-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2593
  Security Bulletin - Policy Auditor update fixes multiple vulnerabilities
   in third-party libraries (CVE-2016-0718, CVE-2016-4472, CVE-2016-5300,
    CVE-2017-17740, CVE-2017-9287, CVE-2019-13057, CVE-2020-15719,
    CVE-2019-1543, CVE-2019-1547, CVE-2019-1552, CVE-2019-1563,
    CVE-2019-8457, CVE-2018-20506, CVE-2018-20346, CVE-2019-16168,
                       CVE-2017-12627) (SB10365)
                               2 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           McAfee Policy Auditor
Publisher:         McAfee
Operating System:  Windows
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15719 CVE-2019-16168 CVE-2019-13057 CVE-2019-8457
                   CVE-2019-1563 CVE-2019-1552 CVE-2019-1547 CVE-2019-1543
                   CVE-2018-20506 CVE-2018-20346 CVE-2017-17740 CVE-2017-12627
                   CVE-2017-9287 CVE-2016-5300 CVE-2016-4472 CVE-2016-0718
                   CVE-2015-2716 CVE-2015-1283 CVE-2012-0876
Reference:         ASB-2020.0190
                   ASB-2020.0087
                   ESB-2021.2515
                   ESB-2021.1679
                   ESB-2019.4148

Original Bulletin:
   https://kc.mcafee.com/corporate/index?page=content&id=SB10365

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletins ID : SB10365
Last Modified : 7/30/2021

Summary

First Published: July 30, 2021

+-----------------------+--------------+--------------+-------------+---------+
|                       |Impacted      |              |Severity     |CVSS v3.1|
|Product:               |Versions:     |CVE ID:       |Ratings:     |Base     |
|                       |              |              |             |Scores:  |
+-----------------------+--------------+--------------+-------------+---------+
|Policy Auditor (PA)    |Prior to 6.5.1|CVE-2016-0718 |Critical     |9.8      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2016-4472 |High         |8.1      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2016-5300 |High         |7.5      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2017-17740|High         |7.5      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2017-9287 |Medium       |6.5      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-13057|Medium       |4.9      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2020-15719|Medium       |4.2      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-1543 |High         |7.4      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-1547 |Medium       |4.7      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-1552 |Low          |3.3      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-1563 |Low          |3.7      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-8457 |Critical     |9.8      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2018-20506|High         |8.1      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2018-20346|High         |8.1      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2019-16168|Medium       |6.5      |
+-----------------------+--------------+--------------+-------------+---------+
|PA                     |Prior to 6.5.1|CVE-2017-12627|Critical     |9.8      |
+-----------------------+--------------+--------------+-------------+---------+

+-----------------------+-----------------------------------------------------+
|Recommendations:       |Update to Policy Auditor 6.5.1                       |
+-----------------------+-----------------------------------------------------+
|Security Bulletin      |None                                                 |
|Replacement:           |                                                     |
+-----------------------+-----------------------------------------------------+
|Location of updated    |Product Downloads site                               |
|software:              |                                                     |
+-----------------------+-----------------------------------------------------+

To receive email notification when this Security Bulletin is updated, click
Subscribe on the right side of the page. You must be logged on to subscribe.

Article contents:

  o Vulnerability Description
  o Remediation
  o Frequently Asked Questions (FAQs)
  o Resources
  o Disclaimer

Vulnerability Description

PA 6.5.1 contains updates for five third-party libraries. These updates are
grouped by library and ordered by CVSS rating.

Expat XML Parser:

1. CVE-2016-0718
   Expat allows context-dependent attackers to cause a denial of service
   (crash) or possibly execute arbitrary code via a malformed input document,
   which triggers a buffer overflow.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718

2. CVE-2016-4472
   The overflow protection in Expat is removed by compilers with certain
   optimization settings, which allows remote attackers to cause a denial of
   service (crash) or possibly execute arbitrary code via crafted XML data.
   NOTE: This vulnerability exists because of an incomplete fix for
   CVE-2015-1283 and CVE-2015-2716.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472

3. CVE-2016-5300
   The XML parser in Expat does not use sufficient entropy for hash
   initialization, which allows context-dependent attackers to cause a denial
   of service (CPU consumption) via crafted identifiers in an XML document.
   NOTE: This vulnerability exists because of an incomplete fix for
   CVE-2012-0876.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300

OpenLDAP:

4. CVE-2017-17740
   contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the
   nops module and the memberof overlay are enabled, attempts to free a buffer
   that was allocated on the stack, which allows remote attackers to cause a
   denial of service (slapd crash) via a member MODDN operation.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740

5. CVE-2017-9287
   servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a
   double free vulnerability. A user with access to search the directory can
   crash slapd by issuing a search including the Paged Results control with a
   page size of 0.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9287

6. CVE-2019-13057
   An issue was discovered in the server in OpenLDAP before 2.4.48. When the
   server administrator delegates rootDN (database admin) privileges for
   certain databases but wants to maintain isolation (e.g., for multi-tenant
   deployments), slapd does not properly stop a rootDN from requesting
   authorization as an identity from another database during a SASL bind or
   with a proxyAuthz (RFC 4370) control. (It is not a common configuration to
   deploy a system where the server administrator and a DB administrator enjoy
   different levels of trust.)
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13057

7. CVE-2020-15719
   libldap in certain third-party OpenLDAP packages has a
   certificate-validation flaw when the third-party package is asserting
   RFC6125 support. It considers CN even when there is a non-matching
   subjectAltName (SAN). This is fixed in, for example,
   openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15719

OpenSSL:

8. CVE-2019-1543
   ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
   every encryption operation. RFC 7539 specifies that the nonce value (IV)
   should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
   front pads the nonce with 0 bytes if it is less than 12 bytes. However it
   also incorrectly allows a nonce to be set of up to 16 bytes. In this case
   only the last 12 bytes are significant and any additional leading bytes are
   ignored. It is a requirement of using this cipher that nonce values are
   unique. Messages encrypted using a reused nonce value are susceptible to
   serious confidentiality and integrity attacks. If an application changes
   the default nonce length to be longer than 12 bytes and then makes a change
   to the leading bytes of the nonce expecting the new value to be a new unique
   nonce then such an application could inadvertently encrypt messages with a
   reused nonce. Additionally the ignored bytes in a long nonce are not covered
   by the integrity guarantee of this cipher. Any application that relies on
   the integrity of these ignored leading bytes of a long nonce may be further
   affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is
   safe because no such use sets such a long nonce value. However user
   applications that use this cipher directly and set a non-default nonce
   length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1
   and 1.1.0 are affected by this issue. Due to the limited scope of affected
   deployments this has been assessed as low severity and therefore we are not
   creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected
   1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543

9. CVE-2019-1547
   Normally in OpenSSL EC groups always have a co-factor present and this is
   used in side channel resistant code paths. However, in some cases, it is
   possible to construct a group using explicit parameters (instead of using a
   named curve). In those cases it is possible that such a group does not have
   the cofactor present.
   This can occur even where all the parameters match a known named curve. If
   such a curve is used then OpenSSL falls back to non-side channel resistant
   code paths which may result in full key recovery during an ECDSA signature
   operation. In order to be vulnerable an attacker would have to have the
   ability to time the creation of a large number of signatures where explicit
   parameters with no co-factor present are in use by an application using
   libcrypto. For the avoidance of doubt libssl is not vulnerable because
   explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected
   1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in
   OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547

10. CVE-2019-1563
    In situations where an attacker receives automated notification of the
    success or failure of a decryption attempt an attacker, after sending a
    very large number of messages to be decrypted, can recover a CMS/PKCS7
    transported encryption key or decrypt any RSA encrypted message that was
    encrypted with the public RSA key, using a Bleichenbacher padding oracle
    attack. Applications are not affected if they use a certificate together
    with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to
    select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d
    (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k).
    Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563

11. CVE-2019-1552
    OpenSSL has internal defaults for a directory tree where it can find a
    configuration file as well as certificates used for verification in TLS.
    This directory is most commonly referred to as OPENSSLDIR, and is
    configurable with the --prefix / --openssldir configuration options. For
    OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume
    that resulting programs and libraries are installed in a Unix-like
    environment and the default prefix for program installation as well as for
    OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows
    programs, and as such, find themselves looking at sub-directories of
    'C:/usr/local', which may be world writable, which enables untrusted users
    to modify OpenSSL's default configuration, insert CA certificates, modify
    (or even replace) existing engine modules, etc. For OpenSSL 1.0.2,
    '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows
    targets, including Visual C builds. However, some build instructions for
    the diverse Windows targets on 1.0.2 encourage you to specify your own
    --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this
    issue. Due to the limited scope of affected deployments this has been
    assessed as low severity and therefore we are not creating new releases at
    this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in
    OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected
    1.0.2-1.0.2s).
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1552

SQLite:

12. CVE-2019-8457
    SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap
    out-of-bound read in the rtreenode() function when handling invalid rtree
    tables.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457

13. CVE-2018-20346
    SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an
    integer overflow (and resultant buffer overflow) for FTS3 queries that
    occur after crafted changes to FTS3 shadow tables, allowing remote
    attackers to execute arbitrary code by leveraging the ability to run
    arbitrary SQL statements (such as in certain WebSQL use cases), aka
    Magellan.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20346

14. CVE-2018-20506
    SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an
    integer overflow (and resultant buffer overflow) for FTS3 queries in a
    "merge" operation that occurs after crafted changes to FTS3 shadow tables,
    allowing remote attackers to execute arbitrary code by leveraging the
    ability to run arbitrary SQL statements (such as in certain WebSQL use
    cases). This is a different vulnerability than CVE-2018-20346.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20506

15. CVE-2019-16168
    In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a
    browser or other application because of missing validation of a
    sqlite_stat1 sz field, aka a "severe division by zero in the query
    planner."
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168

Xerces:

16. CVE-2017-12627
    In Apache Xerces-C XML Parser library before 3.2.1, processing of external
    DTD paths can result in a null pointer dereference under certain
    conditions.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12627

Remediation

To remediate this issue, go to the Product Downloads site, and download the
applicable product update/hotfix file:

+--------------+-------+------+-------------+
|Product       |Version|Type  |Release Date |
+--------------+-------+------+-------------+
|Policy Auditor|6.5.1  |Update|July 29, 2021|
+--------------+-------+------+-------------+

Download and Installation Instructions

For instructions to download product updates and hotfixes, see:
KB56057 - How to download Enterprise product updates and documentation.
Review the Release Notes and the Installation Guide for instructions on how to
install these updates. All documentation is available on the McAfee Enterprise
Product Documentation site.

Frequently Asked Questions (FAQs)

How do I know if my product is vulnerable or not?

For Endpoint Security on Windows:
Use the following instructions for endpoint or client-based products:

1. Right-click the McAfee tray shield icon on the Windows taskbar.
2. Select McAfee Endpoint Security.
3. In the console, select Action Menu.
4. In the Action Menu, select About.

The product version displays.

For endpoint products and ENS on other platforms:
Use the following instructions for endpoint or client-based products:

1. Right-click the McAfee tray shield icon on the Windows taskbar.
2. Select Open Console.
3. In the console, select Action Menu.
4. In the Action Menu, select Product Details.

The product version displays.

For Appliances:
Use the following instructions for Appliance-based products:

1. Open the Administrator's User Interface (UI).
2. Click the About link.

The product version displays.

What is CVSS?

Common Vulnerability Scoring System (CVSS) is the result of the National
Infrastructure Advisory Council's effort to standardize a system of assessing
the criticality of a vulnerability. This system offers an unbiased criticality
score between 0 and 10 that customers can use to judge how critical a
vulnerability is and plan accordingly. For more information, visit the CVSS
website.

When calculating CVSS scores, McAfee Enterprise has adopted a philosophy that
fosters consistency and repeatability. Our guiding principle for CVSS scoring
is to score the exploit under consideration by itself. We consider only the
immediate and direct impact of the exploit under consideration. We do not
factor into a score any potential follow-on exploits that might be made
possible by the successful exploitation of the issue being scored.

Where can I find a list of all Security Bulletins?

All Security Bulletins are published on our external PSIRT website. To see
Security Bulletins for McAfee Enterprise products on this website, click
Enterprise Security Bulletins. Security Bulletins are retired (removed) once a
product is both End of Sale and End of Support (End of Life).

How do I report a product vulnerability to McAfee Enterprise?

If you have information about a security issue or vulnerability with a McAfee
Enterprise product, go to the PSIRT website, click Report a Security
Vulnerability, and follow the instructions.

How does McAfee Enterprise respond to this and any other reported security
flaws?

Our key priority is the security of our customers. If a vulnerability is found
within any McAfee Enterprise software or services, we work closely with the
relevant security software development team to ensure the rapid and effective
development of a fix and communication plan.

McAfee Enterprise only publishes Security Bulletins if they include something
actionable such as a workaround, mitigation, version update, or hotfix.
Otherwise, we would simply be informing the hacker community that our products
are a target, putting our customers at greater risk. For products that are
updated automatically, a non-actionable Security Bulletin might be published
to acknowledge the discoverer. View our PSIRT policy on the PSIRT website by
clicking About PSIRT.

Resources

To contact Technical Support, go to the Create a Service Request page and log
on to the ServicePortal.

  o If you are a registered user, type your User ID and Password, and then
    click Log In.
  o If you are not a registered user, click Register and complete the fields
    to have your password and instructions emailed to you.

Disclaimer

The information provided in this Security Bulletin is provided as is without
warranty of any kind. McAfee Enterprise disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall McAfee Enterprise or its suppliers
be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if McAfee
Enterprise or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the preceding limitation may not apply.

Any future product release dates mentioned in this Security Bulletin are
intended to outline our general product direction, and they should not be
relied on in making a purchasing decision. The product release dates are for
information purposes only, and may not be incorporated into any contract. The
product release dates are not a commitment, promise, or legal obligation to
deliver any material, code, or functionality. The development, release, and
timing of any features or functionality described for our products remains at
our sole discretion and may be changed or canceled at any time.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information is
still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
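The nonce handling described under item 8 (CVE-2019-1543) above, modelled as an added Python example that is not part of the AusCERT or McAfee bulletin and is not OpenSSL code. The 12-byte and 16-byte limits come from the bulletin text; the NonceTracker class, the constructed nonces and the counter-in-leading-bytes scenario are assumptions for illustration.

```python
# Model of the ChaCha20-Poly1305 nonce rule quoted in the bulletin: nonces
# shorter than 12 bytes are front-padded with zero bytes, nonces of up to 16
# bytes were accepted but only their last 12 bytes are used.  Constants and
# the tracker below are for illustration, not OpenSSL internals.

NONCE_LEN = 12          # RFC 7539 nonce size in bytes
MAX_ACCEPTED_LEN = 16   # longest nonce the affected versions accepted


def effective_nonce(nonce: bytes) -> bytes:
    """Return the 12 bytes the cipher actually keys on for `nonce`."""
    if len(nonce) > MAX_ACCEPTED_LEN:
        raise ValueError("nonce longer than %d bytes" % MAX_ACCEPTED_LEN)
    if len(nonce) < NONCE_LEN:
        # Short nonce: front-padded with zero bytes.
        return b"\x00" * (NONCE_LEN - len(nonce)) + nonce
    # 12..16 bytes: only the trailing 12 bytes are significant; the leading
    # bytes are ignored and are not covered by the Poly1305 tag either.
    return nonce[-NONCE_LEN:]


def strict_nonce(nonce: bytes) -> bytes:
    """Caller-side hardening: accept exactly 12 bytes, nothing else."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly %d bytes, got %d"
                         % (NONCE_LEN, len(nonce)))
    return nonce


class NonceTracker:
    """Detects reuse of the *effective* nonce under one key before encrypting."""

    def __init__(self):
        self._seen = set()

    def check(self, nonce: bytes) -> bool:
        """True if `nonce` is fresh for this key; False if its effective 12
        bytes were already used (the caller must not encrypt in that case)."""
        eff = effective_nonce(nonce)
        if eff in self._seen:
            return False
        self._seen.add(eff)
        return True


def demo_counter_in_leading_bytes(messages: int = 4) -> int:
    """The failure mode from the bulletin: an application keeps its message
    counter in the first 4 bytes of a 16-byte nonce.  Returns how many of
    `messages` encryptions would get a fresh effective nonce (1 when the
    counter lives in the ignored bytes)."""
    tracker = NonceTracker()
    fixed_tail = b"\x00" * 12                 # constructed: never changes
    fresh = 0
    for counter in range(messages):
        nonce = counter.to_bytes(4, "big") + fixed_tail   # counter is ignored
        if tracker.check(nonce):
            fresh += 1
    return fresh


if __name__ == "__main__":
    print("fresh effective nonces for 4 messages:",
          demo_counter_in_leading_bytes(4))
```

A reviewer can apply the same check to a code base by wrapping every EVP-level nonce setter with strict_nonce() so that any non-12-byte length fails loudly before the cipher is used.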
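Hostname verification as described under item 7 (CVE-2020-15719) above, as an added Python example that is neither bulletin text nor OpenLDAP's libldap code. It places the RFC 6125 rule (CN is consulted only when no dNSName subjectAltName is present) beside the flawed rule the bulletin describes; the CertIdentity structure and the sample certificate names are constructed for illustration.

```python
# Hostname verification per RFC 6125 section 6.4.4: when the certificate
# carries any dNSName subjectAltName, the subject CN is not consulted at all.
# match_hostname_flawed() reproduces the behaviour the bulletin describes
# (CN still considered beside a non-matching SAN); the data class and sample
# certificate are constructed for illustration, not parsed from real X.509.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _identifier_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one presented identifier against a hostname.
    A wildcard is honoured only as the entire leftmost label, must leave at
    least two labels to the right, and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert: CertIdentity, hostname: str) -> bool:
    """Correct rule: SANs present -> only SANs decide; CN is a fallback only
    for certificates without any dNSName SAN."""
    if cert.san_dns_names:
        return any(_identifier_match(n, hostname) for n in cert.san_dns_names)
    return (cert.common_name is not None
            and _identifier_match(cert.common_name, hostname))


def match_hostname_flawed(cert: CertIdentity, hostname: str) -> bool:
    """Flawed rule from the bulletin: CN is considered even when the
    certificate has SANs that do not match."""
    if any(_identifier_match(n, hostname) for n in cert.san_dns_names):
        return True
    return (cert.common_name is not None
            and _identifier_match(cert.common_name, hostname))


# Constructed sample: the CN names a host the SAN list does not vouch for.
SAMPLE_CERT = CertIdentity(common_name="ldap.example.org",
                           san_dns_names=["api.example.org", "*.svc.example.org"])


def compare(hostname: str) -> dict:
    """Verdict of both rules for `hostname` against SAMPLE_CERT."""
    return {"rfc6125": match_hostname(SAMPLE_CERT, hostname),
            "flawed": match_hostname_flawed(SAMPLE_CERT, hostname)}


if __name__ == "__main__":
    for host in ("ldap.example.org", "api.example.org", "db.svc.example.org"):
        print(host, compare(host))
```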