ESB-2017.2288 - [Linux] McAfee Threat Intelligence Exchange Server: Multiple vulnerabilities 2017-09-11


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2288
McAfee Security Bulletin - Threat Intelligence Exchange Server 2.1.0 Hotfix
        2 fixes two Linux kernel vulnerabilities (CVE-2017-1000111
                           and CVE-2017-1000112)
                             11 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           McAfee Threat Intelligence Exchange Server
Publisher:         McAfee
Operating System:  Linux (TIE Server virtual appliance)
Impact/Access:     Root Compromise                 -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000112 CVE-2017-1000111 

Reference:         ESB-2017.2162
                   ESB-2017.2019

Original Bulletin: 
   https://kc.mcafee.com/corporate/index?page=content&id=SB10209

- --------------------------BEGIN INCLUDED TEXT--------------------

McAfee Security Bulletin - Threat Intelligence Exchange Server 2.1.0 Hotfix 2
fixes two Linux kernel vulnerabilities (CVE-2017-1000111 and CVE-2017-1000112)

Security Bulletins ID: SB10209

Last Modified: 9/6/2017

Summary

First Published: 9/6/2017

CVE Numbers: 

CVE-2017-1000111

CVE-2017-1000112

Severity Rating: High

CVSS v3 Base / Temporal Scores: 

CVE-2017-1000111: 7.0 / 5.9

CVE-2017-1000112: 7.0 / 5.9

Recommendations: Install or update to Threat Intelligence Exchange (TIE) 
Server 2.1.0 Hotfix 2

Security Bulletin Replacement: None

Affected Software: TIE Server 2.1.0, 2.0.1, 2.0.0, 1.3.0, 1.2.1, and 1.2.0

Location of Updated Software: 
http://www.mcafee.com/us/downloads/downloads.aspx

Article contents:

Vulnerability Description

Remediation

Product Specific Notes

Frequently Asked Questions (FAQs)

Resources

Disclaimer

Description

This TIE Server hotfix resolves the following issues:

CVE-2017-1000111: kernel: Heap out-of-bounds in AF_PACKET sockets

A race condition leading to a use-after-free flaw was found in the way the 
Linux kernel networking subsystem synchronizes state on raw packet (AF_PACKET) 
sockets. A local user able to open a raw packet socket (which requires the 
CAP_NET_RAW capability) could use this flaw to elevate their privileges on the 
system.

CVE-2017-1000112: kernel: Exploitable memory corruption due to UFO to non-UFO
path switch

A memory corruption issue was found in the Linux kernel. When building a UDP 
Fragmentation Offload (UFO) packet with MSG_MORE, __ip_append_data() calls 
ip_ufo_append_data() to append the data. However, between two send() calls 
the append path can switch from UFO to non-UFO, which leads to memory 
corruption. A local user could use this flaw to elevate their privileges on 
the system.

Remediation

Go to the Product Downloads site and download the applicable product hotfix 
file:

Product      Type     Version           File Name                             Release Date
TIE Server   Hotfix   2.1.0 Hotfix 2    TIEServer_2.1.0.338.x86_64-MAIN.ova   September 6, 2017

Download and Installation Instructions

See KB56057 for instructions on how to download McAfee products, 
documentation, security updates, patches, and hotfixes. Review the Release 
Notes and the Installation Guide, which you can download from the 
Documentation tab, for instructions on how to install these updates.

Product Specific Notes

CVE-2017-1000111: kernel: Heap out-of-bounds in AF_PACKET sockets

In TIE Server there is a single user account, used by the administrator. 
Additionally, no files and no unprivileged processes carry the CAP_NET_RAW 
capability, so a local attacker has no path to the raw packet socket the flaw 
requires.

CVE-2017-1000112: kernel: Exploitable memory corruption due to UFO to non-UFO
path switch

In TIE Server, UDP Fragmentation Offload is disabled, as reported by ethtool.
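
Both product-specific notes above are claims an operator can verify on the appliance (or on any other Linux host carrying these kernel bugs). The script below is an added example, not McAfee code: it decodes the capability masks in /proc/<pid>/status and the security.capability xattr that getcap(8) reads to find CAP_NET_RAW on unprivileged processes and on files, and parses the ethtool -k feature list for udp-fragmentation-offload. The sample inputs in the comments and tests are constructed; the live audit needs root to see every process and file, and ethtool must be installed.

```python
"""Check the two mitigating conditions McAfee cites for TIE Server:
(1) no file and no unprivileged process carries CAP_NET_RAW, and
(2) UDP Fragmentation Offload is off on every NIC as reported by ethtool.
Added example, not McAfee code. Runs on any Linux host; the live audit
needs root to read every /proc/<pid>/status and every file's xattrs."""
import os
import struct
import subprocess

CAP_NET_RAW = 13                    # bit index, from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000  # top byte of magic_etc in struct vfs_cap_data


def has_cap_net_raw(mask_hex: str) -> bool:
    """True if CAP_NET_RAW is set in a hex capability mask such as the
    CapEff/CapPrm value printed in /proc/<pid>/status (e.g. 0000003fffffffff)."""
    return bool((int(mask_hex, 16) >> CAP_NET_RAW) & 1)


def parse_status(status_text: str) -> dict:
    """Pull the effective UID and the capability masks out of /proc/<pid>/status."""
    info = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Uid":
            # Uid: real, effective, saved, filesystem
            info["euid"] = int(value.split()[1])
        elif key in ("CapPrm", "CapEff", "CapBnd"):
            info[key] = value.strip()
    return info


def unprivileged_with_cap_net_raw(status_text: str) -> bool:
    """True for a non-root process whose permitted or effective set includes
    CAP_NET_RAW. Root processes hold the full set by default and are skipped,
    matching McAfee's "non-privileged processes" wording."""
    info = parse_status(status_text)
    if info.get("euid", 0) == 0:
        return False
    return any(has_cap_net_raw(info[k]) for k in ("CapEff", "CapPrm") if k in info)


def file_has_cap_net_raw(xattr: bytes) -> bool:
    """Decode a security.capability xattr (struct vfs_cap_data: little-endian
    u32 magic_etc, then {permitted, inheritable} u32 pairs) and report whether
    CAP_NET_RAW is in the permitted set. This is the data getcap(8) reads."""
    if len(xattr) < 12:
        return False
    magic_etc, permitted_lo = struct.unpack_from("<II", xattr, 0)
    if (magic_etc & VFS_CAP_REVISION_MASK) not in (0x01000000, 0x02000000, 0x03000000):
        return False
    return bool((permitted_lo >> CAP_NET_RAW) & 1)  # bit 13 lives in the low word


def ufo_state(ethtool_k_output: str):
    """Return 'on' or 'off' from `ethtool -k <iface>` output, or None when the
    feature line is absent (kernels from 4.14 onward dropped UFO entirely).
    Sample line: 'udp-fragmentation-offload: off [fixed]'."""
    for line in ethtool_k_output.splitlines():
        name, _, value = line.partition(":")
        if name.strip() == "udp-fragmentation-offload":
            parts = value.split()
            return parts[0] if parts else None  # drop the trailing "[fixed]" marker
    return None


def audit_live_system(search_roots=("/bin", "/sbin", "/usr", "/opt")) -> dict:
    """Apply the checks to the running host. Any PID or file listed, or a UFO
    state of 'on', contradicts the mitigating conditions in the bulletin."""
    findings = {"cap_net_raw_pids": [], "cap_net_raw_files": [], "ufo": {}}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as fh:
                if unprivileged_with_cap_net_raw(fh.read()):
                    findings["cap_net_raw_pids"].append(int(pid))
        except OSError:
            continue  # process exited or unreadable
    for top in search_roots:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    xattr = os.getxattr(path, "security.capability", follow_symlinks=False)
                except OSError:
                    continue  # ENODATA: no file capabilities set
                if file_has_cap_net_raw(xattr):
                    findings["cap_net_raw_files"].append(path)
    for iface in os.listdir("/sys/class/net"):
        try:
            out = subprocess.run(["ethtool", "-k", iface], capture_output=True,
                                 text=True, check=False).stdout
        except OSError:  # ethtool not installed
            break
        findings["ufo"][iface] = ufo_state(out)
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(audit_live_system(), indent=2))
```

Run it as root with `python3 audit_tie_mitigations.py`; an empty pid and file list plus `"off"` for every interface reproduces what McAfee states. Note that the process check only covers processes alive at that moment, and that a file capability on a binary nobody runs is still a finding, since any local user could execute it.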

Frequently Asked Questions (FAQs)

How do I know whether my McAfee product is vulnerable or not?

To determine which TIE Server version is currently installed, refer to the 
"Verify the installation" section in the Threat Intelligence Exchange Server 
Release Notes.

What is CVSS?

CVSS, or Common Vulnerability Scoring System, is the result of the National 
Infrastructure Advisory Council's effort to standardize a system of assessing 
the criticality of a vulnerability. This system offers an unbiased criticality
score between 0 and 10 that customers can use to judge how critical a 
vulnerability is and plan accordingly. For more information, please visit the
CVSS website at: http://www.first.org/cvss/.

When calculating CVSS scores, McAfee has adopted a philosophy that fosters 
consistency and repeatability. Our guiding principle for CVSS scoring is to 
score the exploit under consideration by itself. We consider only the 
immediate and direct impact of the exploit under consideration. We do not 
factor into a score any potential follow-on exploits that might be made 
possible by successful exploitation of the issue being scored.

What are the CVSS scoring metrics that have been used?

CVE-2017-1000111: kernel: Heap out-of-bounds in AF_PACKET sockets

Base Score 7.0

Attack Vector (AV) Local (L)

Attack Complexity (AC) High (H)

Privileges Required (PR) Low (L)

User Interaction (UI) None (N)

Scope (S) Unchanged (U)

Confidentiality (C) High (H)

Integrity (I) High (H)

Availability (A) High (H)

Temporal Score (Overall) 5.9

Exploitability (E) Unproven (U)

Remediation Level (RL) Official Fix (O)

Report Confidence (RC) Reasonable (R)

NOTE: The CVSS version 3.0 vector below was used to generate this score.

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:R

CVE-2017-1000112: kernel: Exploitable memory corruption due to UFO to non-UFO
path switch

Base Score 7.0

Attack Vector (AV) Local (L)

Attack Complexity (AC) High (H)

Privileges Required (PR) Low (L)

User Interaction (UI) None (N)

Scope (S) Unchanged (U)

Confidentiality (C) High (H)

Integrity (I) High (H)

Availability (A) High (H)

Temporal Score (Overall) 5.9

Exploitability (E) Unproven (U)

Remediation Level (RL) Official Fix (O)

Report Confidence (RC) Reasonable (R)

NOTE: The CVSS version 3.0 vector below was used to generate this score.

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:R

Where can I find a list of all security bulletins or how do I report a product
vulnerability?

To find a list of all security bulletins, or if you have information about a 
security issue or vulnerability with a McAfee product, please visit our 
product security website at: 
http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx.

Resources

For Technical Support contact details:

Go to http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport and 
select your country from the drop-down list.

Alternatively:

Log in to the ServicePortal at https://support.mcafee.com:

If you are a registered user, type your User Id and Password, and click Log 
In.

If you are not a registered user, click Register and complete the required 
fields. Your password and login instructions will be emailed to you.

Disclaimer

The information provided in this security bulletin is provided as is without 
warranty of any kind. McAfee disclaims all warranties, either express or 
implied, including the warranties of merchantability and fitness for a 
particular purpose. In no event shall McAfee or its suppliers be liable for 
any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits, or special damages, even if McAfee or its suppliers
have been advised of the possibility of such damages. Some states do not allow
the exclusion or limitation of liability for consequential or incidental 
damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this security bulletin are 
intended to outline our general product direction and they should not be 
relied on in making a purchasing decision. The product release dates are for 
information purposes only, and may not be incorporated into any contract. The
product release dates are not a commitment, promise, or legal obligation to 
deliver any material, code, or functionality. The development, release, and 
timing of any features or functionality described for our products remains at
our sole discretion and may be changed or cancelled at any time.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
