0 Replies Latest reply: Mar 27, 2012 9:43 PM by SamSwift

    Updated Product Coverage

    SamSwift

      Please note this is a temporary posting whilst the updated document is being approved.

       

      EXECUTIVE SUMMARY

      March 27, 2012 | MTIS12-052

      Since the last McAfee® Labs Security Advisory (March 26), the following noteworthy event has taken place:

      • McAfee product coverage has been updated for a vulnerability in Microsoft Remote Desktop.

       

      PREVIOUS THREAT UPDATES

       

      (MS12-020) Microsoft Remote Desktop Protocol Remote Code Execution (2671387)
      MTIS12-038-D

      IMPORTANCE:

      High

      NOW COVERED:

      DAT | Network Security Platform | Vulnerability Manager | Web Gateway | Remediation Manager



       

      THREAT DETAILS

      (MS12-020) Microsoft Remote Desktop Protocol Remote Code Execution (2671387)
      MTIS12-038-D

      THREAT IDENTIFIER(S)

      CVE-2012-0002; MS12-020

      THREAT TYPE

      Vulnerability

      RISK ASSESSMENT

      High

      MAIN THREAT VECTORS

      WAN; LAN

      USER INTERACTION REQUIRED

      No

      DESCRIPTION

      A vulnerability in some versions of Microsoft Remote Desktop could lead to remote code execution. The Remote Desktop Protocol improperly accesses an object in memory. Specifically, a use-after-free condition can occur, resulting in heap memory corruption following calls to NMDetachUserReq. In-the-wild Proof of Concept (PoC) code targeting this vulnerability has been observed. Successful exploitation could allow an attacker to execute remote code. Partial AV/MWG (DAT) coverage is now available.

      IMPORTANCE

      High. On March 27, a new attack tool exploiting this vulnerability was discovered in the wild.

      MCAFEE PRODUCT COVERAGE

       

         DAT FILES

      Partial coverage for known PoC code is provided as "Exploit-CVE2012-0002" in the 6652 DATs, released on March 17. Some more recent executable attack tools are detected via GTI as Artemis!2720ADCEEE54. Updated coverage will be provided as "Exploit-CVE2012-0002" in the 6663 DATs, scheduled to be released on March 28. The files associated with the Metasploit module (released March 19) are detected as "Metasploit" (Potentially Unwanted Program) in the current DATs.

         VIRUS SCAN ENTERPRISE SCAN BOP

      Out of scope

         HOST IPS

      Out of scope

         NETWORK SECURITY PLATFORM

      The sigset release of March 13 includes the signature "RDP: Microsoft Remote Desktop Protocol Remote Code Execution II," which provides coverage.

         VULNERABILITY MANAGER

      The FSL/MVM package of March 14 includes a vulnerability check to assess if your systems are at risk.

         WEB GATEWAY

      Partial coverage for known PoC code is provided as "Exploit-CVE2012-0002" in the current Gateway Anti-Malware Database Update. Some more recent executable attack tools are detected via GTI as Artemis!2720ADCEEE54. Updated coverage will be provided as "Exploit-CVE2012-0002" in the Gateway Anti-Malware Database. An update is scheduled to be released on March 28. The files associated with the Metasploit module (released March 19) are detected as "Metasploit" (Potentially Unwanted Program) in the current DATs.

         REMEDIATION MANAGER

      The V-Flash release of March 13 contains coverage as "Covered via MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)."

         POLICY AUDITOR

      Under analysis

         NETWORK ACCESS CONTROL

      Under analysis

         FIREWALL ENTERPRISE

      Under analysis

         APPLICATION CONTROL

      Out of scope

      ADDITIONAL INFORMATION

      • http://vil.nai.com/vil/Content/v_vul68595.htm
      • McAfee: Exploit-CVE2012-0002
      • McAfee KB: Threat Advisory - Microsoft Remote Desktop Protocol Remote Code Execution
      • http://technet.microsoft.com/en-us/security/bulletin/ms12-020.aspx
      • McAfee Labs Blog: RDP+RCE=Bad News
      • McAfee AudioParasitics: Episode 125 - RDP, RCE, and You
      • Microsoft: CVE-2012-0002 - A closer look at MS12-020's critical issue

