-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2288
   McAfee Security Bulletin - Threat Intelligence Exchange Server 2.1.0
   Hotfix 2 fixes two Linux kernel vulnerabilities (CVE-2017-1000111 and
                               CVE-2017-1000112)
                             11 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           McAfee Threat Intelligence Exchange Server
Publisher:         McAfee
Operating System:  Windows
Impact/Access:     Root Compromise                 -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000112 CVE-2017-1000111
Reference:         ESB-2017.2162
                   ESB-2017.2019

Original Bulletin:
   https://kc.mcafee.com/corporate/index?page=content&id=SB10209

- --------------------------BEGIN INCLUDED TEXT--------------------

McAfee Security Bulletin - Threat Intelligence Exchange Server 2.1.0 Hotfix 2
fixes two Linux kernel vulnerabilities (CVE-2017-1000111 and CVE-2017-1000112)

Security Bulletins ID:  SB10209
Last Modified:          9/6/2017

Summary

First Published:                  9/6/2017
CVE Numbers:                      CVE-2017-1000111
                                  CVE-2017-1000112
Severity Rating:                  High
CVSS v3 Base / Temporal Scores:   CVE-2017-1000111: 7.0 / 5.9
                                  CVE-2017-1000112: 7.0 / 5.9
Recommendations:                  Install or update to Threat Intelligence
                                  Exchange (TIE) Server 2.1.0 Hotfix 2
Security Bulletin Replacement:    None
Affected Software:                TIE Server 2.1.0, 2.0.1, 2.0.0, 1.3.0,
                                  1.2.1, and 1.2.0
Location of Updated Software:     http://www.mcafee.com/us/downloads/downloads.aspx
Article contents:
   Vulnerability Description
   Remediation
   Product Specific Notes
   Frequently Asked Questions (FAQs)
   Resources
   Disclaimer

Description

This TIE Server hotfix resolves the following issues:

CVE-2017-1000111: kernel: Heap out-of-bounds in AF_PACKET sockets

A race condition issue leading to a use-after-free flaw was found in the way
raw packet sockets are implemented in the Linux kernel networking subsystem's
synchronization handling. A local user able to open a raw packet socket
(requires the CAP_NET_RAW capability) could use this flaw to elevate their
privileges on the system.

CVE-2017-1000112: kernel: Exploitable memory corruption due to UFO to non-UFO
path switch

A memory corruption issue was found in the Linux kernel. When building a UDP
Fragmentation Offload (UFO) packet with MSG_MORE, __ip_append_data() calls
ip_ufo_append_data() to append. However, in between two send() calls, the
append path can be switched from UFO to a non-UFO one, which leads to memory
corruption.

Remediation

Go to the Product Downloads site and download the applicable product hotfix
file:

Product      Type     Version          File Name                             Release Date
TIE Server   Hotfix   2.1.0 Hotfix 2   TIEServer_2.1.0.338.x86_64-MAIN.ova   September 6, 2017

Download and Installation Instructions

See KB56057 for instructions on how to download McAfee products,
documentation, security updates, patches, and hotfixes. Review the Release
Notes and the Installation Guide, which you can download from the
Documentation tab, for instructions on how to install these updates.

Product Specific Notes

CVE-2017-1000111: kernel: Heap out-of-bounds in AF_PACKET sockets

In TIE Server, there is a single user account for use by an administrator.
Additionally, no files or non-privileged processes have the CAP_NET_RAW
capability.

CVE-2017-1000112: kernel: Exploitable memory corruption due to UFO to non-UFO
path switch

In TIE Server, UDP Fragmentation Offload is disabled, as reported by ethtool.
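A defender who wants to confirm the two mitigating conditions above on a Linux host can check the effective capability set of each process (the CapEff field in /proc/<pid>/status; CAP_NET_RAW is capability bit 13) and the UFO feature flag reported by ethtool -k. The following Python script is an added example, not McAfee's or AusCERT's code; the /proc status and ethtool samples in it are constructed.

```python
"""Checks for the two mitigating conditions named above: whether any
non-root process holds CAP_NET_RAW (/proc/<pid>/status) and whether UFO is
enabled (ethtool -k). Samples below are constructed, not from a TIE Server."""

CAP_NET_RAW = 13  # bit number of CAP_NET_RAW in the Linux capability sets

def parse_status(status_text):
    """Extract (real uid, effective capability mask) from /proc/<pid>/status."""
    uid = caps = None
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Uid":
            uid = int(value.split()[0])  # first field is the real uid
        elif key == "CapEff":
            caps = int(value.strip(), 16)
    if uid is None or caps is None:
        raise ValueError("Uid or CapEff line missing")
    return uid, caps

def has_cap_net_raw(status_text):
    return bool(parse_status(status_text)[1] >> CAP_NET_RAW & 1)

def unprivileged_with_net_raw(statuses):
    """statuses: list of (pid, status_text). Return pids of non-root processes
    that hold CAP_NET_RAW and so could open a raw packet socket."""
    return [pid for pid, text in statuses
            if parse_status(text)[0] != 0 and has_cap_net_raw(text)]

def ufo_state(ethtool_k_output):
    """Parse `ethtool -k <iface>` output. True/False for UFO on/off, or None
    when the driver does not list the feature at all."""
    for line in ethtool_k_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "udp-fragmentation-offload":
            return value.split()[:1] == ["on"]  # value may be "off [fixed]"
    return None

# Constructed samples.
ROOT_STATUS = "Name:\tsshd\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
SVC_STATUS = "Name:\ttie\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n"
PING_STATUS = "Name:\tping\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000002000\n"
ETHTOOL_OFF = "Features for eth0:\nrx-checksumming: on\nudp-fragmentation-offload: off [fixed]\n"
ETHTOOL_ON = "Features for eth0:\nudp-fragmentation-offload: on\n"

SAMPLE_PROCS = [(1, ROOT_STATUS), (2, SVC_STATUS), (3, PING_STATUS)]
print("non-root pids with CAP_NET_RAW:", unprivileged_with_net_raw(SAMPLE_PROCS))  # [3]
print("UFO enabled on eth0:", ufo_state(ETHTOOL_OFF))  # False
```

On a live host, feed the script the contents of each /proc/<pid>/status and the output of ethtool -k for every interface; a non-empty pid list or a True UFO state means the corresponding mitigation McAfee describes does not hold there.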
Frequently Asked Questions (FAQs)

How do I know whether my McAfee product is vulnerable or not?

To determine which TIE Server version is currently installed, refer to the
"Verify the installation" section in the Threat Intelligence Exchange Server
Release Notes.

What is CVSS?

CVSS, or Common Vulnerability Scoring System, is the result of the National
Infrastructure Advisory Council's effort to standardize a system of assessing
the criticality of a vulnerability. This system offers an unbiased criticality
score between 0 and 10 that customers can use to judge how critical a
vulnerability is and plan accordingly. For more information, please visit the
CVSS website at: http://www.first.org/cvss/.

When calculating CVSS scores, McAfee has adopted a philosophy that fosters
consistency and repeatability. Our guiding principle for CVSS scoring is to
score the exploit under consideration by itself. We consider only the
immediate and direct impact of the exploit under consideration. We do not
factor into a score any potential follow-on exploits that might be made
possible by successful exploitation of the issue being scored.

What are the CVSS scoring metrics that have been used?

CVE-2017-1000111: kernel: Heap out-of-bounds in AF_PACKET sockets

Base Score                   7.0
Attack Vector (AV)           Local (L)
Attack Complexity (AC)       High (H)
Privileges Required (PR)     Low (L)
User Interaction (UI)        None (N)
Scope (S)                    Unchanged (U)
Confidentiality (C)          High (H)
Integrity (I)                High (H)
Availability (A)             High (H)
Temporal Score (Overall)     5.9
Exploitability (E)           Unproven (U)
Remediation Level (RL)       Official Fix (O)
Report Confidence (RC)       Reasonable (R)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:R

CVE-2017-1000112: kernel: Exploitable memory corruption due to UFO to non-UFO
path switch

Base Score                   7.0
Attack Vector (AV)           Local (L)
Attack Complexity (AC)       High (H)
Privileges Required (PR)     Low (L)
User Interaction (UI)        None (N)
Scope (S)                    Unchanged (U)
Confidentiality (C)          High (H)
Integrity (I)                High (H)
Availability (A)             High (H)
Temporal Score (Overall)     5.9
Exploitability (E)           Unproven (U)
Remediation Level (RL)       Official Fix (O)
Report Confidence (RC)       Reasonable (R)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:R

Where can I find a list of all security bulletins or how do I report a product
vulnerability?

To find a list of all security bulletins, or if you have information about a
security issue or vulnerability with a McAfee product, please visit our
product security website at:
http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx.

Resources

For Technical Support contact details:
   Go to http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport
   and select your country from the drop-down list.

Alternatively:
   Log in to the ServicePortal at https://support.mcafee.com:
      If you are a registered user, type your User Id and Password, and
      click Log In.
      If you are not a registered user, click Register and complete the
      required fields. Your password and login instructions will be emailed
      to you.

Disclaimer

The information provided in this security bulletin is provided as is without
warranty of any kind. McAfee disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose.
In no event shall McAfee or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits, or special damages, even if McAfee or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Any future product release dates mentioned in this security bulletin are
intended to outline our general product direction and they should not be
relied on in making a purchasing decision. The product release dates are for
information purposes only, and may not be incorporated into any contract. The
product release dates are not a commitment, promise, or legal obligation to
deliver any material, code, or functionality. The development, release, and
timing of any features or functionality described for our products remains at
our sole discretion and may be changed or cancelled at any time.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================