=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN425
_____________________________________________________________________

DATE                      : 03/08/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running McAfee SecurityCenter.

======================================================================

Notice: A patch is available for this vulnerability. Follow the instructions 
below to update your McAfee product.
Published: July 31, 2006
Version: 0.6

    1. Summary
           * Who should read this document: McAfee Customers
           * Impact of Vulnerability: Arbitrary Command Execution with the
             assistance of an authenticated user
           * Severity Rating: Medium
           * Recommendations: Update SecurityCenter to SecurityCenter 7.0
           * Security Bulletin Replacement: None
           * Caveats: None
           * Affected Software:
             McAfee SecurityCenter 4.3 through McAfee SecurityCenter 6.0.22
           * Location of updated software:
             Log in at http://us.mcafee.com/root/login.asp or click 'update'
             in SecurityCenter
    2. Description

       Exploitation requires the end user to perform certain actions, for
       example receiving an e-mail from an untrusted source and clicking on a
       URL. A successful exploit of the security flaw would allow an attacker
       to remotely execute arbitrary code on the machine running the indicated
       software. These arbitrary commands would be limited to the privileges of
       the user account under which the product is running on the machine. To
       accomplish this exploit, a user would have to force Internet Explorer to
       render a malicious web page which has been generated by the attacker.
       The attack requires reverse engineering of the software as well as the
       assistance of the user.

       This vulnerability was privately researched and reported to McAfee on
       July 19th of 2006. It was validated by July 24th, and fixed on July
       25th. The updated code is currently undergoing quality assurance
       testing, and will be pushed out as a patch for these earlier versions of
       Security Center starting August 2nd of 2006.

       Security Center 7.0 has been pushed to all live update servers and has
       been available for download as of July 29, 2006. Most users will
       automatically receive this update. This update will remedy the risk
       associated with this security flaw.
    3. Remediation
           * Validation of Version:
                1. Right click on the McAfee icon located in your system tray
                   by your clock
                2. If "Quick Links" is an option, then SecurityCenter 7.0 is
                   installed, and the system is not vulnerable.
                3. Otherwise, select "Open McAfee SecurityCenter"
                4. Double click on the McAfee SecurityCenter logo to view the
                   "about" screen
                5. If the build number says 6.0.22 or earlier, then proceed
                   with the Detailed Steps for Installing Patch
           * Detailed Steps for installing the update:
                1. Make sure that you are connected to the Internet
                2. Right click the McAfee SecurityCenter icon located in your
                   system tray by your clock
                3. Click "Update"
                4. The "SecurityCenter Updates" window appears.
                5. Click "Check Now"
                6. If an update is available, click "Update"
                7. If prompted, enter your registered email address and password
                8. Click "Log In"
                9. Wait while the update downloads and installs
               10. Click "Finish"
           * Detailed Steps for validating the update install:
                1. Right click on the McAfee icon located in your system tray
                   by your clock
                2. "Quick Links" should be an option, and the system is no
                   longer vulnerable
                3. Otherwise, the patch for your system will be available
                   starting August 1st of 2006.
    4. Work Around
           * None
    5. Acknowledgements
           * eEye Digital Security
    6. Support
           * Corporate Technical Support:
             866-622-3911
             http://www.mcafee.com/us/support/default.asp
    7. Frequently Asked Questions (FAQ) related to this security bulletin
           * Who is affected by this security vulnerability?
             McAfee SecurityCenter 4.3 through McAfee Security Center 6.0
             could be affected by this vulnerability. McAfee urges all
             customers to verify that they have received the latest updates.
           * How do you know if you are vulnerable?
                1. Right click on the McAfee icon located in your system tray
                   by your clock
                2. If "Quick Links" is an option, then SecurityCenter 7.0 is
                   installed, and the system is not vulnerable.
                3. Otherwise, select "Open McAfee SecurityCenter"
                4. Double click on the McAfee SecurityCenter logo to view the
                   "about" screen
                5. If the build number says 6.0.22 or earlier, then proceed
                   with the Detailed Steps for Installing Patch
           * Why is this ranked medium?
             This vulnerability requires the attacker to construct the
             infrastructure of the attack web page and also requires the
             assistance of an authenticated end user on the machine. The
             McAfee security ranking scale classifies any remote assisted
             flaw that results in arbitrary code execution as a medium threat
             to the end user. The Criticality scale ranges from critical to
             high to medium to low to informational.
           * Does this vulnerability affect McAfee enterprise products?
             No. This vulnerability only affects Security Center 4.3 through
             6.0.22, which is not considered an enterprise product.
           * What has McAfee done to resolve the issue?
             McAfee believes in providing the most secure software to
             customers and has provided an update to this security flaw.
           * When did McAfee first learn about this issue?
             The finder first disclosed this vulnerability to McAfee on July
             19th of 2006.
           * How does McAfee respond to this and any other security flaw?
             McAfee's key priority is the security of its customers. In the
             event that a vulnerability is found within any of McAfee's
             software, a strong process is in place to work closely with the
             relevant security research group to ensure the rapid and
             effective development of a fix and communication plan. McAfee is
             an active member of the Organization for Internet Safety (OIS),
             which is dedicated to developing guidelines and best practices
             for the reporting and fixing of software vulnerabilities.
    8. Resources
           * To download new beta software or to read about the latest beta
             information, visit the beta website:
             http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm
           * To submit beta feedback on any McAfee product, send email to:
             mcafee_beta@mcafee.com
           * For contact information, see: http://www.mcafee.com/pubs/contacts.html
           * For copyright, trademark attributions, and license information,
             see: http://www.mcafee.com/pubs/copyright.html
           * For patents protecting this product, see the product documentation.
    9. Disclaimer
       The information provided in this security bulletin is provided "as is"
       without warranty of any kind. McAfee disclaims all warranties, either
       express or implied, including the warranties of merchantability and
       fitness for a particular purpose. In no event shall McAfee or its
       suppliers be liable for any damages whatsoever including direct,
       indirect, incidental, consequential, loss of business profits or
       special damages, even if McAfee or its suppliers have been advised of
       the possibility of such damages. Some states do not allow the exclusion
       or limitation of liability for consequential or incidental damages so
       the foregoing limitation may not apply.

Last Modified: 08/01/06
Modified by: jag-wcmou

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================


