===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2593
Security Bulletin - Policy Auditor update fixes multiple vulnerabilities in
    third-party libraries (CVE-2016-0718, CVE-2016-4472, CVE-2016-5300,
      CVE-2017-17740, CVE-2017-9287, CVE-2019-13057, CVE-2020-15719,
CVE-2019-1543, CVE-2019-1547, CVE-2019-1552, CVE-2019-1563, CVE-2019-8457,
 CVE-2018-20506, CVE-2018-20346, CVE-2019-16168, CVE-2017-12627) (SB10365)
                               2 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           McAfee Policy Auditor
Publisher:         McAfee
Operating System:  Windows
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Modify Arbitrary Files          -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15719 CVE-2019-16168 CVE-2019-13057
                   CVE-2019-8457 CVE-2019-1563 CVE-2019-1552
                   CVE-2019-1547 CVE-2019-1543 CVE-2018-20506
                   CVE-2018-20346 CVE-2017-17740 CVE-2017-12627
                   CVE-2017-9287 CVE-2016-5300 CVE-2016-4472
                   CVE-2016-0718 CVE-2015-2716 CVE-2015-1283
                   CVE-2012-0876  

Reference:         ASB-2020.0190
                   ASB-2020.0087
                   ESB-2021.2515
                   ESB-2021.1679
                   ESB-2019.4148

Original Bulletin: 
   https://kc.mcafee.com/corporate/index?page=content&id=SB10365

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletins ID   : SB10365

Last Modified           : 7/30/2021

Summary

First Published: July 30, 2021
+-----------------------+--------------+--------------+-------------+---------+
|                       |Impacted      |              |Severity     |CVSS v3.1|
|Product:               |Versions:     |CVE ID:       |Ratings:     |Base     |
|                       |              |              |             |Scores:  |
+-----------------------+--------------+--------------+-------------+---------+
|Policy Auditor (PA)    |Prior to 6.5.1|CVE-2016-0718 |Critical     |9.8      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2016-4472 |High         |8.1      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2016-5300 |High         |7.5      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2017-17740|High         |7.5      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2017-9287 |Medium       |6.5      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-13057|Medium       |4.9      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2020-15719|Medium       |4.2      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-1543 |High         |7.4      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-1547 |Medium       |4.7      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-1552 |Low          |3.3      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-1563 |Low          |3.7      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-8457 |Critical     |9.8      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2018-20506|High         |8.1      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2018-20346|High         |8.1      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-16168|Medium       |6.5      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2017-12627|Critical     |9.8      |
+-----------------------+--------------+--------------+-------------+---------+
|Recommendations:       |Update to Policy Auditor 6.5.1                       |
+-----------------------+-----------------------------------------------------+
|Security Bulletin      |None                                                 |
|Replacement:           |                                                     |
+-----------------------+-----------------------------------------------------+
|Location of updated    |Product Downloads site                               |
|software:              |                                                     |
+-----------------------+-----------------------------------------------------+

To receive email notification when this Security Bulletin is updated, click
Subscribe on the right side of the page. You must be logged on to subscribe.

Article contents:

  o Vulnerability Description
  o Remediation
  o Frequently Asked Questions (FAQs)
  o Resources
  o Disclaimer

Vulnerability Description
PA 6.5.1 contains updates for five third-party libraries. These updates are
grouped by library and ordered by CVSS rating.

Expat XML Parser:

 1. CVE-2016-0718
    Expat allows context-dependent attackers to cause a denial of service
    (crash) or possibly execute arbitrary code via a malformed input document,
    which triggers a buffer overflow.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
 2. CVE-2016-4472
    The overflow protection in Expat is removed by compilers with certain
    optimization settings, which allows remote attackers to cause a denial of
    service (crash) or possibly execute arbitrary code via crafted XML data.
    NOTE: This vulnerability exists because of an incomplete fix for
    CVE-2015-1283 and CVE-2015-2716.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472
 3. CVE-2016-5300
    The XML parser in Expat does not use sufficient entropy for hash
    initialization, which allows context-dependent attackers to cause a denial
    of service (CPU consumption) via crafted identifiers in an XML document.
    NOTE: This vulnerability exists because of an incomplete fix for
    CVE-2012-0876.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300

OpenLDAP:

 4. CVE-2017-17740
    contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the
    nops module and the memberof overlay are enabled, attempts to free a buffer
    that was allocated on the stack, which allows remote attackers to cause a
    denial of service (slapd crash) via a member MODDN operation.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
 5. CVE-2017-9287
    servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a
    double free vulnerability. A user with access to search the directory can
    crash slapd by issuing a search including the Paged Results control with a
    page size of 0.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9287
 6. CVE-2019-13057
    An issue was discovered in the server in OpenLDAP before 2.4.48. When the
    server administrator delegates rootDN (database admin) privileges for
    certain databases but wants to maintain isolation (e.g., for multi-tenant
    deployments), slapd does not properly stop a rootDN from requesting
    authorization as an identity from another database during a SASL bind or
    with a proxyAuthz (RFC 4370) control. (It is not a common configuration to
    deploy a system where the server administrator and a DB administrator enjoy
    different levels of trust.)
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13057
 7. CVE-2020-15719
    libldap in certain third-party OpenLDAP packages has a
    certificate-validation flaw when the third-party package is asserting
    RFC6125 support. It considers CN even when there is a non-matching
    subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8
    in Red Hat Enterprise Linux.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15719
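
The RFC 6125 point in item 7 above, as an added illustration that is not part
of the McAfee bulletin and not OpenLDAP's code: a reference-identity matcher
that ignores the CN once any dNSName SAN is present, beside a switch that
reproduces the flawed CN fallback the bulletin describes. The certificate
dicts and the function names are constructed stand-ins for parsed X.509 data.

```python
# Added example (not OpenLDAP or McAfee code): hostname verification per
# RFC 6125 beside the CN-fallback behaviour described for CVE-2020-15719.
# Certificates are modelled as plain dicts, a constructed stand-in for parsed
# X.509 data, so the logic runs offline without a TLS library.


def identifier_matches(presented: str, hostname: str) -> bool:
    """Match one presented identifier (a SAN dNSName or the CN) against the
    reference hostname. A wildcard is honoured only as the whole left-most
    label and never in a two-label name, so '*.example.org' matches
    'ldap.example.org' but neither 'example.org' nor 'a.b.example.org'
    (RFC 6125 section 6.4.3). Comparison is case-insensitive."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str, rfc6125: bool = True) -> bool:
    """Return True when `hostname` is a valid reference identity for `cert`.

    cert is a constructed dict: {"san_dns": [dNSName, ...], "cn": str or None}

    rfc6125=True  -> correct behaviour: once any dNSName SAN is present the
                     CN is never consulted, so a non-matching SAN is a reject.
    rfc6125=False -> the flawed order the bulletin describes for
                     CVE-2020-15719: the CN is still tried after a SAN mismatch.
    """
    san_dns = cert.get("san_dns") or []
    cn = cert.get("cn")
    if any(identifier_matches(name, hostname) for name in san_dns):
        return True
    if san_dns and rfc6125:
        return False  # SAN present, nothing matched: CN must not rescue it
    return cn is not None and identifier_matches(cn, hostname)


if __name__ == "__main__":
    # Constructed certificate: the SAN names one host, the CN another.
    cert = {"san_dns": ["ldap.example.org"], "cn": "ldap.example.net"}
    print(match_hostname(cert, "ldap.example.net"))                 # False
    print(match_hostname(cert, "ldap.example.net", rfc6125=False))  # True
```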

OpenSSL:

 8. CVE-2019-1543
    ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
    every encryption operation. RFC 7539 specifies that the nonce value (IV)
    should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
    front pads the nonce with 0 bytes if it is less than 12 bytes. However it
    also incorrectly allows a nonce to be set of up to 16 bytes. In this case
    only the last 12 bytes are significant and any additional leading bytes are
    ignored. It is a requirement of using this cipher that nonce values are
    unique. Messages encrypted using a reused nonce value are susceptible to
    serious confidentiality and integrity attacks. If an application changes
    the default nonce length to be longer than 12 bytes and then makes a change
    to the leading bytes of the nonce expecting the new value to be a new
    unique nonce then such an application could inadvertently encrypt messages
    with a reused nonce. Additionally the ignored bytes in a long nonce are not
    covered by the integrity guarantee of this cipher. Any application that
    relies on the integrity of these ignored leading bytes of a long nonce may
    be further affected. Any OpenSSL internal use of this cipher, including in
    SSL/TLS, is safe because no such use sets such a long nonce value. However
    user applications that use this cipher directly and set a non-default nonce
    length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1
    and 1.1.0 are affected by this issue. Due to the limited scope of affected
    deployments this has been assessed as low severity and therefore we are not
    creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected
    1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543
 9. CVE-2019-1547
    Normally in OpenSSL EC groups always have a co-factor present and this is
    used in side channel resistant code paths. However, in some cases, it is
    possible to construct a group using explicit parameters (instead of using a
    named curve). In those cases it is possible that such a group does not have
    the cofactor present. This can occur even where all the parameters match a
    known named curve. If such a curve is used then OpenSSL falls back to
    non-side channel resistant code paths which may result in full key recovery
    during an ECDSA signature operation. In order to be vulnerable an attacker
    would have to have the ability to time the creation of a large number of
    signatures where explicit parameters with no co-factor present are in use
    by an application using libcrypto. For the avoidance of doubt libssl is not
    vulnerable because explicit parameters are never used. Fixed in OpenSSL
    1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected
    1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547
10. CVE-2019-1563
    In situations where an attacker receives automated notification of the
    success or failure of a decryption attempt an attacker, after sending a
    very large number of messages to be decrypted, can recover a CMS/PKCS7
    transported encryption key or decrypt any RSA encrypted message that was
    encrypted with the public RSA key, using a Bleichenbacher padding oracle
    attack. Applications are not affected if they use a certificate together
    with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to
    select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d
    (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k).
    Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563
11. CVE-2019-1552
    OpenSSL has internal defaults for a directory tree where it can find a
    configuration file as well as certificates used for verification in TLS.
    This directory is most commonly referred to as OPENSSLDIR, and is
    configurable with the --prefix / --openssldir configuration options. For
    OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume
    that resulting programs and libraries are installed in a Unix-like
    environment and the default prefix for program installation as well as for
    OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows
    programs, and as such, find themselves looking at sub-directories of 'C:/
    usr/local', which may be world writable, which enables untrusted users to
    modify OpenSSL's default configuration, insert CA certificates, modify (or
    even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/
    ssl' is used as default for OPENSSLDIR on all Unix and Windows targets,
    including Visual C builds. However, some build instructions for the diverse
    Windows targets on 1.0.2 encourage you to specify your own --prefix.
    OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to
    the limited scope of affected deployments this has been assessed as low
    severity and therefore we are not creating new releases at this time. Fixed
    in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l
    (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1552
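
The nonce-length behaviour in item 8 above, as an added illustration that is
not OpenSSL's code and not part of the bulletin: a model of the effective
12-byte nonce as the bulletin describes it (front-padded with zero bytes when
short, trailing 12 bytes when long), plus a per-key guard that detects the
resulting reuse before anything is encrypted. The NonceGuard class and the
counter-in-leading-bytes scenario are constructed for this example.

```python
# Added example (not OpenSSL code): models the effective-nonce rule described
# for CVE-2019-1543 and shows a guard that catches the reuse it can cause.

NONCE_LEN = 12     # RFC 7539 nonce size in bytes
MAX_ACCEPTED = 16  # the over-long length the affected versions accepted


def effective_nonce(nonce: bytes) -> bytes:
    """The 12 bytes the cipher actually used in the affected versions, as the
    bulletin describes it: shorter nonces are front-padded with zero bytes;
    for longer ones only the trailing 12 bytes are significant."""
    if not 1 <= len(nonce) <= MAX_ACCEPTED:
        raise ValueError("nonce length outside 1..16 bytes")
    if len(nonce) < NONCE_LEN:
        return nonce.rjust(NONCE_LEN, b"\x00")
    return nonce[-NONCE_LEN:]


class NonceGuard:
    """Per-key nonce bookkeeping to run before each encryption (constructed
    helper, not an OpenSSL API).
    strict=True (recommended): accept only exactly 12-byte nonces.
    strict=False: accept what the affected versions accepted, but still
    detect reuse on the effective nonce."""

    def __init__(self, strict: bool = True):
        self.strict = strict
        self._seen = set()

    def check(self, nonce: bytes) -> bool:
        """Return True if this nonce is fresh for the key, False on reuse."""
        if self.strict and len(nonce) != NONCE_LEN:
            raise ValueError("nonce must be exactly 12 bytes")
        eff = effective_nonce(nonce)
        if eff in self._seen:
            return False
        self._seen.add(eff)
        return True


def counter_in_leading_bytes_collides() -> bool:
    """The pattern the bulletin warns about: an application keeps a 16-byte
    nonce and bumps a counter in the leading 4 bytes. Both values collapse
    to the same effective nonce, so the second message would reuse it."""
    body = bytes(range(12))  # constructed fixed tail of the nonce
    guard = NonceGuard(strict=False)
    first = guard.check((1).to_bytes(4, "big") + body)
    second = guard.check((2).to_bytes(4, "big") + body)
    return first and not second


if __name__ == "__main__":
    print(counter_in_leading_bytes_collides())  # True
```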

SQLite:

12. CVE-2019-8457
    SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap
    out-of-bound read in the rtreenode() function when handling invalid rtree
    tables.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
13. CVE-2018-20346
    SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an
    integer overflow (and resultant buffer overflow) for FTS3 queries that
    occur after crafted changes to FTS3 shadow tables, allowing remote
    attackers to execute arbitrary code by leveraging the ability to run
    arbitrary SQL statements (such as in certain WebSQL use cases), aka
    Magellan.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20346
14. CVE-2018-20506
    SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an
    integer overflow (and resultant buffer overflow) for FTS3 queries in a
    "merge" operation that occurs after crafted changes to FTS3 shadow tables,
    allowing remote attackers to execute arbitrary code by leveraging the
    ability to run arbitrary SQL statements (such as in certain WebSQL use
    cases). This is a different vulnerability than CVE-2018-20346.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20506
15. CVE-2019-16168
    In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a
    browser or other application because of missing validation of a
    sqlite_stat1 sz field, aka a "severe division by zero in the query
    planner."
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168

Xerces:

16. CVE-2017-12627
    In Apache Xerces-C XML Parser library before 3.2.1, processing of external
    DTD paths can result in a null pointer dereference under certain
    conditions.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12627

Remediation
To remediate this issue, go to the Product Downloads site, and download the
applicable product update/hotfix file:
+--------------+-------+------+-------------+
|Product       |Version|Type  |Release Date |
+--------------+-------+------+-------------+
|Policy Auditor|6.5.1  |Update|July 29, 2021|
+--------------+-------+------+-------------+

Download and Installation Instructions
For instructions to download product updates and hotfixes, see: KB56057 - How
to download Enterprise product updates and documentation. Review the Release
Notes and the Installation Guide for instructions on how to install these
updates. All documentation is available on the McAfee Enterprise Product
Documentation site.

Frequently Asked Questions (FAQs)
How do I know if my product is vulnerable or not?
For Endpoint Security on Windows:
Use the following instructions for endpoint or client-based products:

 1. Right-click the McAfee tray shield icon on the Windows taskbar.
 2. Select McAfee Endpoint Security.
 3. In the console, select Action Menu.
 4. In the Action Menu, select About. The product version displays.

For endpoint products and ENS on other platforms:
Use the following instructions for endpoint or client-based products:

 1. Right-click the McAfee tray shield icon on the Windows taskbar.
 2. Select Open Console.
 3. In the console, select Action Menu.
 4. In the Action Menu, select Product Details. The product version displays.

For Appliances:
Use the following instructions for Appliance-based products:

 1. Open the Administrator's User Interface (UI).
 2. Click the About link. The product version displays.

What is CVSS?
Common Vulnerability Scoring System (CVSS) is the result of the National
Infrastructure Advisory Council's effort to standardize a system of assessing
the criticality of a vulnerability. This system offers an unbiased criticality
score between 0 and 10 that customers can use to judge how critical a
vulnerability is and plan accordingly. For more information, visit the CVSS
website.

When calculating CVSS scores, McAfee Enterprise has adopted a philosophy that
fosters consistency and repeatability. Our guiding principle for CVSS scoring
is to score the exploit under consideration by itself. We consider only the
immediate and direct impact of the exploit under consideration. We do not
factor into a score any potential follow-on exploits that might be made
possible by the successful exploitation of the issue being scored.

Where can I find a list of all Security Bulletins?
All Security Bulletins are published on our external PSIRT website. To see
Security Bulletins for McAfee Enterprise products on this website, click
Enterprise Security Bulletins. Security Bulletins are retired (removed) once a
product is both End of Sale and End of Support (End of Life).

How do I report a product vulnerability to McAfee Enterprise?
If you have information about a security issue or vulnerability with a McAfee
Enterprise product, go to the PSIRT website, click Report a Security
Vulnerability, and follow the instructions.

How does McAfee Enterprise respond to this and any other reported security
flaws?
Our key priority is the security of our customers. If a vulnerability is found
within any McAfee Enterprise software or services, we work closely with the
relevant security software development team to ensure the rapid and effective
development of a fix and communication plan.

McAfee Enterprise only publishes Security Bulletins if they include something
actionable such as a workaround, mitigation, version update, or hotfix.
Otherwise, we would simply be informing the hacker community that our products
are a target, putting our customers at greater risk. For products that are
updated automatically, a non-actionable Security Bulletin might be published to
acknowledge the discoverer.

View our PSIRT policy on the PSIRT website by clicking About PSIRT.

Resources
To contact Technical Support, go to the Create a Service Request page and log
on to the ServicePortal.

  o If you are a registered user, type your User ID and Password, and then
    click Log In.
  o If you are not a registered user, click Register and complete the fields to
    have your password and instructions emailed to you.

Disclaimer
The information provided in this Security Bulletin is provided as is without
warranty of any kind. McAfee Enterprise disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness for
a particular purpose. In no event shall McAfee Enterprise or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if McAfee
Enterprise or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the preceding limitation may not apply.

Any future product release dates mentioned in this Security Bulletin are
intended to outline our general product direction, and they should not be
relied on in making a purchasing decision. The product release dates are for
information purposes only, and may not be incorporated into any contract. The
product release dates are not a commitment, promise, or legal obligation to
deliver any material, code, or functionality. The development, release, and
timing of any features or functionality described for our products remains at
our sole discretion and may be changed or canceled at any time.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================