        commands with the DLP Endpoint ePO administrator's local machine
        privileges. When choosing to open the CSV file in Excel the user
        will be prompted to run the configured file. If the administrator
        chose not to disable the Excel warning, or not to run the process,
        nothing would happen." [1]

        "CVE-2019-3621 addresses an issue where it was possible to bypass
        the Windows lock screen. With certain DLP Endpoint configuration
        options, and when one or more DLP Endpoint processes are killed
        immediately before the screen is locked or while the screen is
        locked, an attacker with physical access to the machine can bypass
        the lock screen by inserting a USB drive into the machine. This
        would result in a notification window being displayed above the
        lock screen, through which the attacker could gain access to the
        user's session.

        CVE-2019-3622 addresses an issue where the permissions on the DLP
        Endpoint log directory were incorrectly set, allowing privileged
        users to redirect the log files to arbitrary locations. The content
        of the redirected log files is unchanged." [2]

MITIGATION

        McAfee advises updating to McAfee DLP Endpoint 11.3.0 to address
        these vulnerabilities.

        "o For DLP Endpoint 11.2.x or earlier, update to 11.3.0.
           NOTE: DLP Endpoint 11.2.x is End of Life at the release of
           11.3.0.
         o For DLP Endpoint 11.1.x, upgrade to 11.3.0 or update to
           11.1.200." [1] [2]

REFERENCES

        [1] Data Loss Prevention Endpoint ePolicy Orchestrator extension
            update fixes two vulnerabilities (CVE-2019-3591 and
            CVE-2019-3595)
            https://kc.mcafee.com/corporate/index?page=content&id=SB10289

        [2] Data Loss Prevention Endpoint for Windows update fixes two
            vulnerabilities (CVE-2019-3621 and CVE-2019-3622)
            https://kc.mcafee.com/corporate/index?page=content&id=SB10290

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
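
The CSV-export sanitisation that the CVE-2019-3595 description says was missing, shown as an added Python example for teams that generate their own report exports. It is not McAfee's or AusCERT's code; the function names, the prefix list and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Assumption: leading characters a spreadsheet may treat as the start of a
# formula (a commonly used list; tab and carriage return included).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell on open."""
    return value.startswith(FORMULA_PREFIXES)


def neutralise(value) -> str:
    """Prefix risky text cells with an apostrophe so they load as text."""
    if isinstance(value, (int, float)):
        return str(value)  # genuine numbers cannot carry a formula
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_events(rows) -> str:
    """Write rows as CSV with every field quoted and neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise(cell) for cell in row])
    return buf.getvalue()


def audit_export(csv_text: str):
    """Return (row, column, value) for cells that are still formula-like."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: event rows whose text field came from untrusted input.
SAMPLE_ROWS = [
    ["event_id", "rule", "user_supplied_text"],
    [1, "Web Protection", "quarterly-report.docx"],
    [2, "Web Protection", "=HYPERLINK(A1)"],
    [3, "Web Protection", "@SUM(1,2)"],
    [4, "Web Protection", "-5"],
]

if __name__ == "__main__":
    print(export_events(SAMPLE_ROWS))
```

`audit_export` can also be run over CSV files produced by other tools to flag cells that would be evaluated when an administrator opens the file in a spreadsheet.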