===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0223
    McAfee Data Loss Prevention Endpoint fixes multiple vulnerabilities
                               25 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee Data Loss Prevention Endpoint
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Existing Account            
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-3622 CVE-2019-3621 CVE-2019-3595
                      CVE-2019-3591  
Member content until: Saturday, August 24 2019

Comment: This bulletin contains two (2) McAfee security advisories.

OVERVIEW

        McAfee has published McAfee DLP Endpoint 11.3.0, which resolves 
        multiple security vulnerabilities. [1] [2]


IMPACT

        McAfee has provided the following information on the 
        vulnerabilities.
        
        "CVE-2019-3591 addresses an issue where it is possible for a 
        malicious user to correctly trigger a DLP Endpoint Web Protection 
        rule while browsing on a protected endpoint. These events will be 
        logged in the ePO DLP Endpoint events database. The DLP Endpoint 
        administrator will then be able to see the events and some of the 
        content through the ePO extension reporting module. If the malicious
        user chose the remote website correctly and carefully composed the 
        upload it was possible to trigger a Cross-Site Scripting 
        vulnerability.
        
        CVE-2019-3595 addresses an issue where the DLP Endpoint ePO 
        extension was not correctly sanitizing CSV exports, which would, 
        with a carefully crafted configuration, incorrectly execute commands
        with the DLP Endpoint ePO administrator's local machine privileges.
        When choosing to open the CSV file in Excel the user will be 
        prompted to run the configured file. If the administrator chose not
        to disable the Excel warning, or not to run the process, nothing 
        would happen." [1]
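
        The class of flaw behind CVE-2019-3595 is unsanitized CSV export. The
        following is an added example, not McAfee's fix and not code from the
        advisory: it shows the common export-side mitigation of neutralizing
        cells that a spreadsheet would evaluate. The event fields, sample rows
        and function names are constructed for illustration.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

HEADER = ["time", "user", "file", "detail"]  # hypothetical event columns
SAMPLE_EVENTS = [  # constructed rows; formulas are benign stand-ins
    ["2019-07-25T10:02:11", "alice", "quarterly-report.docx", "Upload blocked"],
    ["2019-07-25T10:05:40", "mallory", "=1+1", "@SUM(1,1)"],
    ["2019-07-25T10:07:03", "bob", "-42", "  +A1"],
]


def neutralize_cell(value):
    """Return the cell as text a spreadsheet will display, not evaluate."""
    text = "" if value is None else str(value)
    if PLAIN_NUMBER.fullmatch(text):
        return text  # signed numbers such as -42 are data, keep them intact
    # Also check past leading whitespace in case the importer trims it.
    if text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(
        FORMULA_TRIGGERS[:4]
    ):
        return "'" + text  # cell no longer starts with a trigger character
    return text


def export_events(header, rows):
    """Serialize rows to CSV with every cell quoted and neutralized."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas, quotes and newlines inside one cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_events(HEADER, SAMPLE_EVENTS))
```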
        
        "CVE-2019-3621 addresses an issue where it was possible to bypass 
        the Windows lock screen. With certain DLP Endpoint configuration 
        options, and when one or more DLP Endpoint processes are killed 
        immediately before the screen is locked or while the screen is 
        locked, an attacker with physical access to the machine can bypass 
        the lock screen by inserting a USB drive into the machine. This 
        would result in a notification window being displayed above the lock
        screen, through which the attacker could gain access to the user's 
        session.
        
        CVE-2019-3622 addresses an issue where the permissions on the DLP 
        Endpoint log directory were incorrectly set, allowing privileged 
        users to redirect the log files to arbitrary locations. The content
        of the redirected log files is unchanged." [2]


MITIGATION

        McAfee advises updating to McAfee DLP Endpoint 11.3.0 to address these
        vulnerabilities.
        
        "o For DLP Endpoint 11.2.x or earlier, update to 11.3.0.
           NOTE: DLP Endpoint 11.2.x is End of Life at the release of 11.3.0.
         o For DLP Endpoint 11.1.x, upgrade to 11.3.0 or update to 11.1.200." 
        [1] [2]


REFERENCES

        [1] Data Loss Prevention Endpoint ePolicy Orchestrator extension update
            fixes two vulnerabilities (CVE-2019-3591 and CVE-2019-3595)
            https://kc.mcafee.com/corporate/index?page=content&id=SB10289

        [2] Data Loss Prevention Endpoint for Windows update fixes two
            vulnerabilities (CVE-2019-3621 and CVE-2019-3622)
            https://kc.mcafee.com/corporate/index?page=content&id=SB10290

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================