-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2007.0531
               [Win] Multiple vulnerabilities in McAfee software
                                17 July 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            McAfee ePolicy Orchestrator 3.5
                    McAfee ePolicy Orchestrator 3.6
                    McAfee ePolicy Orchestrator 3.6.1
                    McAfee ProtectionPilot 1.1.1
                    McAfee ProtectionPilot 1.5
                    McAfee Common Management Agent (CMA) 3.6.0.453 and prior
Publisher:          McAfee
Operating System:   Windows
Impact:             Execute Arbitrary Code/Commands
                    Denial of Service
Access:             Remote/Unauthenticated

Original Bulletin:
  https://knowledge.mcafee.com/article/761/613364_f.SAL_Public.html
  https://knowledge.mcafee.com/article/762/613365_f.SAL_Public.html
  https://knowledge.mcafee.com/article/763/613366_f.SAL_Public.html
  https://knowledge.mcafee.com/article/764/613367_f.SAL_Public.html

Comment: There are four McAfee Security Bulletins contained in this ESB,
         each for a separate vulnerability in various McAfee products.

- --------------------------BEGIN INCLUDED TEXT--------------------

McAfee Security Bulletin - Stack corruption of Common Management Agent (CMA)

Environment

McAfee ePolicy Orchestrator 3.5
McAfee ePolicy Orchestrator 3.6
McAfee ePolicy Orchestrator 3.6.1
McAfee ProtectionPilot 1.1.1
McAfee ProtectionPilot 1.5
McAfee Common Management Agent (CMA) 3.6.0.453 and earlier

1. Summary

Who should read this document:  Technical and Security Personnel.
Impact of Vulnerability:        Stack corruption of Common Management Agent (CMA)
Severity Rating:                Critical
Overall CVSS Rating:            5.9
Recommendations:                Upgrade to McAfee Common Management Agent 3.6.0
                                Patch 1 (CMA 3.6.0.546)
Security Bulletin Replacement:  None
Caveats:                        Yes (see Section 3 - Remediation)
Affected Software:              Common Management Agent (CMA) 3.6.0.453 and earlier
Location of updated software:   https://mysupport.mcafee.com/eservice_enu/start.swe

2. Description

A successful exploit of this security flaw would allow an attacker to corrupt
the memory of a machine that is running the McAfee Common Management Agent.
Corruption of this memory may lead to remote code execution. In order for
this attack to work, the attacker would have to reverse engineer the product
and generate a custom crafted network attack. The specially crafted packet is
processed by CMA on a UDP port, which should only be open if the
corresponding feature is turned on (the workaround in Section 4 disables
agent wake-up call support for this reason).

After the patch has been installed successfully, the issue no longer exists.
This issue only affects Managed mode installations (CMA deployed and managed
by ePO or PrP), because that is when the ports are open. Standalone
(unmanaged) installations of CMA are NOT affected by this vulnerability
because the ports are not open.

The new packages have been pushed to the download servers and have been
available for download since June 19, 2007. This update removes the risk
associated with this security flaw.

3. Remediation

Overview: Download the appropriate CMA patch binaries and update CMA.

CAVEAT - IMPORTANT: McAfee strongly advises ProtectionPilot customers to
review KB article 613335 before applying CMA 3.6.0 Patch 1 because of a known
compatibility issue. That article contains a HotFix that must be applied to
the PrP server immediately after installing CMA 3.6.0 Patch 1 to resolve the
issue. See "Installation steps for ProtectionPilot 1.1.1 & 1.5" below in this
section for detailed steps on applying CMA 3.6.0 Patch 1 and the HotFix.
Obtaining the Binaries: https://mysupport.mcafee.com/eservice_enu/start.swe

Installation Requirements: To use this release, you must have ePolicy
Orchestrator 3.5, 3.6 or 3.6.1, or ProtectionPilot 1.1.1 or 1.5, installed on
the computer you intend to update with this release.

Installation steps:

1. Create a temporary folder on the hard drive of the ePolicy Orchestrator
   server.
2. Extract the CMA3601.ZIP file to the temporary folder that you created in
   Step 1.

Installation steps for ePolicy Orchestrator 3.5, 3.6, 3.6.1:

Checking the agent package into the Master Repository:

NOTE: You cannot check in packages while pull or replication tasks are
executing.

1. Log on to the desired ePolicy Orchestrator server using a global
   administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select
   Repository.
3. In the details pane under AutoUpdate Tasks, click Check in package. The
   Check in package wizard appears.
4. Click Next to open the package type dialog box.
5. Select Products or updates, then click Next. The catalog file dialog box
   appears.
6. Select the package catalog (PKGCATALOG.Z) file from the temporary folder
   you created in Step 1 of Installation steps. You can type the path to this
   file, or click Browse to select it. Click Next. The summary dialog box
   appears.
7. Click Finish to check in the package.
8. Click Close after the package has been checked in. The new agent package
   is created automatically.

Check in the new .NAP file:

1. In the console tree under ePolicy Orchestrator, <SERVER>, select
   Repository.
2. In the details pane under AutoUpdate Tasks, click Check in NAP. The
   Software Repository Configuration wizard appears.
3. Click Next to Add new software to be managed.
4. Select the NAP (CMA360.nap) file from the temporary folder you created in
   Step 1 of Installation steps.
5. Click Yes to overwrite the existing NAP.
6. Click OK after the Software repository configuration has completed.

Replicating the agent package to Distributed Repositories:

NOTE: Since local distributed repositories can be accessed only from client
computers, replication tasks do not copy packages from the master repository
to local distributed repositories; you must manually update local distributed
repositories with the desired packages.

1. Log on to the desired ePolicy Orchestrator server using a global
   administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select
   Repository.
3. In the details pane under AutoUpdate Tasks, click Replicate now. The
   Replicate Now wizard appears.
4. Click Next to open the distributed repositories dialog box.
5. Click Select All to select all global and SuperAgent distributed
   repositories, then click Next. The replication type dialog box appears.
6. Select Incremental replication, then click Finish to run the task.
7. Click Close after the task has completed.

Deploying the agent to client computers:

Although there are numerous methods you can use to install the agent on
computers that you want to manage via ePolicy Orchestrator, we recommend
using the Deployment client task. For a list of other methods and
instructions for each, see "Agent deployment" in the ePolicy Orchestrator
Product Guide.

1. Log on to the desired ePolicy Orchestrator server.
2. In the console tree under ePolicy Orchestrator, <SERVER>, right-click
   Directory, <SITE>, <GROUP>, or <COMPUTER>. The Policies, Properties, and
   Tasks tabs appear in the details pane.
3. Click the Tasks tab.
4. Right-click the Deployment task, then select Edit Task. The ePolicy
   Orchestrator Scheduler dialog box appears.
5. On the Task tab, click Settings. The Task Settings dialog box appears.
6. Deselect Inherit.
7. Next to Agent 3.6, select Install in Action.
8. Next to those products that you do not want to deploy, select Ignore in
   Action.
9. To specify command-line options used when installing the agent, click the
   '...' button next to Agent 3.6.0. For instructions, see "Agent
   installation command-line options" in the ePolicy Orchestrator Product
   Guide.
10. If you want this task to also be enforced during the policy enforcement
    interval, select Run this task at every policy enforcement interval.
11. Schedule the task. For instructions, see "Scheduling client tasks" in the
    ePolicy Orchestrator Product Guide.
12. Click OK to save the current entries.

Monitoring agent deployment:

You can use the Agent Versions or the Compliance Issues reports to monitor
the deployment of the agent. For instructions and information, see "Running
reports" and the "Agent Versions report template" or "Compliance Issues
report template" in the ePolicy Orchestrator Product Guide. The new agent
version number is 3.6.0.546.

Installation steps for ProtectionPilot 1.1.1 & 1.5:

See the CAVEAT entry at the top of the Remediation section.

CMA 3.6.0 Patch 1 installation steps:

1. Log on to the ProtectionPilot 1.x.x server.
2. Click the Server (servername) entry.
3. Click the Repository tab and select Check In Package.
4. Select Products and updates and click Next.
5. Click Browse to navigate to the folder where CMA 3.6.0 Patch 1 was
   extracted, double-click PkgCatalog.z and click Next.
6. Click Finish to check CMA 3.6.0 Patch 1 into the Repository.
7. Click OK to close the Check In Package Wizard.

IMPORTANT: After following the steps above, immediately apply the HotFix
contained in the 349919.zip file attached to KB article 613335.

HotFix installation steps:

The following steps must be performed directly on the PrP server. The HotFix
must not be applied to any client computer.

1. Extract 349919.zip, located in the Attachments section at the bottom of
   613335, to a temporary location.
2. Restart the PrP server computer.
3. Click Start, Run, type services.msc and click OK.
4. Right-click the McAfee ProtectionPilot 1.x.x Server service and select
   Stop.
   NOTE: If the ProtectionPilot Server service is already stopped, continue
   to the next step.
5. Open the temporary location where 349919.zip was extracted and
   double-click 349919.exe.
6. Click Start, Run, type services.msc and click OK.
7. Right-click the McAfee ProtectionPilot 1.x.x Server service and select
   Start.

4. Work Around

There is a workaround for this security vulnerability in ePolicy Orchestrator
(ePO) if you do not install Common Management Agent (CMA) 3.6.0 Patch 1:
deselect Enable Agent wakeup call support and enable the option Accept
connections only from IP addresses listed in the site list in the CMA NAP.

Steps to implement the workaround on ePO 3.6.x:

1. Log on to the ePO console. See KB42032 for information on logging on to
   the ePO console.
2. Navigate to the Directory level.
3. Select ePO Agent 3.5.5 or ePO Agent 3.6.0, depending on which version of
   the Common Management Agent is checked into the repository.
4. Under Configuration, create a new named policy.
5. Deselect Enable Agent wakeup call support. A warning dialog box is
   displayed when disabling agent wakeup call support; click OK.
6. Select Accept connections only from IP addresses listed in the site list.
7. Click Apply All.

These policy settings take effect at the next agent-to-server communication
interval.

5. Acknowledgements

IBM Internet Security Systems X-Force member Neel Mehta.

6. Support

Corporate Technical Support: 1-800-338-8754
http://www.mcafee.com/us/support/default.asp

7. Frequently Asked Questions (FAQ) related to this security bulletin

Who is affected by this security vulnerability?
Common Management Agent 3.6.0.453 and earlier. McAfee urges all customers to
verify that they have received the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes, ePolicy Orchestrator's agent (CMA) is affected. McAfee consumer products
are not affected by this issue.
How do I know if my Common Management Agent is vulnerable or not?
1. Log on to ePO server reports as an administrator.
2. Run the Agent Versions report and check the agent version that is in use.
   The agent version should be 3.6.0.546 or above.

What is CVSS?
CVSS, the Common Vulnerability Scoring System, is the result of the National
Infrastructure Advisory Council's effort to standardize a system for
assessing the criticality of a vulnerability. It offers an unbiased
criticality score which customers can use to judge how critical a
vulnerability is and plan accordingly. For more information, visit the CVSS
website at http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

    Base Score                 8.0
    Access Vector              Remote
    Access Complexity          High
    Authentication             Not Required
    Confidentiality Impact     Complete
    Integrity Impact           Complete
    Availability Impact        Complete
    Impact Bias                Normal
    Adjusted Temporal Score    5.9
    Exploitability             Unproven
    Remediation Level          Official Fix
    Report Confidence          Confirmed

What has McAfee done to resolve the issue?
McAfee believes in providing the most secure software to customers and has
provided a new release to address this security flaw.

Where do I download the fix from?
The fix can be downloaded from
https://mysupport.mcafee.com/eservice_enu/start.swe

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of its customers. In the event a
vulnerability is found within any of McAfee's software, a strong process is
in place to work closely with the relevant security research group to ensure
the rapid and effective development of a fix and communication plan. McAfee
is an active member of the Organization for Internet Safety (OIS), which is
dedicated to developing guidelines and best practices for the reporting and
fixing of software vulnerabilities.
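The FAQ check above is a manual look at one report. The script below is an added example, not McAfee or AusCERT code, that applies the same criterion to an exported Agent Versions report: anything below the 3.6.0.546 fix level is flagged, builds that also fall inside the 3.5.5.438 to 3.6.0.453 range named in the heap-overflow bulletin later in this ESB are marked separately (that bulletin gives two lower bounds; the wider one from its Affected Software line is assumed here), and hosts that report no version at all are surfaced rather than silently counted as patched. The CSV column names and host rows are constructed for the example and are not the real ePO export format. Version fields are compared numerically, because a plain string comparison sorts 3.6.0.1000 below 3.6.0.546 and would mis-classify later builds.

```python
"""Triage an exported ePO "Agent Versions" report against CMA 3.6.0 Patch 1.

Added example; not McAfee or AusCERT code. The CSV column names and the host
rows below are constructed for illustration and do not come from the bulletin.
"""
import csv
import io

# Fix level from the bulletin FAQ: agents must report 3.6.0.546 or above.
FIXED_VERSION = "3.6.0.546"
# Range the heap-overflow bulletin in this ESB lists under Affected Software
# (3.5.5.438 through 3.6.0.453); assumed here as the wider of its two bounds.
HEAP_OVERFLOW_RANGE = ("3.5.5.438", "3.6.0.453")

# Constructed sample export (not a real report). srv-001 carries a made-up
# future build number to show why the comparison must be numeric.
SAMPLE_REPORT = """hostname,agent_version
ws-001,3.6.0.453
ws-002,3.6.0.546
ws-003,3.5.5.438
ws-004,3.6.0.438
srv-001,3.6.0.1000
ws-005,
ws-006,3.5.0.100
"""


def parse_version(text):
    """Turn 'a.b.c.d' into (a, b, c, d) so each field compares as an integer.

    A string comparison ranks '3.6.0.1000' below '3.6.0.546' because it
    compares character by character; the integer tuple compares correctly.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected agent version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version):
    """True when the agent is older than the CMA 3.6.0 Patch 1 build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def in_heap_overflow_range(version):
    """True when the build falls inside the heap-overflow bulletin's range."""
    low, high = (parse_version(v) for v in HEAP_OVERFLOW_RANGE)
    return low <= parse_version(version) <= high


def triage(report_csv):
    """Classify each report row.

    Returns {hostname: (status, heap_range)} where status is 'patched',
    'vulnerable' or 'unknown' (no version reported at all, which needs a
    follow-up rather than being treated as patched).
    """
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        host = row["hostname"].strip()
        version = (row.get("agent_version") or "").strip()
        if not version:
            results[host] = ("unknown", False)
            continue
        status = "vulnerable" if is_vulnerable(version) else "patched"
        results[host] = (status, in_heap_overflow_range(version))
    return results


def vulnerable_hosts(report_csv):
    """Sorted list of hosts that still need CMA 3.6.0 Patch 1."""
    return sorted(host for host, (status, _) in triage(report_csv).items()
                  if status == "vulnerable")


if __name__ == "__main__":
    for host, (status, heap) in triage(SAMPLE_REPORT).items():
        note = " (also in heap-overflow range)" if heap else ""
        print(f"{host:8} {status}{note}")
```

Feed the script the CSV export of the report and treat every "unknown" as a host to chase: an agent that has stopped reporting is exactly the one most likely to have been missed by the deployment task.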
8. Resources

To submit possible vulnerabilities in any McAfee product, send email to:
security@mcafee.com
For contact information, see: http://www.mcafee.com/pubs/contacts.html
For copyright, trademark attributions, and license information, see:
http://www.mcafee.com/pubs/copyright.html
For patents protecting this product, see the product documentation.

9. Disclaimer

The information provided in this security bulletin is provided as is without
warranty of any kind. McAfee disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall McAfee or its suppliers be liable for
any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if McAfee or its suppliers
have been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

============================================================================

McAfee Security Bulletin - Stack based buffer overflow of Common Management
Agent (CMA)

Environment

McAfee ePolicy Orchestrator 3.5
McAfee ePolicy Orchestrator 3.6
McAfee ePolicy Orchestrator 3.6.1
McAfee ProtectionPilot 1.1.1
McAfee ProtectionPilot 1.5
McAfee Common Management Agent (CMA) 3.6.0.453 and earlier

1. Summary

Who should read this document:  Technical and Security Personnel.
Impact of Vulnerability:        Stack based buffer overflow of Common
                                Management Agent (CMA)
Severity Rating:                Critical
Overall CVSS Rating:            5.9
Recommendations:                Upgrade to McAfee Common Management Agent 3.6.0
                                Patch 1 (CMA 3.6.0.546)
Security Bulletin Replacement:  None
Caveats:                        Yes (see Section 3 - Remediation)
Affected Software:              Common Management Agent (CMA) 3.6.0.453 and earlier
Location of updated software:   https://mysupport.mcafee.com/eservice_enu/start.swe

2. Description

A successful exploit of this security flaw could allow an attacker to crash a
CMA node that is configured to receive updates from a SuperAgent, and
possibly perform arbitrary code execution. For this attack to work, the ePO
installation must have SuperAgents deployed and the agents must be configured
to receive updates from the SuperAgent repository. When agents are configured
in this manner, they may be susceptible to a specially crafted packet which
could result in memory corruption and manipulation. An attacker would have to
reverse engineer the product in order to create this attack, which is
considered difficult. The patch performs proper bounds checking on the packet
data and removes the risk associated with this flaw.

This issue only affects Managed mode installations (CMA deployed and managed
by ePO or PrP), because that is when the ports are open. Standalone
(unmanaged) installations of CMA are NOT affected by this vulnerability
because the ports are not open.

The new packages have been pushed to the download servers and have been
available for download since June 19, 2007. This update removes the risk
associated with this security flaw.

3. Remediation

Overview: Download the appropriate CMA patch binaries and update CMA.

CAVEAT - IMPORTANT: McAfee strongly advises ProtectionPilot customers to
review KB article 613335 before applying CMA 3.6.0 Patch 1 because of a known
compatibility issue. That article contains a HotFix that must be applied to
the PrP server immediately after installing CMA 3.6.0 Patch 1 to resolve the
issue. See "Installation steps for ProtectionPilot 1.1.1 & 1.5" below in this
section for detailed steps on applying CMA 3.6.0 Patch 1 and the HotFix.
Obtaining the Binaries: https://mysupport.mcafee.com/eservice_enu/start.swe

Installation Requirements: To use this release, you must have ePolicy
Orchestrator 3.5, 3.6 or 3.6.1, or ProtectionPilot 1.1.1 or 1.5, installed on
the computer you intend to update with this release.

Installation steps:

1. Create a temporary folder on the hard drive of the ePolicy Orchestrator
   server.
2. Extract the CMA3601.ZIP file to the temporary folder that you created in
   Step 1.

Installation steps for ePolicy Orchestrator 3.5, 3.6, 3.6.1:

Checking the agent package into the Master Repository:

NOTE: You cannot check in packages while pull or replication tasks are
executing.

1. Log on to the desired ePolicy Orchestrator server using a global
   administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select
   Repository.
3. In the details pane under AutoUpdate Tasks, click Check in package. The
   Check in package wizard appears.
4. Click Next to open the package type dialog box.
5. Select Products or updates, then click Next. The catalog file dialog box
   appears.
6. Select the package catalog (PKGCATALOG.Z) file from the temporary folder
   you created in Step 1 of Installation steps. You can type the path to this
   file, or click Browse to select it. Click Next. The summary dialog box
   appears.
7. Click Finish to check in the package.
8. Click Close after the package has been checked in. The new agent package
   is created automatically.

Check in the new .NAP file:

1. In the console tree under ePolicy Orchestrator, <SERVER>, select
   Repository.
2. In the details pane under AutoUpdate Tasks, click Check in NAP. The
   Software Repository Configuration wizard appears.
3. Click Next to Add new software to be managed.
4. Select the NAP (CMA360.nap) file from the temporary folder you created in
   Step 1 of Installation steps.
5. Click Yes to overwrite the existing NAP.
6. Click OK after the Software repository configuration has completed.

Replicating the agent package to Distributed Repositories:

NOTE: Since local distributed repositories can be accessed only from client
computers, replication tasks do not copy packages from the master repository
to local distributed repositories; you must manually update local distributed
repositories with the desired packages.

1. Log on to the desired ePolicy Orchestrator server using a global
   administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select
   Repository.
3. In the details pane under AutoUpdate Tasks, click Replicate now. The
   Replicate Now wizard appears.
4. Click Next to open the distributed repositories dialog box.
5. Click Select All to select all global and SuperAgent distributed
   repositories, then click Next. The replication type dialog box appears.
6. Select Incremental replication, then click Finish to run the task.
7. Click Close after the task has completed.

Deploying the agent to client computers:

Although there are numerous methods you can use to install the agent on
computers that you want to manage via ePolicy Orchestrator, we recommend
using the Deployment client task. For a list of other methods and
instructions for each, see "Agent deployment" in the ePolicy Orchestrator
Product Guide.

1. Log on to the desired ePolicy Orchestrator server.
2. In the console tree under ePolicy Orchestrator, <SERVER>, right-click
   Directory, <SITE>, <GROUP>, or <COMPUTER>. The Policies, Properties, and
   Tasks tabs appear in the details pane.
3. Click the Tasks tab.
4. Right-click the Deployment task, then select Edit Task. The ePolicy
   Orchestrator Scheduler dialog box appears.
5. On the Task tab, click Settings. The Task Settings dialog box appears.
6. Deselect Inherit.
7. Next to Agent 3.6, select Install in Action.
8. Next to those products that you do not want to deploy, select Ignore in
   Action.
9. To specify command-line options used when installing the agent, click the
   '...' button next to Agent 3.6.0. For instructions, see "Agent
   installation command-line options" in the ePolicy Orchestrator Product
   Guide.
10. If you want this task to also be enforced during the policy enforcement
    interval, select Run this task at every policy enforcement interval.
11. Schedule the task. For instructions, see "Scheduling client tasks" in the
    ePolicy Orchestrator Product Guide.
12. Click OK to save the current entries.

Monitoring agent deployment:

You can use the Agent Versions or the Compliance Issues reports to monitor
the deployment of the agent. For instructions and information, see "Running
reports" and the "Agent Versions report template" or "Compliance Issues
report template" in the ePolicy Orchestrator Product Guide. The new agent
version number is 3.6.0.546.

Installation steps for ProtectionPilot 1.1.1 & 1.5:

See the CAVEAT entry at the top of the Remediation section.

CMA 3.6.0 Patch 1 installation steps:

1. Log on to the ProtectionPilot 1.x.x server.
2. Click the Server (servername) entry.
3. Click the Repository tab and select Check In Package.
4. Select Products and updates and click Next.
5. Click Browse to navigate to the folder where CMA 3.6.0 Patch 1 was
   extracted, double-click PkgCatalog.z and click Next.
6. Click Finish to check CMA 3.6.0 Patch 1 into the Repository.
7. Click OK to close the Check In Package Wizard.

IMPORTANT: After following the steps above, immediately apply the HotFix
contained in the 349919.zip file attached to KB article 613335.

HotFix installation steps:

The following steps must be performed directly on the PrP server. The HotFix
must not be applied to any client computer.

1. Extract 349919.zip, located in the Attachments section at the bottom of
   613335, to a temporary location.
2. Restart the PrP server computer.
3. Click Start, Run, type services.msc and click OK.
4. Right-click the McAfee ProtectionPilot 1.x.x Server service and select
   Stop.
   NOTE: If the ProtectionPilot Server service is already stopped, continue
   to the next step.
5. Open the temporary location where 349919.zip was extracted and
   double-click 349919.exe.
6. Click Start, Run, type services.msc and click OK.
7. Right-click the McAfee ProtectionPilot 1.x.x Server service and select
   Start.

4. Work Around

There is a workaround for this security vulnerability in ePolicy Orchestrator
(ePO) if you do not install Common Management Agent (CMA) 3.6.0 Patch 1:
deselect Enable Agent wakeup call support and enable the option Accept
connections only from IP addresses listed in the site list in the CMA NAP.

Steps to implement the workaround on ePO 3.6.x:

1. Log on to the ePO console. See KB42032 for information on logging on to
   the ePO console.
2. Navigate to the Directory level.
3. Select ePO Agent 3.5.5 or ePO Agent 3.6.0, depending on which version of
   the Common Management Agent is checked into the repository.
4. Under Configuration, create a new named policy.
5. Deselect Enable Agent wakeup call support. A warning dialog box is
   displayed when disabling agent wakeup call support; click OK.
6. Select Accept connections only from IP addresses listed in the site list.
7. Click Apply All.

These policy settings take effect at the next agent-to-server communication
interval.

5. Acknowledgements

IBM Internet Security Systems X-Force member Neel Mehta.

6. Support

Corporate Technical Support: 1-800-338-8754
http://www.mcafee.com/us/support/default.asp

7. Frequently Asked Questions (FAQ) related to this security bulletin

Who is affected by this security vulnerability?
Common Management Agent 3.6.0.453 and earlier. McAfee urges all customers to
verify that they have received the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes, ePolicy Orchestrator's agent (CMA) is affected. McAfee consumer products
are not affected by this issue.
How do I know if my Common Management Agent is vulnerable or not?
1. Log on to ePO server reports as an administrator.
2. Run the Agent Versions report and check the agent version that is in use.
   The agent version should be 3.6.0.546 or above.

What is CVSS?
CVSS, the Common Vulnerability Scoring System, is the result of the National
Infrastructure Advisory Council's effort to standardize a system for
assessing the criticality of a vulnerability. It offers an unbiased
criticality score which customers can use to judge how critical a
vulnerability is and plan accordingly. For more information, visit the CVSS
website at http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

    Base Score                 8.0
    Access Vector              Remote
    Access Complexity          High
    Authentication             Not Required
    Confidentiality Impact     Complete
    Integrity Impact           Complete
    Availability Impact        Complete
    Impact Bias                Normal
    Adjusted Temporal Score    5.9
    Exploitability             Unproven
    Remediation Level          Official Fix
    Report Confidence          Confirmed

What has McAfee done to resolve the issue?
McAfee believes in providing the most secure software to customers and has
provided a new release to address this security flaw.

Where do I download the fix from?
The fix can be downloaded from
https://mysupport.mcafee.com/eservice_enu/start.swe

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of its customers. In the event a
vulnerability is found within any of McAfee's software, a strong process is
in place to work closely with the relevant security research group to ensure
the rapid and effective development of a fix and communication plan. McAfee
is an active member of the Organization for Internet Safety (OIS), which is
dedicated to developing guidelines and best practices for the reporting and
fixing of software vulnerabilities.
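The metric list above (used identically in each bulletin of this ESB) is CVSS version 1, the scheme current in 2007, and both quoted scores follow from it: the Complete/Complete/Complete impact with Normal bias gives an impact factor of 0.999, Access Complexity High multiplies by 0.8 to land at 8.0, and the temporal modifiers Unproven (0.85) and Official Fix (0.87) pull that down to 5.9. The script below is an added example, not part of the McAfee bulletin; the weights are the published CVSS v1 constants, which this page does not state and are assumed from the v1 specification, and the last two calls show what happens to the same finding if a working exploit becomes public or if the attack complexity had been rated Low.

```python
"""Recompute the CVSS v1 base and temporal scores quoted in the bulletin.

Added example; not part of the McAfee bulletin. The weights are the CVSS
version 1 constants (assumed from the v1 specification, the scheme in use in
2007); CVSS v2 and v3 use different formulas and would not reproduce 8.0
and 5.9 from these metric values.
"""

ACCESS_VECTOR = {"Local": 0.7, "Remote": 1.0}
ACCESS_COMPLEXITY = {"High": 0.8, "Low": 1.0}
AUTHENTICATION = {"Required": 0.6, "Not Required": 1.0}
IMPACT = {"None": 0.0, "Partial": 0.7, "Complete": 1.0}
# Impact bias weights applied to (Confidentiality, Integrity, Availability).
IMPACT_BIAS = {
    "Normal": (0.333, 0.333, 0.333),
    "Confidentiality": (0.5, 0.25, 0.25),
    "Integrity": (0.25, 0.5, 0.25),
    "Availability": (0.25, 0.25, 0.5),
}
EXPLOITABILITY = {"Unproven": 0.85, "Proof-of-Concept": 0.9,
                  "Functional": 0.95, "High": 1.0}
REMEDIATION_LEVEL = {"Official Fix": 0.87, "Temporary Fix": 0.90,
                     "Workaround": 0.95, "Unavailable": 1.0}
REPORT_CONFIDENCE = {"Unconfirmed": 0.90, "Uncorroborated": 0.95,
                     "Confirmed": 1.0}

# Metric values exactly as listed in the bulletin FAQ.
BULLETIN_METRICS = {
    "access_vector": "Remote",
    "access_complexity": "High",
    "authentication": "Not Required",
    "confidentiality": "Complete",
    "integrity": "Complete",
    "availability": "Complete",
    "impact_bias": "Normal",
    "exploitability": "Unproven",
    "remediation_level": "Official Fix",
    "report_confidence": "Confirmed",
}


def base_score(access_vector, access_complexity, authentication,
               confidentiality, integrity, availability, impact_bias="Normal"):
    """CVSS v1 base: 10 * AV * AC * Au * (C*Cb + I*Ib + A*Ab), to one decimal."""
    c_bias, i_bias, a_bias = IMPACT_BIAS[impact_bias]
    impact = (IMPACT[confidentiality] * c_bias
              + IMPACT[integrity] * i_bias
              + IMPACT[availability] * a_bias)
    raw = (10 * ACCESS_VECTOR[access_vector]
           * ACCESS_COMPLEXITY[access_complexity]
           * AUTHENTICATION[authentication] * impact)
    return round(raw, 1)


def temporal_score(base, exploitability, remediation_level, report_confidence):
    """CVSS v1 temporal: base * E * RL * RC, to one decimal (never above base)."""
    return round(base * EXPLOITABILITY[exploitability]
                 * REMEDIATION_LEVEL[remediation_level]
                 * REPORT_CONFIDENCE[report_confidence], 1)


def score(metrics):
    """Return (base, temporal) for a metrics dict in the BULLETIN_METRICS shape."""
    base = base_score(metrics["access_vector"], metrics["access_complexity"],
                      metrics["authentication"], metrics["confidentiality"],
                      metrics["integrity"], metrics["availability"],
                      metrics["impact_bias"])
    temporal = temporal_score(base, metrics["exploitability"],
                              metrics["remediation_level"],
                              metrics["report_confidence"])
    return base, temporal


if __name__ == "__main__":
    print("bulletin as published:", score(BULLETIN_METRICS))
    # Access Complexity High is the only metric holding the base below 10,
    # and a public exploit would lift the temporal score back toward the base.
    print("public exploit:", score(dict(BULLETIN_METRICS, exploitability="High")))
    print("low complexity:", score(dict(BULLETIN_METRICS, access_complexity="Low")))
```

The practical point is that the 5.9 in the summary is the temporal score, which is already discounted for the fix being available and no exploit being known; a published exploit alone moves it to 7.0 with nothing else changing, so the base score of 8.0 is the better number to drive patch priority.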
8. Resources

To submit possible vulnerabilities in any McAfee product, send email to:
security@mcafee.com
For contact information, see: http://www.mcafee.com/pubs/contacts.html
For copyright, trademark attributions, and license information, see:
http://www.mcafee.com/pubs/copyright.html
For patents protecting this product, see the product documentation.

9. Disclaimer

The information provided in this security bulletin is provided as is without
warranty of any kind. McAfee disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall McAfee or its suppliers be liable for
any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if McAfee or its suppliers
have been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

============================================================

McAfee Security Bulletin - Heap based buffer overflow of Common Management
Agent (CMA)

Environment

McAfee ePolicy Orchestrator 3.5
McAfee ePolicy Orchestrator 3.6
McAfee ePolicy Orchestrator 3.6.1
McAfee ProtectionPilot 1.1.1
McAfee ProtectionPilot 1.5
McAfee Common Management Agent (CMA) 3.6.0.438 to 3.6.0.453

1. Summary

Who should read this document:  Technical and Security Personnel.
Impact of Vulnerability:        Heap based buffer overflow of Common
                                Management Agent (CMA)
Severity Rating:                Critical
Overall CVSS Rating:            5.9
Recommendations:                Upgrade to McAfee Common Management Agent 3.6.0
                                Patch 1 (CMA 3.6.0.546)
Security Bulletin Replacement:  None
Caveats:                        Yes (see Section 3 - Remediation)
Affected Software:              Common Management Agent (CMA) 3.5.5.438 through
                                3.6.0.453
Location of updated software:   https://mysupport.mcafee.com/eservice_enu/start.swe

2. Description

A successful exploit of this security flaw would allow an attacker to crash a
CMA node or possibly perform arbitrary command execution. In order for this
attack to occur, the attacker would have to reverse engineer the product,
produce a specially crafted installation package, and reverse engineer the
protocols. This would require several manipulations of the local network in
order to be successful. After the patch has been installed successfully, the
issue no longer exists.

This issue only affects Managed mode installations (CMA deployed and managed
by ePO or PrP), because that is when the ports are open. Standalone
(unmanaged) installations of CMA are NOT affected by this vulnerability
because the ports are not open.

The new packages have been pushed to the download servers and have been
available for download since June 19, 2007. This update removes the risk
associated with this security flaw.

3. Remediation

Overview: Download the appropriate CMA patch binaries and update CMA.

CAVEAT - IMPORTANT: McAfee strongly advises ProtectionPilot customers to
review KB article 613335 before applying CMA 3.6.0 Patch 1 because of a known
compatibility issue. That article contains a HotFix that must be applied to
the PrP server immediately after installing CMA 3.6.0 Patch 1 to resolve the
issue. See "Installation steps for ProtectionPilot 1.1.1 & 1.5" below in this
section for detailed steps on applying CMA 3.6.0 Patch 1 and the HotFix.

Obtaining the Binaries: https://mysupport.mcafee.com/eservice_enu/start.swe

Installation Requirements: To use this release, you must have ePolicy
Orchestrator 3.5, 3.6 or 3.6.1, or ProtectionPilot 1.1.1 or 1.5, installed on
the computer you intend to update with this release.

Installation steps:

1. Create a temporary folder on the hard drive of the ePolicy Orchestrator
   server.
2. Extract the CMA3601.ZIP file to the temporary folder that you created in
   Step 1.
Installation steps for ePolicy Orchestrator 3.5, 3.6, 3.6.1: Checking the agent package into the Master Repository: NOTE: You cannot check in packages while pull or replication tasks are executing. 1. Log on to the desired ePolicy Orchestrator server using a global administrator user account. 2. In the console tree under ePolicy Orchestrator, <SERVER>, select Repository. 3. In the details pane under AutoUpdate Tasks, click Check in package. The Check in package wizard appears. 4. Click Next to open the package type dialog box. 5. Select Products or updates, then click Next. The catalog file dialog box appears. 6. Select the package catalog (PKGCATALOG.Z) file from the temporary folder you created in Step 1 of Installation Steps. You can type the path to this file, or click Browse to select it, and click Next. The summary dialog box appears. 7. Click Finish to check in the package. 8. Click Close after the package has been checked in. The new agent package is automatically created. Check in the new .NAP file: 1. In the console tree under ePolicy Orchestrator, <SERVER>, select Repository. 2. In the details pane under AutoUpdate Tasks, click Check in NAP. The Software Repository Configuration wizard appears. 3. Click Next to Add new software to be managed. 4. Select the NAP (CMA360.nap) file from the temporary folder you created in Step 1 of Installation Steps. 5. Click Yes to overwrite existing NAP. 6. Click OK after the Software repository configuration has completed. Replicating the agent package to Distributed Repositories: NOTE: Since local distributed repositories can be accessed only from client computers, replication tasks do not copy packages from the master repository to local distributed repositories; you must manually update local distributed repositories with the desired packages. 1. Log on to the desired ePolicy Orchestrator server using a global administrator user account. 2. In the console tree under ePolicy Orchestrator, <SERVER>, select Repository. 
3. In the details pane under AutoUpdate Tasks, click Replicate now. The Replicate Now wizard appears.
4. Click Next to open the distributed repositories dialog box.
5. Click Select All to select all global and SuperAgent distributed repositories, then click Next. The replication type dialog box appears.
6. Select Incremental replication, then click Finish to run the task.
7. Click Close after the task has completed.

Deploying the agent to client computers:
Although there are numerous methods you can use to install the agent on computers that you want to manage via ePolicy Orchestrator, we recommend using the Deployment client task. For a list of other methods and instructions for each, see Agent deployment in the ePolicy Orchestrator Product Guide.
1. Log on to the desired ePolicy Orchestrator server.
2. In the console tree under ePolicy Orchestrator, <SERVER>, right-click Directory, <SITE>, <GROUP>, or <COMPUTER>. The Policies, Properties, and Tasks tabs appear in the details pane.
3. Click the Tasks tab.
4. Right-click the Deployment task, then select Edit Task. The ePolicy Orchestrator Scheduler dialog box appears.
5. On the Task tab, click Settings. The Task Settings dialog box appears.
6. Deselect Inherit.
7. Next to Agent 3.6, select Install in Action.
8. Next to those products that you do not want to deploy, select Ignore in Action.
9. To specify command-line options used when installing the agent, click the '...' button next to Agent 3.6.0. For instructions, see Agent installation command-line options in the ePolicy Orchestrator Product Guide.
10. If you want this task to also be enforced during the policy enforcement interval, select Run this task at every policy enforcement interval.
11. Schedule the task. For instructions, see Scheduling client tasks in the ePolicy Orchestrator Product Guide.
12. Click OK to save the current entries.
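Once the Deployment task has run, the administrator still has to decide which agents remain exposed. The Agent Versions report gives only the raw version strings, and a plain "newer than X" comparison is not enough: CMA 3.5.5 Patch 2 (3.5.5.580) fixes only the Framework service crash covered by the later bulletin in this ESB, while the crash / command-execution issue described above needs 3.6.0.546 or above, or the section 4 workaround (wakeup call support disabled AND connections accepted only from site-list addresses). The Python script below is an added example and is not McAfee's or ePO's own code; it encodes those conditions for an exported inventory. The Agent rows, the field names (managed, wakeup_enabled, sitelist_only) and the sample hosts are assumptions constructed for the example, not ePO's export schema.

```python
"""Triage of an exported ePO agent inventory against the CMA bulletins in this ESB.

Added example, not McAfee or ePO code.  Assumed input: the "Agent Version" report
already exported and joined with the enforced agent policy, represented here as
Agent rows.  Field names and sample hosts are constructed for the example."""
from dataclasses import dataclass

# Agent builds named in the bulletins, as comparable 4-tuples.
FIRST_AFFECTED = (3, 5, 5, 438)   # lower end of "3.5.5.438 till 3.6.0.453"
FIXED_355_P2 = (3, 5, 5, 580)     # CMA 3.5.5 Patch 2: fixes the Framework service crash only
FIXED_360_P1 = (3, 6, 0, 546)     # CMA 3.6.0 Patch 1: fixes both issues in this ESB

PATCHED = "patched"
MITIGATED = "mitigated by workaround"
EXPOSED = "EXPOSED"
NOT_AFFECTED = "not affected"
UNKNOWN = "unknown version"


def parse_version(text: str) -> tuple:
    """'3.6.0.453' -> (3, 6, 0, 453).  Anything that is not four integers is rejected,
    so a blank or truncated version cell can never compare as 'fixed'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected agent version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Agent:
    host: str
    version: str
    managed: bool          # standalone (unmanaged) CMA is not affected: its ports are closed
    wakeup_enabled: bool   # policy "Enable Agent wakeup call support"
    sitelist_only: bool    # policy "Accept connections only from IP addresses listed in the site list"


def workaround_applied(agent: Agent) -> bool:
    """Section 4 requires both policy changes.  They take effect only after the next
    agent-to-server communication, so pass the enforced policy, not the freshly edited one."""
    return (not agent.wakeup_enabled) and agent.sitelist_only


def assess_command_execution(agent: Agent) -> str:
    """Crash / possible arbitrary command execution: fixed in 3.6.0.546 or above.
    3.5.5.580 (Patch 2 of the 3.5.5 line) still lies inside the affected range."""
    if not agent.managed:
        return NOT_AFFECTED
    try:
        version = parse_version(agent.version)
    except ValueError:
        return UNKNOWN
    if version >= FIXED_360_P1:
        return PATCHED
    # Every older build (including anything before 3.5.5.438, for which no fix
    # exists) is treated as exposed unless the workaround is in force.
    return MITIGATED if workaround_applied(agent) else EXPOSED


def assess_framework_crash(agent: Agent) -> str:
    """Framework service crash: the bulletin lists 3.5.5.438, fixed by 3.5.5.580 or 3.6.0 Patch 1."""
    if not agent.managed:
        return NOT_AFFECTED
    try:
        version = parse_version(agent.version)
    except ValueError:
        return UNKNOWN
    on_355_line = version[:3] == (3, 5, 5)
    if version >= FIXED_360_P1 or (on_355_line and version >= FIXED_355_P2):
        return PATCHED
    if on_355_line and version >= FIRST_AFFECTED:
        return MITIGATED if workaround_applied(agent) else EXPOSED
    return NOT_AFFECTED   # no other build is named for this issue


def triage(agents) -> dict:
    """host -> (command-execution status, Framework-crash status)."""
    return {a.host: (assess_command_execution(a), assess_framework_crash(a)) for a in agents}


# Constructed sample inventory (not real hosts).
SAMPLE = [
    Agent("ws01", "3.6.0.546", managed=True, wakeup_enabled=True, sitelist_only=False),
    Agent("ws02", "3.6.0.453", managed=True, wakeup_enabled=True, sitelist_only=False),
    Agent("ws03", "3.5.5.438", managed=True, wakeup_enabled=False, sitelist_only=True),
    Agent("ws04", "3.5.5.580", managed=True, wakeup_enabled=True, sitelist_only=True),
    Agent("kiosk", "3.5.5.438", managed=False, wakeup_enabled=True, sitelist_only=False),
    Agent("ws05", "3.6", managed=True, wakeup_enabled=True, sitelist_only=False),
]

if __name__ == "__main__":
    for host, (cmd_exec, crash) in triage(SAMPLE).items():
        print(f"{host:6} command execution: {cmd_exec:24} framework crash: {crash}")
```

The point of ws04 in the sample is the one that bites in practice: a 3.5.5.580 agent shows as fixed for the Framework crash, but with only one of the two workaround settings applied it is still exposed to the command-execution issue and has to receive 3.6.0 Patch 1. An unparsable version cell (ws05) is reported as unknown rather than silently passing.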
Monitoring agent deployment:
You can use the Agent Versions or the Compliance Issues reports to monitor the deployment of the agent. For instructions and information, see Running reports and Agent Versions report template or Compliance Issues report template in the ePolicy Orchestrator Product Guide. The new agent version number is 3.6.0.546.

Installation steps for ProtectionPilot 1.1.1 & 1.5:
See the CAVEAT entry listed at the top of the Remediation section.

CMA 3.6.0 Patch 1 Installation steps:
1. Log on to the ProtectionPilot 1.x.x server.
2. Click the Server (servername) entry.
3. Click the Repository tab and select Check In Package.
4. Select Products and updates and click Next.
5. Click Browse to navigate to the folder where CMA 3.6.0 Patch 1 was extracted, double-click PkgCatalog.z and click Next.
6. Click Finish to check CMA 3.6.0 Patch 1 into the Repository.
7. Click OK to close the Check In Package Wizard.
IMPORTANT: After following the steps above, immediately apply the HotFix contained within the 349919.zip file, which is located in 613335.

HotFix Installation steps:
The following steps must be performed directly on the PrP server. The HotFix should not be applied to any client computer.
1. Extract 349919.zip, located in the Attachments section at the bottom of 613335, to a temporary location.
2. Restart the PrP server computer.
3. Click Start, Run, type services.msc and click OK.
4. Right-click the McAfee ProtectionPilot 1.x.x Server service and select Stop. NOTE: If the ProtectionPilot Server service is already stopped, continue to the next step.
5. Open the temporary location where 349919.zip was extracted and double-click 349919.exe.
6. Click Start, Run, type services.msc and click OK.
7. Right-click the McAfee ProtectionPilot 1.x.x Server service and select Start.

4. Work Around

There is a workaround for this security vulnerability in ePolicy Orchestrator (ePO) if you do not install Common Management Agent (CMA) 3.6.0 Patch 1.
Deselect Enable Agent wakeup call support and enable the option Accept connections only from IP addresses listed in the site list in the CMA NAP. Both settings are required: disabling wakeup calls closes the listener the crafted traffic is sent to, and the site-list restriction limits who may connect to the agent at all.

Steps to implement the workaround on ePO 3.6.x:
1. Log on to the ePO console. See KB42032 for information on logging on to the ePO console.
2. Navigate to the Directory level.
3. Select ePO Agent 3.5.5 or ePO Agent 3.6.0, depending on which version of the Common Management Agent is checked into the repository.
4. Under Configuration, create a new named policy.
5. Deselect Enable Agent wakeup call support. A warning dialog box is displayed when disabling agent wakeup call support. Select OK.
6. Select Accept connections only from IP addresses listed in the site list.
7. Click Apply All.
These policy settings will take effect at the next agent-to-server communication interval; until then the agent is still exposed.

5. Acknowledgements

IBM Internet Security Systems X-Force member Neel Mehta.

6. Support

Corporate Technical Support: 1-800-338-8754
http://www.mcafee.com/us/support/default.asp

7. Frequently Asked Questions (FAQ) related to this security bulletin

Who is affected by this security vulnerability?
Common Management Agent 3.5.5.438 through 3.6.0.453. McAfee urges all customers to verify that they have received the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes, ePolicy Orchestrator's agent (CMA) is affected. The McAfee consumer products are not affected by this issue.

How do I know if my Common Management Agent is vulnerable or not?
1. Log in to ePO server reports as an admin.
2. Run the "Agent Version" report. Check the agent version that is used by ePO. The agent version should be 3.6.0.546 or above. Note that CMA 3.5.5 Patch 2 (3.5.5.580), the fix for the separate Framework service crash covered by the following bulletin, still falls inside the affected range for this issue.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability.
This system offers an unbiased criticality score which customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?
BaseScore 8
  Access Vector           Remote
  Access Complexity       High
  Authentication          Not Required
  Confidentiality Impact  Complete
  Integrity Impact        Complete
  Availability Impact     Complete
  Impact Bias             Normal
Adjusted Temporal Score 5.9
  Exploitability          Unproven
  Remediation Level       Official Fix
  Report Confidence       Confirmed

What has McAfee done to resolve the issue?
McAfee believes in providing the most secure software to customers and has provided a new release to address this security flaw.

Where do I download the fix from?
The fix can be downloaded from: https://mysupport.mcafee.com/eservice_enu/start.swe

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of its customers. In the event a vulnerability is found within any of McAfee's software, a strong process is in place to work closely with the relevant security research group to ensure the rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

8. Resources

To submit possible vulnerabilities on any McAfee product, send email to: security@mcafee.com
For contact information, see: http://www.mcafee.com/pubs/contacts.html
For copyright, trademark attributions, and license information, see: http://www.mcafee.com/pubs/copyright.html
For patents protecting this product, see the product documentation.

9. Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind.
McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

=================================================================

McAfee Security Bulletin - Crash of Framework service of McAfee Common Management Agent (CMA)

Environment
McAfee ePolicy Orchestrator 3.5
McAfee ePolicy Orchestrator 3.6
McAfee ePolicy Orchestrator 3.6.1
McAfee ProtectionPilot 1.1.1
McAfee ProtectionPilot 1.5
McAfee Common Management Agent (CMA) 3.5.5.438

1. Summary

Who should read this document: Technical and Security Personnel.
Impact of Vulnerability: Crash of Framework service of McAfee Common Management Agent (CMA)
Severity Rating: Low
Overall CVSS Rating: 2
Recommendations: Upgrade CMA 3.5.5 to CMA 3.5.5 Patch 2 (CMA3.5.5.580)
Security Bulletin Replacement: None.
Caveats: None.
Affected Software: Common Management Agent (CMA) 3.5.5.438.
Location of updated software: https://mysupport.mcafee.com/eservice_enu/start.swe

2. Description

A successful exploit of this security flaw would allow an attacker to crash the Framework service of CMA. In order for this attack to work, the attacker would have to reverse engineer the product to create a specially crafted installation package. A remote attack would have increased complexity, as it would require manipulations of the local network in order to be successful. After successfully installing the patch, the issue will no longer exist.
This exploit is only seen in Managed mode installations (CMA deployed and managed by ePO or PrP) because the ports are open. Standalone (unmanaged) installations of CMA are NOT affected by this vulnerability because the ports are not open.

The new package has been published on the McAfee download servers and has been available for download since December 2006. This update removes the exploit described above.

3. Remediation

Overview: Download the appropriate CMA patch binaries and update CMA.

Obtaining the Binaries: https://mysupport.mcafee.com/eservice_enu/start.swe

Installation Requirements: To use this release, you must have ePolicy Orchestrator 3.5, ePolicy Orchestrator 3.6, ePolicy Orchestrator 3.6.1, ProtectionPilot 1.1.1, or ProtectionPilot 1.5 installed on the computer you intend to update with this release.

Installation steps:
1. Create a temporary folder on the hard drive of the ePolicy Orchestrator server.
2. Extract the CMA3551.ZIP file to the temporary folder that you created in Step 1.

Installation steps for ePolicy Orchestrator 3.5, 3.6, 3.6.1:

Checking the Agent Package into the Master Repository:
NOTE: You cannot check in packages while pull or replication tasks are executing.
1. Log on to the desired ePolicy Orchestrator server using a global administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select Repository.
3. In the details pane under AutoUpdate Tasks, click Check in package. The Check in package wizard appears.
4. Click Next to open the package type dialog box.
5. Select Products or updates, then click Next. The catalog file dialog box appears.
6. Select the package catalog (PKGCATALOG.Z) file from the temporary folder you created in Step 1 of Installation Steps. You can type the path to this file, or click Browse to select it, and click Next. The summary dialog box appears.
7. Click Finish to check in the package.
8. Click Close after the package has been checked in.
The new agent package is automatically created.

Check in the new .NAP file:
1. In the console tree under ePolicy Orchestrator, <SERVER>, select Repository.
2. In the details pane under AutoUpdate Tasks, click Check in NAP. The Software Repository Configuration wizard appears.
3. Click Next to Add new software to be managed.
4. Select the NAP (CMA355.nap) file from the temporary folder you created in Step 1 of Installation Steps.
5. Click Yes to overwrite the existing NAP.
6. Click OK after the Software repository configuration has completed.

Replicating the Agent Package to Distributed Repositories:
NOTE: Since local distributed repositories can be accessed only from client computers, replication tasks do not copy packages from the master repository to local distributed repositories; you must manually update local distributed repositories with the desired packages.
1. Log on to the desired ePolicy Orchestrator server using a global administrator user account.
2. In the console tree under ePolicy Orchestrator, <SERVER>, select Repository.
3. In the details pane under AutoUpdate Tasks, click Replicate now. The Replicate Now wizard appears.
4. Click Next to open the distributed repositories dialog box.
5. Click Select All to select all global and SuperAgent distributed repositories, then click Next. The replication type dialog box appears.
6. Select Incremental replication, then click Finish to run the task.
7. Click Close after the task has completed.

Deploying the agent to client computers:
Although there are numerous methods you can use to install the agent on computers that you want to manage via ePolicy Orchestrator, we recommend using the Deployment client task. For a list of other methods and instructions for each, see Agent deployment in the ePolicy Orchestrator Product Guide.
1. Log on to the desired ePolicy Orchestrator server.
2. In the console tree under ePolicy Orchestrator, <SERVER>, right-click Directory, <SITE>, <GROUP>, or <COMPUTER>.
The Policies, Properties, and Tasks tabs appear in the details pane.
3. Click the Tasks tab.
4. Right-click the Deployment task, then select Edit Task. The ePolicy Orchestrator Scheduler dialog box appears.
5. On the Task tab, click Settings. The Task Settings dialog box appears.
6. Deselect Inherit.
7. Next to Agent 3.6, select Install in Action.
8. Next to those products that you do not want to deploy, select Ignore in Action.
9. To specify command-line options used when installing the agent, click the '...' button next to Agent 3.6.0. For instructions, see Agent installation command-line options in the ePolicy Orchestrator Product Guide.
10. If you want this task to also be enforced during the policy enforcement interval, select Run this task at every policy enforcement interval.
11. Schedule the task. For instructions, see Scheduling client tasks in the ePolicy Orchestrator Product Guide.
12. Click OK to save the current entries.

Monitoring Agent Deployment:
You can use the Agent Versions or the Compliance Issues reports to monitor the deployment of the agent. For instructions and information, see "Running reports" and "Agent Versions report template" or "Compliance Issues report template" in the ePolicy Orchestrator Product Guide. The new agent version number is 3.5.5.580.

Installation steps for ProtectionPilot 1.1.1 & 1.5:
IMPORTANT: These steps are only applicable to checking CMA 3.5.5 Patch 2 (3.5.5.580) into PrP. McAfee recommends customers bypass this deployment by upgrading to CMA 3.6.0 Patch 1, which also addresses the crash / command-execution issue in the preceding bulletin. ProtectionPilot customers must immediately apply the HotFix on the PrP server as detailed in KnowledgeBase article 613335 after completing the upgrade to CMA 3.6.0 Patch 1.
1. In ProtectionPilot, from the Server section, click the Repository tab. The Manage AutoUpdate Repositories page appears.
2. Click Check In Package under Management Tasks.
3. Select Products and updates, then click Next.
4. Click Browse to locate the file you downloaded, and select the package (PKGCATALOG.Z) file for the product.
5. Click Finish, then OK. Stop and restart the ProtectionPilot server service. The agent upgrade begins immediately.

4. Work Around

There is a workaround for this security vulnerability in ePolicy Orchestrator (ePO) if you do not install Common Management Agent (CMA) 3.6.0 Patch 1. Deselect Enable Agent wakeup call support and enable the option Accept connections only from IP addresses listed in the site list in the CMA NAP.

Steps to implement the workaround on ePO 3.6.x:
1. Log on to the ePO console. See KB42032 for information on logging on to the ePO console.
2. Navigate to the Directory level.
3. Select ePO Agent 3.5.5 or ePO Agent 3.6.0, depending on which version of the Common Management Agent is checked into the repository.
4. Under Configuration, create a new named policy.
5. Deselect Enable Agent wakeup call support. A warning dialog box is displayed when disabling agent wakeup call support. Select OK.
6. Select Accept connections only from IP addresses listed in the site list.
7. Click Apply All.
These policy settings will take effect at the next agent-to-server communication interval.

6. Acknowledgements

IBM Internet Security Systems X-Force member Neel Mehta.

7. Support

Corporate Technical Support: 1-800-338-8754
http://www.mcafee.com/us/support/default.asp

8. Frequently Asked Questions (FAQ) related to this security bulletin

Who is affected by this security vulnerability?
Common Management Agent 3.5.5.438. McAfee urges all customers to verify that they have received the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes, ePolicy Orchestrator's agent (CMA) is affected. The McAfee consumer products are not affected by this issue.

How do I know if my Common Management Agent is vulnerable or not?
1. Log in to ePO server reports as an admin.
2. Run the "Agent Version" report.
Check the agent version that is used by ePO. The agent version should be 3.5.5.580 or above.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score which customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?
BaseScore 2.7
  Access Vector           Remote
  Access Complexity       High
  Authentication          Not Required
  Confidentiality Impact  None
  Integrity Impact        None
  Availability Impact     Complete
  Impact Bias             Normal
Adjusted Temporal Score 2
  Exploitability          Unproven
  Remediation Level       Official Fix
  Report Confidence       Confirmed

What has McAfee done to resolve the issue?
McAfee believes in providing the most secure software to customers and has provided a new release to address this security flaw.

Where do I download the fix from?
The fix can be downloaded from: https://mysupport.mcafee.com/eservice_enu/start.swe

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of its customers. In the event a vulnerability is found within any of McAfee's software, a strong process is in place to work closely with the relevant security research group to ensure the rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

9. Resources

To submit possible vulnerabilities on any McAfee product, send email to: security@mcafee.com
For contact information, see: http://www.mcafee.com/pubs/contacts.html
For copyright, trademark attributions, and license information, see: http://www.mcafee.com/pubs/copyright.html
For patents protecting this product, see the product documentation.

10. Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRpwmvCh9+71yA2DNAQJ4ZwP/ZtcEbY5Cgt5JlZxdsFCoStrikzGwqiQX
gJduFwW6wlxR6JtVN0D5xUj70+lAvZKX08XNxOekcyqBBxlDqTej4S8/7DbW8z6Z
m48sNHxDsNaem8hb7MTSyXrXLjuz3+4UDw7jSXA0cnOlULit4rrFiJR7IzbpgEzK
BpStRc8RKM0=
=ZAs2
-----END PGP SIGNATURE-----