Thursday, 15 March 2012

McAfee Security Gateway patched this week for the issues I reported

Fair play to McAfee for fixing these issues, giving an accurate description of the issues and crediting me with the discovery. This is probably one of the best customer notifications I have seen from the vendors I have dealt with during my research project.

Affected Software: McAfee Email and Web Security 5.x, McAfee Email Gateway 7.0

NGS00153 – Reflected XSS
McAfee Email and Web Security Appliance Software 5.x / McAfee Email Gateway 7.0 is prone to reflected XSS, allowing an attacker to steal session tokens and run arbitrary JavaScript in the context of the administrator's browser and of the McAfee Security Appliance Management Console/Dashboard.

NGS00154 – Logout Failure (I would have called this session-management issues, but whatever)
When an administrator closes the Management Console/Dashboard without clicking Logout and returns to the Dashboard later, they appear to be logged out. However, this is only the state of the JavaScript in their browser; the session token is still active on the server side. If an attacker obtains a session cookie (via the XSS above, or by some other means), they can make a dummy login attempt with a dummy password and simply edit the (failure) response in the browser. They are then logged in and can use the Dashboard as if they had logged in as the administrator.
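
The failure mode above is general: a "logout" that only clears browser-side state leaves the server-side session alive, so any copy of the cookie (the one leaked by NGS00153 or NGS00156, for example) keeps working until the server forgets it. The following is an added illustration, not McAfee's code: a hypothetical session store and dashboard endpoint, with a `broken_flow` that mimics the closed-browser-plus-edited-response scenario and a `fixed_flow` showing server-side invalidation on logout and an idle timeout. Credentials, token format and timeout values are constructed for the example.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed credential table for the example.
USERS = {"admin": "correct horse battery staple"}


class SessionStore:
    """Server-side session table: token -> {"user", "last_seen"}."""

    def __init__(self, idle_timeout: float = 900.0):
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, dict] = {}

    def login(self, user: str, password: str, now: float) -> Optional[str]:
        """Issue a fresh random token on a correct password, None otherwise."""
        if USERS.get(user) != password:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def user_for(self, token: str, now: float) -> Optional[str]:
        """Resolve a presented cookie to a user, enforcing the idle timeout."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[token]  # expired: drop it server-side
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token: str) -> None:
        """Proper logout: the token stops working on the server, not just in the UI."""
        self._sessions.pop(token, None)


def dashboard(store: SessionStore, cookie: str, now: float) -> str:
    """Server endpoint: authorisation depends only on the cookie it receives.
    Whatever the browser's JavaScript believes about 'logged in' is irrelevant."""
    user = store.user_for(cookie, now)
    return f"200 dashboard for {user}" if user else "403 not logged in"


def broken_flow() -> str:
    """Client-side 'logout': the admin closes the page, the JS state is gone,
    but the server still has the session, so a captured cookie keeps working."""
    store = SessionStore(idle_timeout=900.0)
    token = store.login("admin", USERS["admin"], now=0.0)
    captured = token  # attacker already holds a copy (e.g. stolen via XSS)
    browser_state = {"token": token, "logged_in": True}
    browser_state.clear()  # admin closes the Dashboard without clicking Logout

    # Attacker makes a dummy login with a wrong password; the server says no...
    assert store.login("admin", "wrong-password", now=60.0) is None
    # ...but the attacker edits the failure response so the UI shows "logged in"
    browser_state.update({"token": captured, "logged_in": True})
    # and the server honours the captured cookie regardless of the UI state.
    return dashboard(store, browser_state["token"], now=60.0)


def fixed_flow() -> Tuple[str, str]:
    """Server-side invalidation: explicit logout and idle timeout both reject
    the captured cookie."""
    store = SessionStore(idle_timeout=900.0)
    token = store.login("admin", USERS["admin"], now=0.0)
    captured = token
    store.logout(token)  # the Logout button must hit this endpoint
    after_logout = dashboard(store, captured, now=60.0)

    store2 = SessionStore(idle_timeout=900.0)
    token2 = store2.login("admin", USERS["admin"], now=0.0)
    after_idle = dashboard(store2, token2, now=901.0)  # never logged out, but stale
    return after_logout, after_idle


if __name__ == "__main__":
    print("broken:", broken_flow())
    print("fixed:", fixed_flow())
```

The practical checks this suggests when testing a management console: capture the session cookie, "log out" by closing the tab, then replay the cookie with curl; and replay it again after the claimed idle timeout has elapsed. Both should return a 401/403 or a redirect to the login page.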

NGS00155 – Password Reset issue
Any logged-in user can bypass the access controls and reset the passwords of other administrators.

NGS00156 – Session Disclosure
Active session tokens of other users are disclosed within the Dashboard.

NGS00157 – Weak Encryption of Backups
Password hashes can be recovered from a system backup and easily cracked.
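
Why recovered hashes are "easily cracked" depends on how they were stored, which the advisory does not detail. The following added example (constructed here, not McAfee's code, and not a description of the appliance's actual hash format) contrasts two hypothetical backup extracts holding the same accounts: one with unsalted MD5, where a single table built from the wordlist cracks every user at once, and one with per-user salts and PBKDF2-HMAC-SHA256, where each guess has to be recomputed per user at a deliberately high cost. The wordlist, account names, passwords and salts are all constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed wordlist; a real attack uses millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "letmein", "admin123", "Summer2012"]
ITERATIONS = 50_000  # PBKDF2 work factor assumed for the hardened store

# Constructed accounts: two weak passwords, one strong one.
PLAINTEXTS = {"admin": "admin123", "helpdesk": "Summer2012", "auditor": "zK9!mQ#4rT"}


def weak_backup() -> Dict[str, str]:
    """Hypothetical store as recovered from a backup: user -> unsalted MD5 hex."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in PLAINTEXTS.items()}


def hardened_backup() -> Dict[str, Tuple[bytes, bytes]]:
    """Same accounts stored as (salt, PBKDF2-HMAC-SHA256 digest) with a per-user salt.
    Salts are derived deterministically here so the example is reproducible;
    a real system must use os.urandom(16) per user."""
    out = {}
    for i, (u, p) in enumerate(PLAINTEXTS.items()):
        salt = hashlib.sha256(f"constructed-salt-{i}".encode()).digest()[:16]
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    return out


def crack_unsalted(store: Dict[str, str]) -> Tuple[Dict[str, Optional[str]], int]:
    """One table of len(WORDLIST) MD5 hashes is reused against every user.
    Returns (user -> cracked password or None, number of hash computations)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}
    return {u: table.get(h) for u, h in store.items()}, len(WORDLIST)


def crack_salted(store: Dict[str, Tuple[bytes, bytes]]) -> Tuple[Dict[str, Optional[str]], int]:
    """Each guess must be recomputed per user (the salt defeats shared tables)
    and costs ITERATIONS HMAC evaluations. Returns (results, HMAC evaluations)."""
    result: Dict[str, Optional[str]] = {}
    hmac_ops = 0
    for u, (salt, digest) in store.items():
        result[u] = None
        for w in WORDLIST:
            hmac_ops += ITERATIONS
            candidate = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS)
            if hmac.compare_digest(candidate, digest):
                result[u] = w
                break
    return result, hmac_ops


if __name__ == "__main__":
    found, ops = crack_unsalted(weak_backup())
    print("unsalted MD5:", found, "hash ops:", ops)
    found, ops = crack_salted(hardened_backup())
    print("salted PBKDF2:", found, "HMAC ops:", ops)
```

Both stores give up the same two weak passwords to the same five-word list, so the hardened scheme is not a substitute for a password policy; what it changes is the cost per guess and the impossibility of amortising one table across all users, which is what turns "easily cracked" into a multiplier of 10^5 or more per candidate. The backup itself should also be encrypted with a key that is not stored alongside it, so that recovering the hashes requires more than reading the archive.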

NGS00158 – File Download Issue
Arbitrary file download is possible via a crafted URL when logged in as any user.

NGS00159 – File Content Leakage
File contents are disclosed as if read by the root user, when logged in as any user.