McAfee has had to admit to an embarrassing vulnerability in one of its own products that could allow hackers to bypass the security in its Enterprise Security Manager product.
The flaw was discovered by Claudio Cinquino at Quantum Leap SRL. In an advisory, the firm said that the flaw could enable an attacker to use a “specially crafted username” to “bypass SIEM ESM authentication… if the ESM is configured to use Active Directory or LDAP authentication sources.
This can result in the attacker gaining NGCP (master user) access to the ESM.” “When configured to use Active Directory or LDAP authentication sources, allow remote attackers to bypass authentication by logging in with the username ‘NGCP|NGCP|NGCP;' and any password,” the advisory read. The bug, labelled CVE-2015-8024, affects McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/Log Manager (ESMLM) and Enterprise Security Manager/Receiver (ESMREC) 9.3.x before 9.3.2MR19, 9.4.x before 9.4.2MR9, and 9.5.x before 9.5.0MR8.
The advisory comes with an update to the product that will fix the bug. There is also a workaround if organisations aren't able to apply the update. This workaround involves the ESM administrator disabling all Active Directory and LDAP authentication sources in the ESM. “ESM local authentication is not affected by this vulnerability,” stated the advisory.
Kevin O'Reilly, senior consultant at Context Information Security, told that the flaw is certainly something that attackers would seek to make use of if they had already established access to the network in question. “This is, however, quite a significant proviso as the flaw requires access to the portal of the McAfee Enterprise Security Manager in the first place. This is not a service that should be accessible externally from the internet, but should be instead restricted to internal access only,” he said.
According to O'Reilly, from the perspective of an attacker who has established low privileged access to the network, this flaw would allow unauthenticated access to the Enterprise Security Manager console with the most privileged account known as NGCP. “This might well allow an attacker to escalate privileges indirectly, and would provide privileged access to all the information present in the ESM console and control over the McAfee software installed on endpoints.
“From there, an attacker might disable security software on the endpoints to lower their security posture before attacking them to gain a further foothold. Alternatively, they might be able to cause a denial of service or other disruption by using the ESM console to, for example, isolate all the endpoints from the network, or by using any other of the features exposed by ESM to control the network endpoints,” he added.
Paco Hope, principal security evangelist at Cigital, told SC that the flaw reads like the software was susceptible to a classic LDAP injection attack. “The thing is, SQL injection tests will not find LDAP injection vulnerabilities because the syntax of the two query languages is totally different. And not all LDAP integrations dynamically create queries in a fashion that makes injections possible. It sounds like some other variables compound this problem. Perhaps the privileged user is always the first user in the database, or in some way is always the default user matched by the injection,” he said.
Hope added that LDAP injection is easier to find earlier in the lifecycle than later. Richard Cassidy, technical director EMEA at Alert Logic, told SC that the challenge with security generally is that it is only as strong as the weakest link, which in most cases comes down to username/password protection for access to key assets.
“Security vendors do all they can to stress test their own consoles or user portals from authentication vulnerabilities, including QA at a kernel level to ensure the underlying system itself cannot be exploited. However, it is inevitable that from time to time, we will see vulnerabilities crop-up where we least expect them, as a result of failed QA and security stress testing processes,” he said.
110 Reykjavik, Iceland