SafeUM
TOP Security!
9 Dec 2015

McAfee Enterprise Security Manager failed to manage own security

McAfee has had to admit to an embarrassing vulnerability in one of its own products: a flaw that could allow attackers to bypass authentication in its Enterprise Security Manager (ESM) product.

The flaw was discovered by Claudio Cinquino at Quantum Leap SRL. In its advisory, McAfee said that the flaw could enable an attacker to use a “specially crafted username” to “bypass SIEM ESM authentication… if the ESM is configured to use Active Directory or LDAP authentication sources. This can result in the attacker gaining NGCP (master user) access to the ESM.”

“When configured to use Active Directory or LDAP authentication sources, allow remote attackers to bypass authentication by logging in with the username ‘NGCP|NGCP|NGCP;’ and any password,” the advisory read. The bug, labelled CVE-2015-8024, affects McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/Log Manager (ESMLM) and Enterprise Security Manager/Receiver (ESMREC) versions 9.3.x before 9.3.2MR19, 9.4.x before 9.4.2MR9 and 9.5.x before 9.5.0MR8.

The advisory comes with an update to the product that will fix the bug. There is also a workaround if organisations aren't able to apply the update. This workaround involves the ESM administrator disabling all Active Directory and LDAP authentication sources in the ESM. “ESM local authentication is not affected by this vulnerability,” stated the advisory.

Kevin O'Reilly, senior consultant at Context Information Security, told SC that the flaw is certainly something that attackers would seek to make use of if they had already established access to the network in question. “This is, however, quite a significant proviso as the flaw requires access to the portal of the McAfee Enterprise Security Manager in the first place. This is not a service that should be accessible externally from the internet, but should be instead restricted to internal access only,” he said.

According to O'Reilly, from the perspective of an attacker who has established low privileged access to the network, this flaw would allow unauthenticated access to the Enterprise Security Manager console with the most privileged account known as NGCP. “This might well allow an attacker to escalate privileges indirectly, and would provide privileged access to all the information present in the ESM console and control over the McAfee software installed on endpoints.

“From there, an attacker might disable security software on the endpoints to lower their security posture before attacking them to gain a further foothold. Alternatively, they might be able to cause a denial of service or other disruption by using the ESM console to, for example, isolate all the endpoints from the network, or by using any other of the features exposed by ESM to control the network endpoints,” he added.

Paco Hope, principal security evangelist at Cigital, told SC that the flaw reads like the software was susceptible to a classic LDAP injection attack. “The thing is, SQL injection tests will not find LDAP injection vulnerabilities because the syntax of the two query languages is totally different. And not all LDAP integrations dynamically create queries in a fashion that makes injections possible. It sounds like some other variables compound this problem. Perhaps the privileged user is always the first user in the database, or in some way is always the default user matched by the injection,” he said.
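Hope's diagnosis concerns the general LDAP injection class, not the confirmed internals of the ESM bug, which have not been published. The following is an added example, not code from McAfee, Quantum Leap or SC Magazine, showing that class in miniature: a login lookup that concatenates the submitted name into an RFC 4515 search filter, beside the same lookup with the value escaped, both evaluated against a constructed two-entry directory by a small strict filter parser. It goes slightly beyond the article by showing two payloads: a bare `*` wildcard, which makes the privileged first entry the hit (the "first user in the database" case Hope hypothesises), and a structural `)(role=admin` injection that rewrites the filter's logic. The directory, attribute names, filter template and all function names are assumptions made for the demo.

```python
"""LDAP filter injection: vulnerable vs. hardened lookup (added example).

Not code from McAfee or SC Magazine. The directory, attribute names and
filter template are constructed for the demo; the real internal cause of
CVE-2015-8024 is not public and is not reproduced here.
"""
import re

# Constructed directory: the privileged account is listed first, mirroring the
# hypothesis that an injected filter ends up matching it by default.
DIRECTORY = [
    {"uid": "master", "mail": "master@example.test", "role": "admin"},
    {"uid": "alice", "mail": "alice@example.test", "role": "analyst"},
]

def escape_filter_chars(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def vulnerable_lookup_filter(login):
    """Concatenation: the login text is parsed as filter syntax."""
    return "(|(uid=%s)(mail=%s))" % (login, login)

def hardened_lookup_filter(login):
    """Escaped: the login text can only ever be a literal value."""
    safe = escape_filter_chars(login)
    return "(|(uid=%s)(mail=%s))" % (safe, safe)

def is_plausible_login(login):
    """Defence in depth: reject text that could never be an account name."""
    return re.fullmatch(r"[A-Za-z0-9._@-]{1,64}", login) is not None

class _Parser:
    """Strict parser for the subset used here: (attr=value), (&...), (|...)."""
    def __init__(self, text):
        self.s, self.i = text, 0

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError("trailing data after filter: %r" % self.s[self.i:])
        return node

    def _expect(self, ch):
        if self.s[self.i:self.i + 1] != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.i))
        self.i += 1

    def _filter(self):
        self._expect("(")
        op = self.s[self.i:self.i + 1]
        if op in ("&", "|"):
            self.i += 1
            children = []
            while self.s[self.i:self.i + 1] == "(":
                children.append(self._filter())
            self._expect(")")
            return (op, children)
        end = self.s.find(")", self.i)
        attr, eq, value = self.s[self.i:end].partition("=")
        if end < 0 or not attr or not eq:
            raise ValueError("malformed item at offset %d" % self.i)
        self.i = end + 1
        return ("=", attr, value)

_HEX = re.compile(r"\\([0-9a-fA-F]{2})")

def _value_regex(value):
    """Unescaped '*' is a wildcard; '\\xx' escapes decode to literal characters."""
    pieces = [re.escape(_HEX.sub(lambda m: chr(int(m.group(1), 16)), p))
              for p in value.split("*")]
    return re.compile(".*".join(pieces), re.IGNORECASE)

def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    actual = entry.get(node[1])
    return actual is not None and _value_regex(node[2]).fullmatch(actual) is not None

def search(filter_text, directory=DIRECTORY):
    """Return uids of entries matching the filter, in directory order."""
    node = _Parser(filter_text).parse()
    return [e["uid"] for e in directory if _matches(node, e)]

def resolve_account(build_filter, login):
    """A lookup that trusts the first hit, as many login paths do."""
    hits = search(build_filter(login))
    return hits[0] if hits else None

if __name__ == "__main__":
    for login in ("alice", "*", "nobody)(role=admin"):
        print("%-20r plausible=%-5r vulnerable=%-8r hardened=%r" % (
            login, is_plausible_login(login),
            resolve_account(vulnerable_lookup_filter, login),
            resolve_account(hardened_lookup_filter, login)))
```

Neither payload contains a quote character or `OR 1=1`, which is Hope's point about SQL injection scanners missing this class. Escaping the value is the fix; an allowlist on the login name is a second layer, and once an entry is resolved the password must be checked by binding as that entry's DN rather than by anything built from user input.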

Hope added that LDAP injection is easier to find earlier in the lifecycle than later.

Richard Cassidy, technical director EMEA at Alert Logic, told SC that the challenge with security generally is that it is only as strong as the weakest link, which in most cases comes down to username/password protection for access to key assets.

“Security vendors do all they can to stress test their own consoles or user portals against authentication vulnerabilities, including QA at a kernel level to ensure the underlying system itself cannot be exploited. However, it is inevitable that from time to time, we will see vulnerabilities crop up where we least expect them, as a result of failed QA and security stress testing processes,” he said.

Tags: information leaks, McAfee
Source: SCMagazine