-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin

                           ASB-2019.0169
   Multiple vulnerabilities have been identified in McAfee Enterprise
                          Security Manager
                              27 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee Enterprise Security Manager (ESM)
Operating System:     Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Increased Privileges            -- Existing Account
                      Denial of Service               -- Remote/Unauthenticated
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-3632 CVE-2019-3631 CVE-2019-3630
                      CVE-2019-3629 CVE-2019-3628 CVE-2019-3623
                      CVE-2018-18258 CVE-2018-11784 CVE-2018-10858
                      CVE-2017-18258 CVE-2016-10708 CVE-2015-7704
Member content until: Saturday, July 27 2019
Reference:            ASB-2019.0128
                      ASB-2019.0122
                      ASB-2019.0117
                      ASB-2019.0110
                      ASB-2019.0033
                      ASB-2019.0010

OVERVIEW

        Multiple vulnerabilities have been identified in McAfee Enterprise
        Security Manager (ESM). [1]


IMPACT

        The vendor has provided the following details regarding the
        vulnerabilities:

        "This Security Bulletin contains details of vulnerabilities
        discovered in the ESM code base and in third-party libraries. They
        range in severity from medium to high and McAfee recommends that
        you update to the latest versions.

        Most ESM instances have access restricted to local (internal)
        networks. To exploit these issues, attackers would first need to
        gain access to the network.

        Third-party libraries:

        1. CVE-2015-7704
           The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before
           4.3.77 allows remote attackers to cause a denial of service via
           a number of crafted "KOD" messages.
           https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2015-7704

        2. CVE-2016-10708
           sshd in OpenSSH before 7.4 allows remote attackers to cause a
           denial of service (NULL pointer dereference and daemon crash)
           via an out-of-sequence NEWKEYS message, as demonstrated by
           Honggfuzz, related to kex.c and packet.c.
           https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2016-10708

        3. CVE-2018-10858
           A heap-buffer overflow was found in the way samba clients
           processed extra long filenames in a directory listing. A
           malicious samba server could use this flaw to cause arbitrary
           code execution on a samba client. Samba versions before 4.6.16,
           4.7.9 and 4.8.4 are vulnerable.
           https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2018-10858

        4. CVE-2018-18258
           The xz_head function in xzlib.c in libxml2 before 2.9.6 allows
           remote attackers to cause a denial of service (memory
           consumption) via a crafted LZMA file, because the decoder
           functionality does not restrict memory usage to what is
           required for a legitimate file.
           https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2017-18258

        5. CVE-2018-11784
           When the default servlet in Apache Tomcat versions 9.0.0.M1 to
           9.0.11, 8.5.0 to 8.5.33, and 7.0.23 to 7.0.90 returned a
           redirect to a directory (for example, redirecting to '/foo/'
           when the user requested '/foo') a specially crafted URL could
           be used to cause the redirect to be generated to any URI of the
           attacker's choice.
           https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2018-11784

        ESM code base:

        1. CVE-2019-3628
           Privilege escalation in McAfee Enterprise Security Manager
           (ESM) 11.x earlier than 11.2.0 allows an authenticated user to
           gain access to a core system component via incorrect access
           control.
           https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2019-3628
           https://cve.mitre.org/cgi-bin/cvename.cgi=name=CVE-2019-3628

        2. CVE-2019-3629
           Application protection bypass vulnerability in McAfee
           Enterprise Security Manager (ESM) earlier than 11.2.0 and
           earlier than 10.4.0 allows an unauthenticated user to
           impersonate system users via specially crafted parameters.
           https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2019-3629
           https://cve.mitre.org/cgi-bin/cvename.cgi=name=CVE-2019-3629

        3. CVE-2019-3630
           Command Injection vulnerability in McAfee Enterprise Security
           Manager (ESM) earlier than 11.2.0 and earlier than 10.4.0
           allows an authenticated user to execute arbitrary code via
           specially crafted parameters.
           https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2019-3630
           https://cve.mitre.org/cgi-bin/cvename.cgi=name=CVE-2019-3630

        4. CVE-2019-3631
           Command Injection vulnerability in McAfee Enterprise Security
           Manager (ESM) earlier than 11.2.0 and earlier than 10.4.0
           allows an authenticated user to execute arbitrary code via
           specially crafted parameters.
           https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2019-3631
           https://cve.mitre.org/cgi-bin/cvename.cgi=name=CVE-2019-3631

        5. CVE-2019-3632
           Directory Traversal vulnerability in McAfee Enterprise Security
           Manager (ESM) earlier than 11.2.0 and earlier than 10.4.0
           allows an authenticated user to gain elevated privileges via
           crafted input.
           https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2019-3632
           https://cve.mitre.org/cgi-bin/cvename.cgi=name=CVE-2019-3632" [1]


MITIGATION

        The vendor recommends users upgrade to the latest version to fix
        these issues.

        "Install or update to the following versions:

          o ESM 10.x - Upgrade to 11.2.0 or update to 10.4.0.
          o ESM 11.x - Update to 11.2.0.

        Go to the Product Downloads site, and download the applicable
        product update file:

        +-------+-------+-----+---------------------------------+-------------+
        |Product|Version|Type |File Name                        |Release Date |
        +-------+-------+-----+---------------------------------+-------------+
        |       |       |     |ESSREC_Update_11.2.0.signed.tgz  |             |
        |       |       |     |ESS_Update_11.2.0.signed.tgz     |             |
        |ESM    |11.2.0 |Minor|RECEIVER_Update_11.2.0.signed.tgz|June 25, 2019|
        |       |       |     |APM_Update_11.2.0.signed.tgz     |             |
        |       |       |     |DBM_Update_11.2.0.signed.tgz     |             |
        +-------+-------+-----+---------------------------------+-------------+
        |       |       |     |ESSREC_Update_10.4.0.signed.tgz  |             |
        |       |       |     |ESS_Update_10.4.0.signed.tgz     |             |
        |ESM    |10.4.0 |Minor|RECEIVER_Update_10.4.0.signed.tgz|June 25, 2019|
        |       |       |     |APM_Update_10.4.0.signed.tgz     |             |
        |       |       |     |DBM_Update_10.4.0.signed.tgz     |             |
        +-------+-------+-----+---------------------------------+-------------+

        See https://kc.mcafee.com/corporate/index?page=content&id=KB56057
        for download and installation instructions." [1]


REFERENCES

        [1] McAfee Security Bulletin - SIEM update fixes multiple
            vulnerabilities (CVE-2015-7704, CVE-2016-10708, CVE-2018-10858,
            CVE-2018-11784, CVE-2018-18258, CVE-2019-3628, CVE-2019-3629,
            CVE-2019-3630, CVE-2019-3631, CVE-2019-3623)
            https://kc.mcafee.com/corporate/index?page=content&id=SB10284

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXRQyN2aOgq3Tt24GAQj0vBAAlIjkrejuY38LrNBcwHAwhXCE4Rpkb7fw
iOjRCwGMoUcxejN6GBe5jXHtn6vLs2hT6X08fAL+ZtXwIX9odkhEKG44yWSKpZw9
GSq0cY5UZuP2aJ1KMvobzQz/tyyrmtbVSzCf8xl0/2ogC42/KbQ4aNLMx+cCnTfS
DjK9EZPfM0mliswe4Ai8qaxR4YzEAU79fMMDGMkTPpFpyUsrD5fbkV7ZpImSQbFT
IUuTGJ5twx7YgU/8ZlVLn1Xy2RSwB3W0bdyPocL+dMJ8fkGeIqS6nbzpSsW923Y6
kBbllstg8kvKIYz8ha+enGEr1QqjL7a87eTSC3Q3o0mEgHfCGT7xHcLTKgtWylT1
v2UqJxikW8V8wK90u8XTVHPayPmzd/7wVGHEnZjWpcFAWGzVwX5DOMwgo8pdSbYX
dDWHUV7troz5MHlS/Ortn8MzHcIt1sytM6X2os74YX19rBn54C8P3KgDdtanl2ex
hgc2Z6AN+TRaIxZZx0jm4akqt9wtuhQQ6cCLAy0qMxubsDQN/tHmcHDpRRfOh0bp
f0fUYuYYZJaCiyT6meJ6Tj54ljXoeH4l198fCN7cr3d+ncQYjgj1A6xgeZJ54Sk0
CHGtERyvLEXgrOiKgTBfOxTPHJgtkN6xL+OVghas41iKXyMJ+73Se2QFT0cl3uxX
N85/JBFa/Co=
=7oHF
-----END PGP SIGNATURE-----
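The MITIGATION section above gives the affected ranges as "ESM 10.x earlier than 10.4.0" and "ESM 11.x earlier than 11.2.0", with 10.4.0 (or 11.2.0) and 11.2.0 as the respective fixed releases. The script below, an added example that is not part of the AusCERT bulletin and not a McAfee or AusCERT tool, turns those two rules into an inventory check: it parses dotted ESM version strings, pads short ones so that "10.4" is not mistaken for a pre-10.4.0 build, refuses unparseable strings rather than treating them as patched, and reports branches the bulletin does not cover as out of scope rather than as safe. The host names and versions in SAMPLE_INVENTORY are constructed placeholders.

```python
"""Flag ESM instances inside the version ranges ASB-2019.0169 lists as
affected and name the fixed release from the bulletin's MITIGATION section.

Added example; not code from the bulletin, AusCERT or McAfee. The rules
below encode only what the bulletin states. Host names and versions in
SAMPLE_INVENTORY are constructed placeholders.
"""
from __future__ import annotations

from typing import NamedTuple

# First fixed release per major branch, as stated in the bulletin.
FIXED_BY_BRANCH: dict[int, tuple[int, int, int]] = {
    10: (10, 4, 0),
    11: (11, 2, 0),
}

# Wording of the bulletin's recommendation for each branch.
RECOMMENDATION: dict[int, str] = {
    10: "10.4.0 (or upgrade to 11.2.0)",
    11: "11.2.0",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.1.3' into (11, 1, 3). A build suffix after '-' (e.g.
    '11.1.3-5', an assumed format) is dropped. Unparseable input raises
    ValueError so a host is never silently recorded as patched."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


class Finding(NamedTuple):
    host: str
    version: str
    affected: bool
    recommended: str  # release to install, a scope note, or "" when current


def assess(host: str, version: str) -> Finding:
    """Apply the bulletin's per-branch rule to one inventory entry."""
    v = parse_version(version)
    major = v[0]
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        # Branches the bulletin does not mention are out of scope, not safe.
        return Finding(host, version, False, "not covered by ASB-2019.0169")
    # Pad to three components: Python compares (10, 4) < (10, 4, 0) as True,
    # which would wrongly flag a host reporting '10.4' as pre-10.4.0.
    padded = tuple(v) + (0,) * max(0, 3 - len(v))
    affected = padded < fixed
    return Finding(host, version, affected, RECOMMENDATION[major] if affected else "")


# Constructed sample inventory (placeholder host names and versions).
SAMPLE_INVENTORY: list[tuple[str, str]] = [
    ("esm-prod-01", "11.1.3"),
    ("esm-prod-02", "11.2.0"),
    ("esm-lab-01", "10.3.1"),
    ("esm-lab-02", "10.4"),
    ("esm-old-01", "9.6.0"),
]


def report(inventory: list[tuple[str, str]] = SAMPLE_INVENTORY) -> list[Finding]:
    """Assess every (host, version) pair and return the findings."""
    return [assess(host, ver) for host, ver in inventory]


if __name__ == "__main__":
    for f in report():
        if f.affected:
            status = f"UPGRADE to {f.recommended}"
        else:
            status = f.recommended or "ok"
        print(f"{f.host:<14} {f.version:<8} {status}")
```

Feed it the version strings your asset inventory or the ESM console reports; a ValueError on a host is itself a finding worth chasing, since it means the version could not be confirmed.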