-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2007.0531 -- [Win]
                Multiple vulnerabilities in McAfee software
                               17 July 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee ePolicy Orchestrator 3.5
                      McAfee ePolicy Orchestrator 3.6
                      McAfee ePolicy Orchestrator 3.6.1
                      McAfee ProtectionPilot 1.1.1
                      McAfee ProtectionPilot 1.5
                      McAfee Common Management Agent (CMA) 3.6.0.453 and prior
Publisher:            McAfee
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Remote/Unauthenticated

Original Bulletin:
https://knowledge.mcafee.com/article/761/613364_f.SAL_Public.html
https://knowledge.mcafee.com/article/762/613365_f.SAL_Public.html
https://knowledge.mcafee.com/article/763/613366_f.SAL_Public.html
https://knowledge.mcafee.com/article/764/613367_f.SAL_Public.html

Comment: There are four McAfee Security Bulletins contained in this ESB, each
         for a separate vulnerability in various McAfee products.

- --------------------------BEGIN INCLUDED TEXT--------------------

McAfee Security Bulletin - Stack corruption of Common Management Agent (CMA)


Environment

McAfee ePolicy Orchestrator 3.5
McAfee ePolicy Orchestrator 3.6
McAfee ePolicy Orchestrator 3.6.1
McAfee ProtectionPilot 1.1.1
McAfee ProtectionPilot 1.5
McAfee Common Management Agent (CMA) 3.6.0.453 and earlier


Summary

1. Summary

Who should read this document: Technical and Security Personnel.
Impact of Vulnerability: Stack corruption of Common Management Agent (CMA)
Severity Rating: Critical
Overall CVSS Rating: 5.9
Recommendations:

Upgrade to McAfee Common Management Agent 3.6.0 Patch 1 (CMA3.6.0.546)

Security Bulletin Replacement: None
Caveats: Yes (see section 3 - Remediation)
Affected Software: Common Management Agent (CMA) 3.6.0.453 and earlier
Location of updated software: 
https://mysupport.mcafee.com/eservice_enu/start.swe


2. Description

A successful exploit of this security flaw would allow an attacker to 
corrupt the memory of a machine that is running the McAfee Common 
Management Agent. Corruption of this memory may lead to remote code 
execution. In order for this attack to work, the attacker would have to 
reverse engineer the product and generate a custom crafted network attack. 
This specially crafted packet is processed by CMA on UDP port, which should 
only be open if this feature is turned on. After successfully installing 
the patch, the issue will no longer exist.

This exploit is only seen in Managed mode installations (CMA deployed and 
managed by ePO or PrP) because the ports are open. Standalone (unmanaged) 
installations of CMA are NOT affected by this vulnerability because the 
ports are not open.

The new packages have been pushed to download servers and are available for
download as of June 19, 2007. This update removes the risk associated with
this security flaw.


3. Remediation

Overview:
Download the appropriate CMA patch binaries and update CMA.

CAVEAT:

IMPORTANT: McAfee strongly advises ProtectionPilot customers to review 
613335 before applying CMA 3.6.0 Patch 1 because of a known compatibility 
issue. This article contains a HotFix that must be applied immediately 
after installing CMA 3.6.0 Patch 1 to the PrP server to resolve this issue. 
Please see Installation steps for ProtectionPilot 1.1.1 & 1.5 under Section 
3 - Remediation below for detailed steps on applying CMA 3.6.0 Patch 1 and 
the HotFix.



Obtaining the Binaries:
https://mysupport.mcafee.com/eservice_enu/start.swe

Installation Requirements:
To use this release, you must have ePolicy Orchestrator 3.5, ePolicy 
Orchestrator 3.6, or ePolicy Orchestrator 3.6.1, ProtectionPilot 1.1.1, or 
ProtectionPilot 1.5 installed on the computer you intend to update with 
this release.

Installation steps:
1. Create a temporary folder on the hard drive of the ePolicy Orchestrator 
server.
2. Extract the CMA3601.ZIP file to the temporary folder that you created in 
Step 1.

Installation steps for ePolicy Orchestrator 3.5, 3.6, 3.6.1:

Checking the agent package into the Master Repository:

NOTE: You cannot check in packages while pull or replication tasks are 
executing.


1. Log on to the desired ePolicy Orchestrator server using a global 
administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
3. In the details pane under AutoUpdate Tasks, click Check in package. The 
Check in package wizard appears.
4. Click Next to open the package type dialog box.
5. Select Products or updates, then click Next. The catalog file dialog box 
appears.
6. Select the package catalog (PKGCATALOG.Z) file from the temporary folder 
you created in Step 1 of Installation Steps. You can type the path to this 
file, or click Browse to select it, and click Next. The summary dialog box 
appears.
7. Click Finish to check in the package.
8. Click Close after the package has been checked in.

The new agent package is automatically created.


Check in the new .NAP file:

1. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
2. In the details pane under AutoUpdate Tasks, click Check in NAP. The 
Software Repository Configuration wizard appears.
3. Click Next to Add new software to be managed.
4. Select the NAP (CMA360.nap) file from the temporary folder you created 
in Step 1 of Installation Steps.
5. Click Yes to overwrite existing NAP.
6. Click OK after the Software repository configuration has completed.


Replicating the agent package to Distributed Repositories:

NOTE: Since local distributed repositories can be accessed only from client 
computers, replication tasks do not copy packages from the master 
repository to local distributed repositories; you must manually update 
local distributed repositories with the desired packages.

1. Log on to the desired ePolicy Orchestrator server using a global 
administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
3. In the details pane under AutoUpdate Tasks, click Replicate now. The 
Replicate Now wizard appears.
4. Click Next to open the distributed repositories dialog box.
5. Click Select All to select all global and SuperAgent distributed 
repositories, then click Next. The replication type dialog box appears.
6. Select Incremental replication, then click Finish to run the task.
7. Click Close after the task has completed.


Deploying the agent to client computers:

Although there are numerous methods you can use to install the agent on 
computers that you want to manage via ePolicy Orchestrator, we recommend 
using the Deployment client task. For a list of other methods and 
instructions for each, see Agent deployment in the ePolicy Orchestrator 
Product Guide.

1. Log on to the desired ePolicy Orchestrator server.
2. In the console tree under ePolicy Orchestrator, <SERVER>, right-click 
Directory, <SITE>, <GROUP>, or <COMPUTER>. The Policies, Properties, and 
Tasks tabs appear in the details pane.
3. Click the Tasks tab.
4. Right-click the Deployment task, then select Edit Task. The ePolicy 
Orchestrator Scheduler dialog box appears.
5. On the Task tab, click Settings. The Task Settings dialog box appears.
6. Deselect Inherit.
7. Next to Agent 3.6, select Install in Action.
8. Next to those products that you do not want to deploy, select Ignore in 
Action.
9. To specify command-line options used when installing the agent, click 
the '...' button next to Agent 3.6.0. For instructions, see Agent 
installation command-line options in the ePolicy Orchestrator Product Guide.
10. If you want this task to also be enforced during the policy enforcement 
interval, select Run this task at every policy enforcement interval.
11. Schedule the task. For instructions, see Scheduling client tasks in the 
ePolicy Orchestrator Product Guide.
12. Click OK to save the current entries.


Monitoring agent deployment:

You can use the Agent Versions or the Compliance Issues reports to monitor 
the deployment of the agent. For instructions and information, see Running 
reports and Agent Versions report template or Compliance Issues report 
template in the ePolicy Orchestrator Product Guide.

The new agent version number is 3.6.0.546



Installation steps for ProtectionPilot 1.1.1 & 1.5:

See the CAVEAT entry listed at the top of the Remediation section.

CMA 3.6.0 Patch 1 Installation steps:

1. Log on to the ProtectionPilot 1.x.x server.
2. Click Server (servername) entry.
3. Click the Repository tab and select Check In Package.
4. Select Products and updates and click Next.
5. Click Browse to navigate to the folder where CMA 3.6.0 Patch 1 was
extracted to, double-click the PkgCatalog.z and click Next.
6. Click Finish to check in CMA 3.6.0 Patch 1 into the Repository.
7. Click OK to close the Check In Package Wizard.




IMPORTANT: After following the steps above, immediately apply the HotFix 
contained within the 349919.zip file which is located in 613335.
 
HotFix Installation steps:
The following steps must be performed directly on the PrP server. The 
HotFix should not be applied to any client computer.
1. Extract 349919.zip located in the Attachments section at the bottom of
613335, to a temporary location.
2. Restart the PrP server computer.
3. Click Start, Run, type services.msc and click OK.
4. Right-click on the McAfee ProtectionPilot 1.x.x Server service and select
Stop.

NOTE: If the ProtectionPilot Server service is already stopped, continue
to the next step.

5. Open the temporary location where 349919.zip was extracted to and
double-click 349919.exe.
6. Click Start, Run, type services.msc and click OK.
7. Right-click on the McAfee ProtectionPilot 1.x.x Server service and select
Start.

  
4. Work Around

There is a workaround for this security vulnerability in ePolicy
Orchestrator (ePO) if you do not install Common Management Agent (CMA)
3.6.0 patch 1. Deselect Enable Agent wakeup call support and enable the
option Accept connections only from IP addresses listed in the site list
in the CMA NAP.

Steps to implement workaround on ePO 3.6.x:

1. Log on to the ePO console. See KB42032 for information on logging on to
the ePO console.
2. Navigate to the Directory level.
3. Select ePO Agent 3.5.5 or ePO Agent 3.6.0 depending on which version of
the Common Management Agent is checked into the repository.
4. Under Configuration create a new named policy.
5. Deselect Enable Agent wakeup call support. A warning dialog box displays
when disabling agent wakeup call support. Select OK.
6. Select Accept connections only from IP addresses listed in the site list.
7. Click Apply All.

These policy settings will take effect at the next agent to server
communication interval.



5. Acknowledgements

IBM Internet Security Systems X-Force member Neel Mehta.


6. Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/support/default.asp


7. Frequently Asked Questions (FAQ) related to this security bulletin

Who is affected by this security vulnerability?
Common Management Agent 3.6.0.453 and earlier.
McAfee urges all customers to verify that they have received the latest 
updates.

Does this vulnerability affect McAfee enterprise products?
Yes, ePolicy Orchestrator's agent (CMA) is affected. The McAfee consumer 
products are not affected by this issue.

How do I know if my Common Management Agent is vulnerable or not?
1. Log on to ePO server reports as an admin.
2. Run the Agent Version report.
Check for the agent version that is used by ePO. The agent version should 
be 3.6.0.546 or above.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National 
Infrastructure Advisory Council's effort to standardize a system of 
assessing the criticality of a vulnerability. This system offers an 
un-biased criticality score which customers can use to judge how critical a 
vulnerability is and plan accordingly. For more information, please visit 
the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

BaseScore 8
Access Vector Remote
Access Complexity High
Authentication Not Required
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
Impact Bias Normal
Adjusted temporal Score 5.9
Exploitability Unproven
Remediation level Official Fix
Report Confidence Confirmed

What has McAfee done to resolve the issue?
McAfee believes in providing the most secure software to customers and has
provided a new release to address this security flaw.

Where do I download the fix from?
The fix can be downloaded from: 
https://mysupport.mcafee.com/eservice_enu/start.swe

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of its customers. In the event a
vulnerability is found within any of McAfee's software, a strong process is
in place to work closely with the relevant security research group to
ensure the rapid and effective development of a fix and communication plan.
McAfee is an active member of the Organization for Internet Safety (OIS)
which is dedicated to developing guidelines and best practices for the
reporting and fixing of software vulnerabilities.


8. Resources

To submit possible vulnerabilities on any McAfee product, send email to:
security@mcafee.com

For contact information, see:
http://www.mcafee.com/pubs/contacts.html

For copyright, trademark attributions, and license information, see:
http://www.mcafee.com/pubs/copyright.html

For patents protecting this product, see the product documentation.


9. Disclaimer

The information provided in this security bulletin is provided as is 
without warranty of any kind. McAfee disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall McAfee or its suppliers be 
liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if McAfee 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not 
apply.

============================================================================

McAfee Security Bulletin - Stack based buffer overflow of Common Management 
Agent (CMA)


Environment

McAfee ePolicy Orchestrator 3.5
McAfee ePolicy Orchestrator 3.6
McAfee ePolicy Orchestrator 3.6.1
McAfee ProtectionPilot 1.1.1
McAfee ProtectionPilot 1.5
McAfee Common Management Agent (CMA) 3.6.0.546


Summary

1. Summary

Who should read this document: Technical and Security Personnel.
Impact of Vulnerability: Stack based buffer overflow of Common Management 
Agent (CMA)
Severity Rating: Critical
Overall CVSS Rating: 5.9
Recommendations:

Upgrade to McAfee Common Management Agent 3.6.0 Patch 1 (CMA3.6.0.546)

Security Bulletin Replacement: None
Caveats: Yes (see Section 3 - Remediation)
Affected Software: Common Management Agent (CMA) 3.6.0.453 and earlier
Location of updated software: 
https://mysupport.mcafee.com/eservice_enu/start.swe


2. Description

A successful exploit of this security flaw could allow an attacker to crash
a CMA node that is configured to receive updates from a Super Agent and
possibly perform arbitrary code execution. For this attack to work, the ePO
installation must have Super Agents deployed and the agents must be
configured to receive updates from the Super Agent repository. When agents
are configured in this manner, they may be susceptible to a specially
crafted packet which could result in memory corruption and manipulation. An
attacker would have to reverse engineer the product in order to create this
attack, which is considered difficult. The patch enforces proper boundary
checks on the packet data and removes the risk associated with this flaw.

This exploit is only seen in Managed mode installations (CMA deployed and 
managed by ePO or PrP) because the ports are open. Standalone (unmanaged) 
installations of CMA are NOT affected by this vulnerability because the 
ports are not open.

The new packages have been pushed to download servers and are available for
download as of June 19, 2007. This update removes the risk associated with
this security flaw.


3. Remediation

Overview:
Download the appropriate CMA patch binaries and update CMA.

CAVEAT:

IMPORTANT: McAfee strongly advises ProtectionPilot customers to review 
613335 before applying CMA 3.6.0 Patch 1 because of a known compatibility 
issue. This article contains a HotFix that must be applied immediately 
after installing CMA 3.6.0 Patch 1 to the PrP server to resolve this issue. 
Please see Installation steps for ProtectionPilot 1.1.1 & 1.5 under Section 
3 - Remediation below for detailed steps on applying CMA 3.6.0 Patch 1 and 
the HotFix.


Obtaining the Binaries:
https://mysupport.mcafee.com/eservice_enu/start.swe

Installation Requirements:
To use this release, you must have ePolicy Orchestrator 3.5, ePolicy 
Orchestrator 3.6, or ePolicy Orchestrator 3.6.1, ProtectionPilot 1.1.1, or 
ProtectionPilot 1.5 installed on the computer you intend to update with 
this release.

Installation steps:
1. Create a temporary folder on the hard drive of the ePolicy Orchestrator 
server.
2. Extract the CMA3601.ZIP file to the temporary folder that you created in 
Step 1.

Installation steps for ePolicy Orchestrator 3.5, 3.6, 3.6.1:

Checking the agent package into the Master Repository:

NOTE: You cannot check in packages while pull or replication tasks are 
executing.

1. Log on to the desired ePolicy Orchestrator server using a global 
administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
3. In the details pane under AutoUpdate Tasks, click Check in package. The 
Check in package wizard appears.
4. Click Next to open the package type dialog box.
5. Select Products or updates, then click Next. The catalog file dialog box 
appears.
6. Select the package catalog (PKGCATALOG.Z) file from the temporary folder 
you created in Step 1 of Installation Steps. You can type the path to this 
file, or click Browse to select it, and click Next. The summary dialog box 
appears.
7. Click Finish to check in the package.
8. Click Close after the package has been checked in.

The new agent package is automatically created.


Check in the new .NAP file:

1. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
2. In the details pane under AutoUpdate Tasks, click Check in NAP. The 
Software Repository Configuration wizard appears.
3. Click Next to Add new software to be managed.
4. Select the NAP (CMA360.nap) file from the temporary folder you created 
in Step 1 of Installation Steps.
5. Click Yes to overwrite existing NAP.
6. Click OK after the Software repository configuration has completed.

Replicating the agent package to Distributed Repositories:

NOTE: Since local distributed repositories can be accessed only from client 
computers, replication tasks do not copy packages from the master 
repository to local distributed repositories; you must manually update 
local distributed repositories with the desired packages.

1. Log on to the desired ePolicy Orchestrator server using a global 
administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
3. In the details pane under AutoUpdate Tasks, click Replicate now. The 
Replicate Now wizard appears.
4. Click Next to open the distributed repositories dialog box.
5. Click Select All to select all global and SuperAgent distributed 
repositories, then click Next. The replication type dialog box appears.
6. Select Incremental replication, then click Finish to run the task.
7. Click Close after the task has completed.


Deploying the agent to client computers:

Although there are numerous methods you can use to install the agent on 
computers that you want to manage via ePolicy Orchestrator, we recommend 
using the Deployment client task. For a list of other methods and 
instructions for each, see Agent deployment in the ePolicy Orchestrator 
Product Guide.

1. Log on to the desired ePolicy Orchestrator server.
2. In the console tree under ePolicy Orchestrator, <SERVER>, right-click 
Directory, <SITE>, <GROUP>, or <COMPUTER>. The Policies, Properties, and 
Tasks tabs appear in the details pane.
3. Click the Tasks tab.
4. Right-click the Deployment task, then select Edit Task. The ePolicy 
Orchestrator Scheduler dialog box appears.
5. On the Task tab, click Settings. The Task Settings dialog box appears.
6. Deselect Inherit.
7. Next to Agent 3.6, select Install in Action.
8. Next to those products that you do not want to deploy, select Ignore in 
Action.
9. To specify command-line options used when installing the agent, click 
the '...' button next to Agent 3.6.0. For instructions, see Agent 
installation command-line options in the ePolicy Orchestrator Product Guide.
10. If you want this task to also be enforced during the policy enforcement 
interval, select Run this task at every policy enforcement interval.
11. Schedule the task. For instructions, see Scheduling client tasks in the 
ePolicy Orchestrator Product Guide.
12. Click OK to save the current entries.

Monitoring agent deployment:

You can use the Agent Versions or the Compliance Issues reports to monitor 
the deployment of the agent. For instructions and information, see Running 
reports and Agent Versions report template or Compliance Issues report 
template in the ePolicy Orchestrator Product Guide.

The new agent version number is 3.6.0.546

Installation steps for ProtectionPilot 1.1.1 & 1.5:

See the CAVEAT entry listed at the top of the Remediation section.

CMA 3.6.0 Patch 1 Installation steps:

1. Log on to the ProtectionPilot 1.x.x server.
2. Click Server (servername) entry.
3. Click the Repository tab and select Check In Package.
4. Select Products and updates and click Next.
5. Click Browse to navigate to the folder where CMA 3.6.0 Patch 1 was
extracted to, double-click the PkgCatalog.z and click Next.
6. Click Finish to check in CMA 3.6.0 Patch 1 into the Repository.
7. Click OK to close the Check In Package Wizard.




IMPORTANT: After following the steps above, immediately apply the HotFix 
contained within the 349919.zip file which is located in 613335.
 
HotFix Installation steps:
The following steps must be performed directly on the PrP server. The 
HotFix should not be applied to any client computer.

1. Extract 349919.zip located in the Attachments section at the bottom of
613335, to a temporary location.
2. Restart the PrP server computer.
3. Click Start, Run, type services.msc and click OK.
4. Right-click on the McAfee ProtectionPilot 1.x.x Server service and select
Stop.

NOTE: If the ProtectionPilot Server service is already stopped, continue
to the next step.

5. Open the temporary location where 349919.zip was extracted to and
double-click 349919.exe.
6. Click Start, Run, type services.msc and click OK.
7. Right-click on the McAfee ProtectionPilot 1.x.x Server service and select
Start.



4. Work Around

There is a workaround for this security vulnerability in ePolicy
Orchestrator (ePO) if you do not install Common Management Agent (CMA)
3.6.0 patch 1. Deselect Enable Agent wakeup call support and enable the
option Accept connections only from IP addresses listed in the site list
in the CMA NAP.

Steps to implement workaround on ePO 3.6.x:
1. Log on to the ePO console. See KB42032 for information on logging on to
the ePO console.
2. Navigate to the Directory level.
3. Select ePO Agent 3.5.5 or ePO Agent 3.6.0 depending on which version of
the Common Management Agent is checked into the repository.
4. Under Configuration create a new named policy.
5. Deselect Enable Agent wakeup call support. A warning dialog box displays
when disabling agent wakeup call support. Select OK.
6. Select Accept connections only from IP addresses listed in the site list.
7. Click Apply All.

These policy settings will take effect at the next agent to server
communication interval.


5. Acknowledgements

IBM Internet Security Systems X-Force member Neel Mehta.


6. Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/support/default.asp


7. Frequently Asked Questions (FAQ) related to this security bulletin

Who is affected by this security vulnerability?
Common Management Agent 3.6.0.453 and earlier.
McAfee urges all customers to verify that they have received the latest 
updates.

Does this vulnerability affect McAfee enterprise products?
Yes, ePolicy Orchestrator's agent (CMA) is affected. The McAfee consumer 
products are not affected by this issue.

How do I know if my Common Management Agent is vulnerable or not?
1. Log on to ePO server reports as an admin.
2. Run the "Agent Version" report.
Check for the agent version that is used by ePO. The agent version should 
be 3.6.0.546 or above.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National 
Infrastructure Advisory Council's effort to standardize a system of 
assessing the criticality of a vulnerability. This system offers an 
un-biased criticality score which customers can use to judge how critical a 
vulnerability is and plan accordingly. For more information, please visit 
the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

BaseScore 8.0
Access Vector Remote
Access Complexity High
Authentication Not Required
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
Impact Bias Normal
Adjusted Temporal score 5.9
Exploitability Unproven
Remediation Level Official Fix
Report Confidence Confirmed
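
The metric names in this list (and in the same FAQ of the preceding bulletin) are CVSS version 1 metrics. The following added example, which is not part of the McAfee bulletin, parses the list as printed and recomputes both scores from the CVSS v1 weights and equations; the function names and the embedded sample text are this example's own.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS version 1 metric weights, keyed by lower-cased metric name and value.
IMPACT = {"none": "0", "partial": "0.7", "complete": "1.0"}
WEIGHTS = {
    "access vector": {"local": "0.7", "remote": "1.0"},
    "access complexity": {"high": "0.8", "low": "1.0"},
    "authentication": {"required": "0.6", "not required": "1.0"},
    "confidentiality impact": IMPACT,
    "integrity impact": IMPACT,
    "availability impact": IMPACT,
    "exploitability": {"unproven": "0.85", "proof of concept": "0.90",
                       "functional": "0.95", "high": "1.00"},
    "remediation level": {"official fix": "0.87", "temporary fix": "0.90",
                          "workaround": "0.95", "unavailable": "1.00"},
    "report confidence": {"unconfirmed": "0.90", "uncorroborated": "0.95",
                          "confirmed": "1.00"},
}
# Impact bias -> weights applied to (confidentiality, integrity, availability).
IMPACT_BIAS = {
    "normal": ("0.333", "0.333", "0.333"),
    "confidentiality": ("0.5", "0.25", "0.25"),
    "integrity": ("0.25", "0.5", "0.25"),
    "availability": ("0.25", "0.25", "0.5"),
}
STATED = ("basescore", "adjusted temporal score")  # scores printed in the bulletin

# Sample input: the metric list as printed in the first bulletin's FAQ.
BULLETIN_METRICS = """\
BaseScore 8
Access Vector Remote
Access Complexity High
Authentication Not Required
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
Impact Bias Normal
Adjusted temporal Score 5.9
Exploitability Unproven
Remediation level Official Fix
Report Confidence Confirmed
"""


def parse_metrics(text):
    """Split each 'Metric name Value' line on the longest known metric name."""
    names = sorted([*WEIGHTS, "impact bias", *STATED], key=len, reverse=True)
    parsed = {}
    for line in text.splitlines():
        low = line.strip().lower()
        if not low:
            continue
        for name in names:
            if low.startswith(name):
                parsed[name] = low[len(name):].strip(" :")
                break
        else:
            raise ValueError(f"unrecognised metric line: {line!r}")
    return parsed


def weight(metrics, name):
    """Look up the numeric weight for one metric, rejecting unknown values."""
    value = metrics.get(name)
    found = WEIGHTS[name].get(value)
    if found is None:
        raise ValueError(f"{name!r}: missing or unknown value {value!r}")
    return Decimal(found)


def round1(x):
    """Round to one decimal place, as the CVSS v1 equations require."""
    return x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def base_score(m):
    bias = IMPACT_BIAS.get(m.get("impact bias"))
    if bias is None:
        raise ValueError("missing or unknown impact bias")
    kinds = ("confidentiality", "integrity", "availability")
    impact = sum(weight(m, f"{k} impact") * Decimal(b) for k, b in zip(kinds, bias))
    return round1(10 * weight(m, "access vector") * weight(m, "access complexity")
                  * weight(m, "authentication") * impact)


def temporal_score(m):
    # The temporal equation starts from the rounded base score.
    return round1(base_score(m) * weight(m, "exploitability")
                  * weight(m, "remediation level") * weight(m, "report confidence"))


def check_bulletin(text):
    """Recompute both scores and compare them with the values the text states."""
    m = parse_metrics(text)
    base, temporal = base_score(m), temporal_score(m)
    return {
        "base": base,
        "temporal": temporal,
        "base_matches": base == Decimal(m["basescore"]),
        "temporal_matches": temporal == Decimal(m["adjusted temporal score"]),
    }


if __name__ == "__main__":
    print(check_bulletin(BULLETIN_METRICS))
```

Setting Remediation level to Unavailable in the parsed metrics gives a temporal score of 6.8, which shows how much of the drop from the base score of 8.0 comes from an official fix being available.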

 
What has McAfee done to resolve the issue?
McAfee believes in providing the most secure software to customers and has
provided a new release to address this security flaw.

Where do I download the fix from?
The fix can be downloaded from: 
https://mysupport.mcafee.com/eservice_enu/start.swe

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of its customers. In the event a
vulnerability is found within any of McAfee's software, a strong process is
in place to work closely with the relevant security research group to
ensure the rapid and effective development of a fix and communication plan.
McAfee is an active member of the Organization for Internet Safety (OIS)
which is dedicated to developing guidelines and best practices for the
reporting and fixing of software vulnerabilities.


 
8. Resources

To submit possible vulnerabilities on any McAfee product, send email to:
security@mcafee.com

For contact information, see:
http://www.mcafee.com/pubs/contacts.html

For copyright, trademark attributions, and license information, see:
http://www.mcafee.com/pubs/copyright.html

For patents protecting this product, see the product documentation.


9. Disclaimer

The information provided in this security bulletin is provided as is 
without warranty of any kind. McAfee disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall McAfee or its suppliers be 
liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if McAfee 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not 
apply.

============================================================

McAfee Security Bulletin - Heap based buffer overflow of Common Management 
Agent (CMA)


Environment

McAfee ePolicy Orchestrator 3.5
McAfee ePolicy Orchestrator 3.6
McAfee ePolicy Orchestrator 3.6.1
McAfee ProtectionPilot 1.1.1
McAfee ProtectionPilot 1.5
McAfee Common Management Agent (CMA) 3.6.0.438 to 3.6.0.453


Summary

1. Summary

Who should read this document: Technical and Security Personnel.
Impact of Vulnerability: Heap based buffer overflow of Common Management 
Agent (CMA)
Severity Rating: Critical
Overall CVSS Rating: 5.9
Recommendations:

Upgrade to McAfee Common Management Agent 3.6.0 Patch 1 (CMA3.6.0.546)

Security Bulletin Replacement: None
Caveats: Yes (see Section 3 - Remediation)
Affected Software: Common Management Agent (CMA) 3.5.5.438 to 3.6.0.453
Location of updated software: 
https://mysupport.mcafee.com/eservice_enu/start.swe


2. Description

A successful exploit of this security flaw would allow an attacker to crash 
a CMA node or possibly perform arbitrary command execution. In order for 
this attack to occur, the attacker would have to reverse engineer the 
product, produce a specially crafted installation package, and reverse 
engineer the protocols. This would require several manipulations of the 
local network in order to be successful. After successfully installing the 
patch, the issue will no longer exist.

This exploit is only seen in Managed mode installations (CMA deployed and 
managed by ePO or PrP) because the ports are open. Standalone (unmanaged) 
installations of CMA are NOT affected by this vulnerability because the 
ports are not open.

The new packages have been pushed to download servers and are available for
download as of June 19, 2007. This update removes the risk associated with
this security flaw.


3. Remediation

Overview:
Download the appropriate CMA patch binaries and update CMA.

CAVEAT:

IMPORTANT: McAfee strongly advises ProtectionPilot customers to review 
613335 before applying CMA 3.6.0 Patch 1 because of a known compatibility 
issue. This article contains a HotFix that must be applied immediately 
after installing CMA 3.6.0 Patch 1 to the PrP server to resolve this issue. 
Please see Installation steps for ProtectionPilot 1.1.1 & 1.5 under Section 
3 - Remediation below for detailed steps on applying CMA 3.6.0 Patch 1 and 
the HotFix.


Obtaining the Binaries:
https://mysupport.mcafee.com/eservice_enu/start.swe

Installation Requirements:
To use this release, you must have ePolicy Orchestrator 3.5, ePolicy 
Orchestrator 3.6, or ePolicy Orchestrator 3.6.1, ProtectionPilot 1.1.1, or 
ProtectionPilot 1.5 installed on the computer you intend to update with 
this release.

Installation steps:

1. Create a temporary folder on the hard drive of the ePolicy Orchestrator 
server.
2. Extract the CMA3601.ZIP file to the temporary folder that you created in 
Step 1.

Installation steps for ePolicy Orchestrator 3.5, 3.6, 3.6.1:

Checking the agent package into the Master Repository:

NOTE: You cannot check in packages while pull or replication tasks are 
executing.

1. Log on to the desired ePolicy Orchestrator server using a global 
administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
3. In the details pane under AutoUpdate Tasks, click Check in package. The 
Check in package wizard appears.
4. Click Next to open the package type dialog box.
5. Select Products or updates, then click Next. The catalog file dialog box 
appears.
6. Select the package catalog (PKGCATALOG.Z) file from the temporary folder 
you created in Step 1 of Installation Steps. You can type the path to this 
file, or click Browse to select it, and click Next. The summary dialog box 
appears.
7. Click Finish to check in the package.
8. Click Close after the package has been checked in.

The new agent package is automatically created.


Check in the new .NAP file:

1. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
2. In the details pane under AutoUpdate Tasks, click Check in NAP. The 
Software Repository Configuration wizard appears.
3. Click Next to Add new software to be managed.
4. Select the NAP (CMA360.nap) file from the temporary folder you created 
in Step 1 of Installation Steps.
5. Click Yes to overwrite existing NAP.
6. Click OK after the Software repository configuration has completed.


Replicating the agent package to Distributed Repositories:

NOTE: Since local distributed repositories can be accessed only from client 
computers, replication tasks do not copy packages from the master 
repository to local distributed repositories; you must manually update 
local distributed repositories with the desired packages.

1. Log on to the desired ePolicy Orchestrator server using a global 
administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
3. In the details pane under AutoUpdate Tasks, click Replicate now. The 
Replicate Now wizard appears.
4. Click Next to open the distributed repositories dialog box.
5. Click Select All to select all global and SuperAgent distributed 
repositories, then click Next. The replication type dialog box appears.
6. Select Incremental replication, then click Finish to run the task.
7. Click Close after the task has completed.


Deploying the agent to client computers:

Although there are numerous methods you can use to install the agent on 
computers that you want to manage via ePolicy Orchestrator, we recommend 
using the Deployment client task. For a list of other methods and 
instructions for each, see Agent deployment in the ePolicy Orchestrator 
Product Guide.

1. Log on to the desired ePolicy Orchestrator server.
2. In the console tree under ePolicy Orchestrator, <SERVER>, right-click 
Directory, <SITE>, <GROUP>, or <COMPUTER>. The Policies, Properties, and 
Tasks tabs appear in the details pane.
3. Click the Tasks tab.
4. Right-click the Deployment task, then select Edit Task. The ePolicy 
Orchestrator Scheduler dialog box appears.
5. On the Task tab, click Settings. The Task Settings dialog box appears.
6. Deselect Inherit.
7. Next to Agent 3.6, select Install in Action.
8. Next to those products that you do not want to deploy, select Ignore in 
Action.
9. To specify command-line options used when installing the agent, click 
the '...' button next to Agent 3.6.0. For instructions, see Agent 
installation command-line options in the ePolicy Orchestrator Product Guide.
10. If you want this task to also be enforced during the policy enforcement 
interval, select Run this task at every policy enforcement interval.
11. Schedule the task. For instructions, see Scheduling client tasks in the 
ePolicy Orchestrator Product Guide.
12. Click OK to save the current entries.


Monitoring agent deployment:

You can use the Agent Versions or the Compliance Issues reports to monitor 
the deployment of the agent. For instructions and information, see Running 
reports and Agent Versions report template or Compliance Issues report 
template in the ePolicy Orchestrator Product Guide.

The new agent version number is 3.6.0.546

Installation steps for ProtectionPilot 1.1.1 & 1.5:

See the CAVEAT entry listed at the top of the Remediation section.

CMA 3.6.0 Patch 1 Installation steps:

1. Log on to the ProtectionPilot 1.x.x server.
2. Click Server (servername) entry.
3. Click the Repository tab and select Check In Package.
4. Select Products and updates and click Next.
5. Click Browse to navigate to the folder where CMA 3.6.0 Patch 1 was 
extracted to, double-click the PkgCatalog.z and click Next.
6. Click Finish to check in CMA 3.6.0 Patch 1 into the Repository.
7. Click OK to close the Check In Package Wizard.



IMPORTANT: After following the steps above, immediately apply the HotFix 
contained within the 349919.zip file which is located in 613335.
 
HotFix Installation steps:
The following steps must be performed directly on the PrP server. The 
HotFix should not be applied to any client computer.

1. Extract 349919.zip located in the Attachments section at the bottom of 
613335, to a temporary location.
2. Restart the PrP server computer.
3. Click Start, Run, type services.msc and click OK.
4. Right-click on the McAfee ProtectionPilot 1.x.x Server service and select 
Stop.

NOTE: If the ProtectionPilot Server service is already stopped, continue 
to the next step.

5. Open the temporary location where 349919.zip was extracted to and 
double-click 349919.exe.
6. Click Start, Run, type services.msc and click OK.
7. Right-click on the McAfee ProtectionPilot 1.x.x Server service and select 
Start.



4.
Work Around

There is a workaround for this security vulnerability in ePolicy 
Orchestrator (ePO) if you do not install Common Management Agent (CMA) 
3.6.0 patch 1. Deselect the Enable Agent wakeup call support and enable the 
option to Accept connections only from IP addresses listed in the site list 
in the CMA NAP.

Steps to implement workaround on ePO 3.6.x:
1. Log on to the ePO console. See KB42032 for information on logging on to 
the ePO console.
2. Navigate to the Directory level.
3. Select ePO Agent 3.5.5 or ePO Agent 3.6.0 depending on which version of 
the Common Management Agent is checked into the repository.
4. Under Configuration create a new named policy.
5. Deselect Enable Agent wakeup call support. A warning dialog box displays 
when disabling agent wakeup call support. Select OK.
6. Select Accept connections only from IP addresses listed in the site list.
7. Click Apply All.

These policy settings will take effect at the next agent to server 
communication interval.



5.
Acknowledgements

IBM Internet Security Systems X-Force member Neel Mehta.


6.
Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/support/default.asp


7.
Frequently Asked Questions (FAQ) related to this security bulletin

Who is affected by this security vulnerability?
Common Management Agent 3.5.5.438 through 3.6.0.453.
McAfee urges all customers to verify that they have received the latest 
updates.

Does this vulnerability affect McAfee enterprise products?
Yes, ePolicy Orchestrator's agent (CMA) is affected. The McAfee consumer 
products are not affected by this issue.

How do I know if my Common Management Agent is vulnerable or not?
1. Log in to ePO server reports as an admin.
2. Run the "Agent Version" report.
Check for the agent version that is used by ePO. The agent version should 
be 3.6.0.546 or above.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National 
Infrastructure Advisory Council's effort to standardize a system of 
assessing the criticality of a vulnerability. This system offers an 
un-biased criticality score which customers can use to judge how critical a 
vulnerability is and plan accordingly. For more information, please visit 
the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

BaseScore:                8
Access Vector:            Remote
Access Complexity:        High
Authentication:           Not Required
Confidentiality Impact:   Complete
Integrity Impact:         Complete
Availability Impact:      Complete
Impact Bias:              Normal
Adjusted Temporal Score:  5.9
Exploitability:           Unproven
Remediation Level:        Official Fix
Report Confidence:        Confirmed


What has McAfee done to resolve the issue?
McAfee believes in providing the most secure software to customers and has 
provided a new release to address this security flaw.

Where do I download the fix from?
The fix can be downloaded from: 
https://mysupport.mcafee.com/eservice_enu/start.swe

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of its customers. In the event a 
vulnerability is found within any of McAfee's software, a strong process is 
in place to work closely with the relevant security research group to ensure 
the rapid and effective development of a fix and communication plan. McAfee 
is an active member of the Organization for Internet Safety (OIS) which is 
dedicated to developing guidelines and best practices for the reporting and 
fixing of software vulnerabilities.


8.
Resources

To submit possible vulnerabilities on any McAfee product, send email to:
security@mcafee.com

For contact information, see:
http://www.mcafee.com/pubs/contacts.html

For copyright, trademark attributions, and license information, see:
http://www.mcafee.com/pubs/copyright.html

For patents protecting this product, see the product documentation.


9.
Disclaimer

The information provided in this security bulletin is provided as is 
without warranty of any kind. McAfee disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall McAfee or its suppliers be 
liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if McAfee 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not 
apply.

=================================================================

McAfee Security Bulletin - Crash of Framework service of McAfee Common 
Management Agent (CMA)


Environment

McAfee ePolicy Orchestrator 3.5
McAfee ePolicy Orchestrator 3.6
McAfee ePolicy Orchestrator 3.6.1
McAfee ProtectionPilot 1.1.1
McAfee ProtectionPilot 1.5
McAfee Common Management Agent (CMA) 3.5.5.438


Summary

1.
Summary

Who should read this document: Technical and Security Personnel.
Impact of Vulnerability: Crash of Framework service of McAfee Common 
Management Agent (CMA)
Severity Rating: Low
Overall CVSS Rating: 2
Recommendations:

Upgrade CMA 3.5.5 to CMA 3.5.5 Patch 2 (CMA3.5.5.580)

Security Bulletin Replacement: None.
Caveats: None.
Affected Software: Common Management Agent (CMA) 3.5.5.438.
Location of updated software: 
https://mysupport.mcafee.com/eservice_enu/start.swe


2.
Description

A successful exploit of this security flaw would allow an attacker to crash 
the Framework service of CMA. In order for this attack to work, the 
attacker would have to reverse engineer the product to create a specially 
crafted installation package. A remote attack would have the increased 
complexity as it would require manipulations of the local network in order 
to be successful. After successfully installing the patch, the issue will 
no longer exist.

This exploit is only seen in Managed mode installations (CMA deployed and 
managed by ePO or PrP) because the ports are open. Standalone (unmanaged) 
installations of CMA are NOT affected by this vulnerability because the 
ports are not open.

The new package has been published on the McAfee download servers and has 
been available for download since December 2006. This update removes the 
exploit described above.


3.
Remediation

Overview:
Download the appropriate CMA patch binaries and update CMA.

Obtaining the Binaries:
https://mysupport.mcafee.com/eservice_enu/start.swe

Installation Requirements:
To use this release, you must have ePolicy Orchestrator 3.5, ePolicy 
Orchestrator 3.6, or ePolicy Orchestrator 3.6.1, ProtectionPilot 1.1.1, or 
ProtectionPilot 1.5 installed on the computer you intend to update with 
this release.

Installation steps:

1. Create a temporary folder on the hard drive of the ePolicy Orchestrator 
server.
2. Extract the CMA3551.ZIP file to the temporary folder that you created in 
Step 1.

Installation steps for ePolicy Orchestrator 3.5, 3.6, 3.6.1:

Checking the Agent Package into the Master Repository:

NOTE: You cannot check in packages while pull or replication tasks are 
executing.

1. Log on to the desired ePolicy Orchestrator server using a global 
administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
3. In the details pane under AutoUpdate Tasks, click Check in package. The 
Check in package wizard appears.
4. Click Next to open the package type dialog box.
5. Select Products or updates, then click Next. The catalog file dialog box 
appears.
6. Select the package catalog (PKGCATALOG.Z) file from the temporary folder 
you created in Step 1 of Installation Steps. You can type the path to this 
file, or click Browse to select it, and click Next. The summary dialog box 
appears.
7. Click Finish to check in the package.
8. Click Close after the package has been checked in.

The new agent package is automatically created.


Check in the new .NAP file:

1. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
2. In the details pane under AutoUpdate Tasks, click Check in NAP. The 
Software Repository Configuration wizard appears.
3. Click Next to Add new software to be managed.
4. Select the NAP (CMA355.nap) file from the temporary folder you created 
in Step 1 of Installation Steps.
5. Click Yes to overwrite existing NAP.
6. Click OK after the Software repository configuration has completed.


Replicating the Agent Package To Distributed Repositories:

NOTE: Since local distributed repositories can be accessed only from client 
computers, replication tasks do not copy packages from the master 
repository to local distributed repositories; you must manually update 
local distributed repositories with the desired packages.

1. Log on to the desired ePolicy Orchestrator server using a global 
administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select 
Repository.
3. In the details pane under AutoUpdate Tasks, click Replicate now. The 
Replicate Now wizard appears.
4. Click Next to open the distributed repositories dialog box.
5. Click Select All to select all global and SuperAgent distributed 
repositories, then click Next. The replication type dialog box appears.
6. Select Incremental replication, then click Finish to run the task.
7. Click Close after the task has completed.


Deploying the agent to client computers:

Although there are numerous methods you can use to install the agent on 
computers that you want to manage via ePolicy Orchestrator, we recommend 
using the Deployment client task. For a list of other methods and 
instructions for each, see Agent deployment in the ePolicy Orchestrator 
Product Guide.

1. Log on to the desired ePolicy Orchestrator server.
2. In the console tree under ePolicy Orchestrator, <SERVER>, right-click 
Directory, <SITE>, <GROUP>, or <COMPUTER>. The Policies, Properties, and 
Tasks tabs appear in the details pane.
3. Click the Tasks tab.
4. Right-click the Deployment task, then select Edit Task. The ePolicy 
Orchestrator Scheduler dialog box appears.
5. On the Task tab, click Settings. The Task Settings dialog box appears.
6. Deselect Inherit.
7. Next to Agent 3.6, select Install in Action.
8. Next to those products that you do not want to deploy, select Ignore in 
Action.
9. To specify command-line options used when installing the agent, click 
the '...' button next to Agent 3.6.0. For instructions, see Agent 
installation command-line options in the ePolicy Orchestrator Product Guide.
10. If you want this task to also be enforced during the policy enforcement 
interval, select Run this task at every policy enforcement interval.
11. Schedule the task. For instructions, see Scheduling client tasks in the 
ePolicy Orchestrator Product Guide.
12. Click OK to save the current entries.

Monitoring Agent Deployment:

You can use the Agent Versions or the Compliance Issues reports to monitor 
the deployment of the agent. For instructions and information, see "Running 
reports" and "Agent Versions report template" or "Compliance Issues report 
template" in the ePolicy Orchestrator Product Guide.

The new agent version number is 3.5.5.580


Installation steps for ProtectionPilot 1.1.1 & 1.5:

IMPORTANT: These steps are only applicable to checking CMA 3.5.5 Patch 2 
(3.5.5.580) into PrP. McAfee recommends customers bypass this deployment by 
upgrading to CMA 3.6.0 Patch 1. ProtectionPilot customers must immediately 
apply the HotFix on the PrP server as detailed in KnowledgeBase article 
613335 after completing the upgrade to CMA 3.6.0 Patch 1. 

1. In ProtectionPilot from the Server section, click the Repository tab. 
The Manage AutoUpdate Repositories page appears.
2. Click Check In Package under Management Tasks.
3. Select Products and updates, then click Next.
4. Click Browse to locate the file you downloaded, and select the package 
(PKGCATALOG.Z) file for the product.
5. Click Finish, then OK. Stop and restart the ProtectionPilot server 
service.

The agent upgrade begins immediately.


4.
Work Around

There is a workaround for this security vulnerability in ePolicy 
Orchestrator (ePO) if you do not install Common Management Agent (CMA) 
3.6.0 patch 1. Deselect the Enable Agent wakeup call support and enable the 
option to Accept connections only from IP addresses listed in the site list 
in the CMA NAP.

Steps to implement workaround on ePO 3.6.x:
1. Log on to the ePO console. See KB42032 for information on logging on to 
the ePO console.
2. Navigate to the Directory level.
3. Select ePO Agent 3.5.5 or ePO Agent 3.6.0 depending on which version of 
the Common Management Agent is checked into the repository.
4. Under Configuration create a new named policy.
5. Deselect Enable Agent wakeup call support. A warning dialog box displays 
when disabling agent wakeup call support. Select OK.
6. Select Accept connections only from IP addresses listed in the site list.
7. Click Apply All.

These policy settings will take effect at the next agent to server 
communication interval.


6.
Acknowledgements

IBM Internet Security Systems X-Force member Neel Mehta.


7.
Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/support/default.asp


8.
Frequently Asked Questions (FAQ) related to this security bulletin

Who is affected by this security vulnerability?
Common Management Agent 3.5.5.438.
McAfee urges all customers to verify that they have received the latest 
updates.

Does this vulnerability affect McAfee enterprise products?
Yes, ePolicy Orchestrator's agent (CMA) is affected. The McAfee consumer 
products are not affected by this issue.

How do I know if my Common Management Agent is vulnerable or not?
1. Log in to ePO server reports as an admin.
2. Run the "Agent Version" report.
Check for the agent version that is used by ePO. The agent version should 
be 3.5.5.580 or above.
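
The "should be 3.5.5.580 or above" check here and the "3.6.0.546 or above" 
check in the preceding bulletin's FAQ are comparisons of four-part build 
numbers, which plain string comparison gets wrong. The script below is an 
added example, not McAfee code; the CSV layout, column names, host names and 
the 3.6.0.1002 build are constructed for illustration.

```python
import csv
import io

# Fixed builds quoted in the two bulletins' FAQ answers.
FIXED_BUILDS = {
    "3.6.0.546": (3, 6, 0, 546),
    "3.5.5.580": (3, 5, 5, 580),  # CMA 3.5.5 Patch 2
}

# Constructed sample export; the column names are assumptions, not the
# layout of a real ePolicy Orchestrator report.
SAMPLE_REPORT = """\
ComputerName,AgentVersion
WS-001,3.5.5.438
WS-002,3.5.5.580
WS-003,3.6.0.453
WS-004,3.6.0.546
WS-005,3.6.0.1002
WS-006,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if it is not one."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def builds_still_needed(version):
    """List the fixed builds that `version` is below, lowest build first."""
    return sorted(
        (name for name, fixed in FIXED_BUILDS.items() if version < fixed),
        key=lambda name: FIXED_BUILDS[name],
    )


def triage(report_text, host_col="ComputerName", version_col="AgentVersion"):
    """Map each host to the fixed builds it is below; None means the
    version could not be parsed and the host needs a manual look."""
    result = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        version = parse_version(row.get(version_col) or "")
        result[row[host_col]] = (
            None if version is None else builds_still_needed(version)
        )
    return result


if __name__ == "__main__":
    for host, needed in triage(SAMPLE_REPORT).items():
        if needed is None:
            print(f"{host}: version unreadable, check by hand")
        elif needed:
            print(f"{host}: below {', '.join(needed)}")
        else:
            print(f"{host}: at or above both fixed builds")
```

An agent at 3.5.5.580 passes this bulletin's check but is still below 
3.6.0.546, so it is reported against the other bulletin.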

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National 
Infrastructure Advisory Council's effort to standardize a system of 
assessing the criticality of a vulnerability. This system offers an 
un-biased criticality score which customers can use to judge how critical a 
vulnerability is and plan accordingly. For more information, please visit 
the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

BaseScore:                2.7
Access Vector:            Remote
Access Complexity:        High
Authentication:           Not Required
Confidentiality Impact:   None
Integrity Impact:         None
Availability Impact:      Complete
Impact Bias:              Normal
Adjusted Temporal Score:  2
Exploitability:           Unproven
Remediation Level:        Official Fix
Report Confidence:        Confirmed
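
The metric lists in this bulletin and the preceding one use CVSS version 1 
labels (Impact Bias, Authentication Not Required), so the published scores 
can be recomputed from the version 1 equations. This is an added example, not 
McAfee's calculation; the dictionary and function names are assumptions, and 
half-up rounding to one decimal is the rounding assumed here.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS version 1 weights, keyed by the labels the bulletins use.
ACCESS_VECTOR = {"Local": "0.7", "Remote": "1.0"}
ACCESS_COMPLEXITY = {"High": "0.8", "Low": "1.0"}
AUTHENTICATION = {"Required": "0.6", "Not Required": "1.0"}
IMPACT = {"None": "0", "Partial": "0.7", "Complete": "1.0"}
# Impact Bias -> weights for (confidentiality, integrity, availability).
IMPACT_BIAS = {
    "Normal": ("0.333", "0.333", "0.333"),
    "Confidentiality": ("0.5", "0.25", "0.25"),
    "Integrity": ("0.25", "0.5", "0.25"),
    "Availability": ("0.25", "0.25", "0.5"),
}
EXPLOITABILITY = {"Unproven": "0.85", "Proof of Concept": "0.90",
                  "Functional": "0.95", "High": "1.00"}
REMEDIATION_LEVEL = {"Official Fix": "0.87", "Temporary Fix": "0.90",
                     "Workaround": "0.95", "Unavailable": "1.00"}
REPORT_CONFIDENCE = {"Unconfirmed": "0.90", "Uncorroborated": "0.95",
                     "Confirmed": "1.00"}


def _weight(table, label):
    """Look up one metric value, rejecting labels CVSS v1 does not define."""
    try:
        return Decimal(table[label])
    except KeyError:
        raise ValueError(f"unknown CVSS v1 value: {label!r}") from None


def _round1(value):
    # Assumption: round half up to one decimal place.
    return value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def base_score(m):
    """Base = 10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias)."""
    if m["Impact Bias"] not in IMPACT_BIAS:
        raise ValueError(f"unknown CVSS v1 value: {m['Impact Bias']!r}")
    c_bias, i_bias, a_bias = (Decimal(w) for w in IMPACT_BIAS[m["Impact Bias"]])
    impact = (_weight(IMPACT, m["Confidentiality Impact"]) * c_bias
              + _weight(IMPACT, m["Integrity Impact"]) * i_bias
              + _weight(IMPACT, m["Availability Impact"]) * a_bias)
    return _round1(10 * _weight(ACCESS_VECTOR, m["Access Vector"])
                   * _weight(ACCESS_COMPLEXITY, m["Access Complexity"])
                   * _weight(AUTHENTICATION, m["Authentication"]) * impact)


def temporal_score(m):
    """Temporal = Base * Exploitability * RemediationLevel * ReportConfidence."""
    return _round1(base_score(m)
                   * _weight(EXPLOITABILITY, m["Exploitability"])
                   * _weight(REMEDIATION_LEVEL, m["Remediation Level"])
                   * _weight(REPORT_CONFIDENCE, m["Report Confidence"]))


# Metric values as listed in the preceding bulletin (BaseScore 8).
METRICS_SCORE_8 = {
    "Access Vector": "Remote", "Access Complexity": "High",
    "Authentication": "Not Required", "Confidentiality Impact": "Complete",
    "Integrity Impact": "Complete", "Availability Impact": "Complete",
    "Impact Bias": "Normal", "Exploitability": "Unproven",
    "Remediation Level": "Official Fix", "Report Confidence": "Confirmed",
}
# Metric values as listed in this bulletin (Framework service crash).
METRICS_FRAMEWORK_CRASH = dict(
    METRICS_SCORE_8,
    **{"Confidentiality Impact": "None", "Integrity Impact": "None"},
)

if __name__ == "__main__":
    for name, m in (("score 8 bulletin", METRICS_SCORE_8),
                    ("Framework crash", METRICS_FRAMEWORK_CRASH)):
        print(name, "base", base_score(m), "temporal", temporal_score(m))
```

The only difference between the two lists is the confidentiality and 
integrity impact, which accounts for the whole gap between the two base scores.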


What has McAfee done to resolve the issue?
McAfee believes in providing the most secure software to customers and has 
provided a new release to address this security flaw.

Where do I download the fix from?
The fix can be downloaded from: 
https://mysupport.mcafee.com/eservice_enu/start.swe

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of its customers. In the event a 
vulnerability is found within any of McAfee's software, a strong process is 
in place to work closely with the relevant security research group to ensure 
the rapid and effective development of a fix and communication plan. McAfee 
is an active member of the Organization for Internet Safety (OIS) which is 
dedicated to developing guidelines and best practices for the reporting and 
fixing of software vulnerabilities.


9.
Resources

To submit possible vulnerabilities on any McAfee product, send email to:
security@mcafee.com

For contact information, see:
http://www.mcafee.com/pubs/contacts.html

For copyright, trademark attributions, and license information, see:
http://www.mcafee.com/pubs/copyright.html

For patents protecting this product, see the product documentation.


10.
Disclaimer

The information provided in this security bulletin is provided as is 
without warranty of any kind. McAfee disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall McAfee or its suppliers be 
liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if McAfee 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not 
apply.



- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----