ESB-2018.0546 - [Win][UNIX/Linux] McAfee ePolicy Orchestrator: Multiple vulnerabilities 2018-02-23


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0546
       McAfee ePolicy Orchestrator patches multiple vulnerabilities
                             23 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           McAfee ePolicy Orchestrator
Publisher:         McAfee
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-2678 CVE-2018-2663 CVE-2018-2657
                   CVE-2018-2637 CVE-2018-2633 CVE-2018-2629
                   CVE-2018-2618 CVE-2018-2603 CVE-2018-2599
                   CVE-2018-2588 CVE-2018-2582 CVE-2018-2579

Reference:         ASB-2018.0024
                   ESB-2018.0180

Original Bulletin: 
   https://kc.mcafee.com/corporate/index?page=content&id=SB10225

- --------------------------BEGIN INCLUDED TEXT--------------------

McAfee Security Bulletin - ePolicy Orchestrator update fixes multiple Java
vulnerabilities
First Published: February 20, 2018
Impact of Vulnerability: Unauthorized Access, Denial of Service (CWE-730, OWASP 2004:A9)
 
CVE Numbers: CVE-2018-2633 CVE-2018-2637 CVE-2018-2582 CVE-2018-2618
CVE-2018-2629 CVE-2018-2603 CVE-2018-2657 CVE-2018-2599 CVE-2018-2678
CVE-2018-2588 CVE-2018-2663 CVE-2018-2579
Severity Rating: High, Medium, Low
 
CVSS v3 Base and Overall Scores:
  CVE-2018-2633: 8.3/7.2
  CVE-2018-2637: 7.4/6.4
  CVE-2018-2582: 6.5/5.7
  CVE-2018-2618: 5.9/5.2
  CVE-2018-2629: 5.3/4.6
  CVE-2018-2603: 5.3/4.6
  CVE-2018-2657: 5.3/4.6
  CVE-2018-2599: 4.8/4.2
  CVE-2018-2678: 4.3/3.8
  CVE-2018-2588: 4.3/3.8
  CVE-2018-2663: 4.3/3.8
  CVE-2018-2579: 3.7/3.2

Recommendations: Apply the hotfix specified in the Remediation table
Replacement: None

Affected Software:
• ePolicy Orchestrator (ePO) 5.3.3, 5.3.2, 5.3.1, and 5.3.0
• ePO 5.9.1 and 5.9.0
Location of updated software:
http://www.mcafee.com/us/downloads/downloads.aspx
 
Vulnerability Description
ePO is vulnerable to the Java CVEs mentioned above.
This ePO update resolves the following issues:

1) CVE-2018-2633 Difficult to exploit vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks require human interaction from a person other than the
attacker and while the vulnerability is in Java SE, attacks may significantly
impact additional products. Successful attacks of this vulnerability can result
in takeover of Java SE.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2633

2) CVE-2018-2637 Difficult to exploit vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in unauthorized creation,
deletion, or modification access to critical data or all Java SE accessible data
as well as unauthorized access to critical data or complete access to all Java
SE accessible data.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2637

3) CVE-2018-2582 Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks require human interaction from a person other than the
attacker. Successful attacks of this vulnerability can result in unauthorized
creation, deletion, or modification access to critical data or all Java SE
accessible data.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2582

4) CVE-2018-2618 Difficult to exploit vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in unauthorized access to
critical data or complete access to all Java SE accessible data.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2618

5) CVE-2018-2629 Difficult to exploit vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks require human interaction from a person other than the
attacker. Successful attacks of this vulnerability can result in unauthorized
creation, deletion, or modification access to critical data or all Java SE
accessible data.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2629

6) CVE-2018-2603 Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in unauthorized ability to
cause a partial denial of service (partial DOS) of Java SE.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2603

7) CVE-2018-2657 Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in unauthorized ability to
cause a partial denial of service (partial DOS) of Java SE.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2657

8) CVE-2018-2599 Difficult to exploit vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in unauthorized update,
insert, or delete access to some of Java SE accessible data and unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2599

9) CVE-2018-2678 Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks require human interaction from a person other than the
attacker. Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2678

10) CVE-2018-2588 Easily exploitable vulnerability allows low privileged
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in unauthorized read access
to a subset of Java SE accessible data.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2588

11) CVE-2018-2663 Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks require human interaction from a person other than the
attacker. Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2663

12) CVE-2018-2579 Difficult to exploit vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in unauthorized read access
to a subset of Java SE accessible data.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2579

Affected Components:
• ePO Java core web services

Remediation
To remediate this issue:
• Users of ePO 5.3.2 or earlier are recommended to upgrade to ePO 5.3.3
  or 5.9.1 and apply EPO5xHF1225856. 
• Users of ePO 5.3.3 are recommended to apply EPO5xHF1225856. 
• Users of ePO 5.9.0 are recommended to upgrade to ePO 5.9.1 and
  apply EPO5xHF1225856. 
• Users of ePO 5.9.1 are recommended to apply EPO5xHF1225856.

Go to the Product Downloads site and download the applicable
product hotfix files.

Download and Installation Instructions
See KB56057 for instructions on how to download McAfee products, documentation,
security updates, patches, and hotfixes. Review the Release Notes and the
Installation Guide, which you can download from the Documentation tab, for
instructions on how to install these updates.

Product Specific Notes
ePO 5.1.x reached End of Life on December 31, 2017.
McAfee highly recommends that all customers upgrade to ePO 5.3.x or 5.9.x.

Workaround
None. McAfee strongly encourages installing the latest ePO hotfix specified in
the Remediation table.

Acknowledgements
None.

1.) CVE-2018-2633: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

2.) CVE-2018-2637: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

3.) CVE-2018-2582: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

4.) CVE-2018-2618: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

5.) CVE-2018-2629: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

6.) CVE-2018-2603: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

7.) CVE-2018-2657: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

8.) CVE-2018-2599: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C

9.) CVE-2018-2678: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

10.) CVE-2018-2588: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

11.) CVE-2018-2663: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

12.) CVE-2018-2579: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector
was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
