Date: 04 December 2012
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0170
A number of vulnerabilities have been identified in McAfee Email Gateway
4 December 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              McAfee Email Gateway (MEG) 7.0
                      McAfee Email Gateway (MEG) 7.0.1
                      McAfee Email Gateway (MEG) 7.0.2
Operating System:     Network Appliance
                      VMWare ESX Server
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
                      Denial of Service -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Thursday, January 3 2013
OVERVIEW
A number of vulnerabilities have been identified in McAfee Email
Gateway (MEG) prior to version 7.0.2 Hotfix 116. [1]
IMPACT
The vendor has provided the following details regarding these
vulnerabilities:
"Cross-Site Scripting
The MEG 7.x Secure Web Delivery Client does not correctly handle email
attachment names, allowing specifically named files to execute as
scripts. A successful attack could invoke JavaScript when the webmail
user subsequently accesses their draft messages.
A malicious email can be constructed that results in an end-user
signing into a secure webmail account and running an arbitrary
JavaScript fragment when interacting with the message attachments.
The interaction can be as simple as hovering over the attachment.
Note that the invocation of this attack is limited by the need to
highjack an active session cookie.
Denial of Service
MEG 7.x does not correctly verify administrative settings for
generating email via the Secure Web Mail Client. This allows a user
who would normally be unable to compose, forward, or reply to
messages the ability to generate messages on the Appliance.
The unauthorized generation of many messages could cause a potential
Denial of Service (DoS) if the messages consume all available disk
space. Note that the severity of this attack is limited by the need
to highjack an active session cookie." [1]
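The defect class the vendor describes above, shown as an added example that is not code from the bulletin or from McAfee: a webmail attachment list rendered by splicing the sender-controlled file name straight into markup (including the tooltip attribute shown on hover), beside a form that escapes the name for both the text and the attribute context. The attachment objects, field names and sample file name are constructed for illustration.

```javascript
// Added example (not from the AusCERT bulletin or McAfee): rendering
// untrusted attachment names in a webmail attachment list.  The name is
// chosen by the sender, so it must be treated as data wherever it lands.

// Escape the characters that carry meaning in HTML text content and in
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form: the sender-controlled name is concatenated into markup
// unescaped, both as visible text and as the title attribute a browser
// shows when the user hovers over the entry.
function renderAttachmentsUnsafe(attachments) {
  return attachments
    .map((a) => `<li title="${a.name}">${a.name} (${a.size} bytes)</li>`)
    .join("");
}

// Hardened form: every untrusted value is escaped for the context it is
// placed in, and the size is coerced to an integer so it cannot carry
// markup either.
function renderAttachmentsSafe(attachments) {
  return attachments
    .map((a) => {
      const name = escapeHtml(a.name);
      const size = Number.parseInt(a.size, 10) || 0;
      return `<li title="${name}">${name} (${size} bytes)</li>`;
    })
    .join("");
}

// Constructed sample: an attachment whose name contains markup characters.
const SAMPLE_ATTACHMENTS = [
  { name: 'quarterly"<b>report</b>.pdf', size: 1024 },
];
```

In the hardened output the name survives as literal text (`&lt;b&gt;report&lt;/b&gt;`) and the quote inside the tooltip is `&quot;`, so it cannot terminate the attribute; the unsafe output contains the raw tags.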
MITIGATION
The vendor recommends updating to the latest version of McAfee Email
Gateway (MEG) to correct these issues. [1]
REFERENCES
[1] McAfee Security Bulletin - MEG 7.0.2 Hotfix resolves multiple issues
    https://kc.mcafee.com/corporate/index?page=content&id=SB10037
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================