===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0075
          McAfee Security Bulletin - Network Data Loss Prevention
                    update fixes seven vulnerabilities
                                18 May 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee Network Data Loss Prevention (NDLP)
Operating System:     Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account            
                      Modify Permissions              -- Existing Account            
                      Cross-site Scripting            -- Existing Account            
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Existing Account            
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-4017 CVE-2017-4016 CVE-2017-4015
                      CVE-2017-4014 CVE-2017-4013 CVE-2017-4012
                      CVE-2017-4011  
Member content until: Saturday, June 17 2017

OVERVIEW

        McAfee has released a hotfix for Network Data Loss Prevention (NDLP)
        9.3.4.1.4 that fixes seven vulnerabilities on the VM, 4400, and 5500
        platforms. [1]


IMPACT

        The vendor has provided the following information about the
        vulnerabilities:
        
        "This patch remediates the following issues:
        
        CVE-2017-4011: Embedding Script (XSS) in HTTP Headers vulnerability
        in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x 
        allows remote attackers to get session/cookie information via 
        modification of the HTTP request.
        
        CVE-2017-4012: Privilege Escalation vulnerability in the server in 
        McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote 
        authenticated users to view confidential information via 
        modification of the HTTP request.
        
        CVE-2017-4013: Banner Disclosure in the server in McAfee Network 
        Data Loss Prevention (NDLP) 9.3.x allows remote attackers to obtain
        product information via HTTP response header.
        
        CVE-2017-4014: Session Side jacking vulnerability in the server in 
        McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote 
        authenticated users to view, add, and remove users via modification
        of the HTTP request.
        
        CVE-2017-4015: Clickjacking vulnerability in the server in McAfee 
        Network Data Loss Prevention (NDLP) 9.3.x allows remote 
        authenticated users to inject arbitrary web script or HTML via HTTP
        response header.
        
        CVE-2017-4016: Web Server method disclosure in the server in McAfee
        Network Data Loss Prevention (NDLP) 9.3.x allows remote attackers to
        exploit and find another hole via the HTTP response header.
        
        CVE-2017-4017: User Name Disclosure in the server in McAfee Network
        Data Loss Prevention (NDLP) 9.3.x allows remote attackers to view 
        user information via the appliance web interface." [1]
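
        Five of the seven issues above are visible in the HTTP response
        headers of the appliance web interface (framing, banner, allowed
        methods, session cookie flags). The following added check, which is
        not McAfee's or AusCERT's code, audits a captured response head for
        those weaknesses; the sample response and the "ExampleAppServer"
        banner are constructed, not captured from an NDLP appliance.

```python
from typing import List, Tuple

# Methods whose presence in an Allow header is worth flagging to the appliance owner.
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE"}

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw: str) -> List[str]:
    """Return one finding per header-level weakness; an empty list means clean."""
    hdrs = parse_headers(raw)
    findings: List[str] = []
    def get(name: str) -> List[str]:
        return [v for k, v in hdrs if k == name]
    # Clickjacking (CVE-2017-4015 class): nothing stops another origin framing the page.
    csp = " ".join(get("content-security-policy"))
    if not get("x-frame-options") and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    # Banner disclosure (CVE-2017-4013 class): version string in Server/X-Powered-By.
    for v in get("server") + get("x-powered-by"):
        if any(ch.isdigit() for ch in v):
            findings.append(f"banner disclosure: version string in '{v}'")
    # Method disclosure (CVE-2017-4016 class): Allow advertises verbs the UI never needs.
    for v in get("allow"):
        risky = RISKY_METHODS & {m.strip().upper() for m in v.split(",")}
        if risky:
            findings.append(f"method disclosure: {sorted(risky)} advertised in Allow")
    # Session cookie exposure (CVE-2017-4011/4014 classes): cookie readable by script or sent in clear.
    for v in get("set-cookie"):
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        missing = [f for f in ("httponly", "secure") if f not in attrs]
        if missing:
            findings.append(f"cookie '{v.split('=', 1)[0]}' lacks {missing}")
    return findings

# Constructed sample resembling an unhardened appliance web UI (not a real capture).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleAppServer/4.2\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n\r\n<html></html>"
)
```

        Feed it the response head captured from your own appliance's login
        page before and after applying the hotfix; each finding names the
        vulnerability class it corresponds to.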


MITIGATION

        The vendor recommends applying the relevant hotfix to address these issues.
        
        "Apply NDLP Hotfix "hotfix_1193129_47810_01" to NDLP 9.3.4.1.4.
        
        Go to the Product Downloads site and download the applicable product hotfix file:
         
        Product  Type    Version                  File Name                       Release Date
        NDLP     Hotfix  hotfix_1193129_47810_01  hotfix_1193129_47810_01.tar.gz  May 16, 2017." [1]


REFERENCES

        [1] McAfee Security Bulletin - Network Data Loss Prevention update
            fixes seven vulnerabilities
            https://kc.mcafee.com/corporate/index?page=content&id=SB10198

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================