===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0169
          Multiple vulnerabilities have been identified in McAfee
                        Enterprise Security Manager
                               27 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee Enterprise Security Manager (ESM)
Operating System:     Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account            
                      Increased Privileges            -- Existing Account            
                      Denial of Service               -- Remote/Unauthenticated      
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-3632 CVE-2019-3631 CVE-2019-3630
                      CVE-2019-3629 CVE-2019-3628 CVE-2019-3623
                      CVE-2018-18258 CVE-2018-11784 CVE-2018-10858
                      CVE-2017-18258 CVE-2016-10708 CVE-2015-7704
Member content until: Saturday, July 27 2019
Reference:            ASB-2019.0128
                      ASB-2019.0122
                      ASB-2019.0117
                      ASB-2019.0110
                      ASB-2019.0033
                      ASB-2019.0010

OVERVIEW

        Multiple vulnerabilities have been identified in McAfee Enterprise 
        Security Manager (ESM). [1]


IMPACT

        The vendor has provided the following details regarding the vulnerabilities:
        
        "This Security Bulletin contains details of vulnerabilities discovered in the
        ESM code base and in third-party libraries.
        
        They range in severity from medium to high and McAfee recommends that you
        update to the latest versions. Most ESM instances have access restricted to
        local (internal) networks. To exploit these issues, attackers would first need
        to gain access to the network.
        
        Third-party libraries:
        
         1. CVE-2015-7704
            The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows
            remote attackers to cause a denial of service via a number of crafted "KOD"
            messages.
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7704
        
         2. CVE-2016-10708
            sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of
            service (NULL pointer dereference and daemon crash) via an out-of-sequence
            NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and
            packet.c.
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10708
        
         3. CVE-2018-10858
            A heap-buffer overflow was found in the way samba clients processed extra
            long filename in a directory listing. A malicious samba server could use
            this flaw to cause arbitrary code execution on a samba client. Samba
            versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.
            https://web.nvd.nist.gov/view/vuln/detail=vulnId=CVE-2018-10858
        
         4. CVE-2018-18258
            The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote
            attackers to cause a denial of service (memory consumption) via a crafted
            LZMA file, because the decoder functionality does not restrict memory usage
            to what is required for a legitimate file.
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18258
        
         5. CVE-2018-11784
            When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11,
            8.5.0 to 8.5.33, and 7.0.23 to 7.0.90 returned a redirect to a directory
            (for example, redirecting to '/foo/' when the user requested '/foo') a
            specially crafted URL could be used to cause the redirect to be generated
            to any URI of the attacker's choice.
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11784
        
        ESM code base:
        
         1. CVE-2019-3628
            Privilege escalation in McAfee Enterprise Security Manager (ESM) 11.x
            earlier than 11.2.0 allows an authenticated user to gain access to a core
            system component via incorrect access control.
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3628
            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3628
        
         2. CVE-2019-3629
            Application protection bypass vulnerability in McAfee Enterprise Security
            Manager (ESM) earlier than 11.2.0 and earlier than 10.4.0 allows an
            unauthenticated user to impersonate system users via specially crafted
            parameters.
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3629
            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3629
        
         3. CVE-2019-3630
            Command Injection vulnerability in McAfee Enterprise Security Manager (ESM)
            earlier than 11.2.0 and earlier than 10.4.0 allows an authenticated user to
            execute arbitrary code via specially crafted parameters.
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3630
            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3630
        
         4. CVE-2019-3631
            Command Injection vulnerability in McAfee Enterprise Security Manager (ESM)
            earlier than 11.2.0 and earlier than 10.4.0 allows an authenticated user to
            execute arbitrary code via specially crafted parameters.
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3631
            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3631
        
         5. CVE-2019-3632
            Directory Traversal vulnerability in McAfee Enterprise Security Manager
            (ESM) earlier than 11.2.0 and earlier than 10.4.0 allows an authenticated
            user to gain elevated privileges via crafted input.
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3632
            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3632" [1]


MITIGATION

        The vendor recommends users upgrade to the latest version to fix these issues.
        
        "Install or update to the following versions:
        
          o ESM 10.x - Upgrade to 11.2.0 or update to 10.4.0.
          o ESM 11.x - Update to 11.2.0.
        
        Go to the Product Downloads site, and download the applicable product update
        file:
        
        +-------+-------+-----+---------------------------------+-------------+
        |Product|Version|Type |File Name                        |Release Date |
        +-------+-------+-----+---------------------------------+-------------+
        |       |       |     |ESSREC_Update_11.2.0.signed.tgz  |             |
        |       |       |     |ESS_Update_11.2.0.signed.tgz     |             |
        |ESM    |11.2.0 |Minor|RECEIVER_Update_11.2.0.signed.tgz|June 25, 2019|
        |       |       |     |APM_Update_11.2.0.signed.tgz     |             |
        |       |       |     |DBM_Update_11.2.0.signed.tgz     |             |
        +-------+-------+-----+---------------------------------+-------------+
        |       |       |     |ESSREC_Update_10.4.0.signed.tgz  |             |
        |       |       |     |ESS_Update_10.4.0.signed.tgz     |             |
        |ESM    |10.4.0 |Minor|RECEIVER_Update_10.4.0.signed.tgz|June 25, 2019|
        |       |       |     |APM_Update_10.4.0.signed.tgz     |             |
        |       |       |     |DBM_Update_10.4.0.signed.tgz     |             |
        +-------+-------+-----+---------------------------------+-------------+
        [1]
        See https://kc.mcafee.com/corporate/index?page=content&id=KB56057 for
        download and installation instructions.
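        To turn the upgrade rules above into a repeatable check across an ESM
        fleet, the following is an added example (not McAfee's or AusCERT's code)
        that assesses installed ESM versions against the fixed releases the
        bulletin names, 10.4.0 for the 10.x branch and 11.2.0 for the 11.x branch.
        The hostnames and versions in the sample inventory are constructed.

```python
from typing import Dict, NamedTuple, Optional, Tuple

# Fixed releases per major branch, as stated in the bulletin's mitigation section.
# A 10.x install may alternatively upgrade to 11.2.0; the in-branch update is
# reported here as the smaller change.
FIXED: Dict[int, Tuple[int, int, int]] = {10: (10, 4, 0), 11: (11, 2, 0)}


class Assessment(NamedTuple):
    status: str                  # "affected", "fixed" or "unknown"
    recommended: Optional[str]   # version to install when affected, else None


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '11.1.3' (or a short form like '11.1') into a 3-tuple.

    Padding with zeros matters: Python compares (11, 2) as *less than*
    (11, 2, 0), which would wrongly flag a patched 11.2 host as affected.
    Raises ValueError on anything that is not a dotted numeric version.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version_text: str) -> Assessment:
    """Classify one installed version against the bulletin's fixed releases."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # Branches the bulletin does not mention cannot be judged from it.
        return Assessment("unknown", None)
    if v >= fixed:
        return Assessment("fixed", None)
    return Assessment("affected", ".".join(str(n) for n in fixed))


def check_inventory(inventory: Dict[str, str]) -> Dict[str, Assessment]:
    """Assess every host in a {hostname: version} map."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = {"esm-prod-01": "11.1.3", "esm-lab": "10.4.0",
          "esm-old": "10.3.1", "esm-legacy": "9.6.0"}

if __name__ == "__main__":
    for host, a in check_inventory(SAMPLE).items():
        hint = f" -> install {a.recommended}" if a.recommended else ""
        print(f"{host}: {a.status}{hint}")
```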


REFERENCES

        [1] McAfee Security Bulletin - SIEM update fixes multiple
            vulnerabilities (CVE-2015-7704, CVE-2016-10708, CVE-2018-10858,
            CVE-2018-11784, CVE-2018-18258, CVE-2019-3628, CVE-2019-3629,
            CVE-2019-3630, CVE-2019-3631, CVE-2019-3623)
            https://kc.mcafee.com/corporate/index?page=content&id=SB10284

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================