13 Replies. Latest reply on Jun 25, 2009 3:17 PM by jdswanson

    McAfee Security Bulletin - ActiveX security issue in CMA and McAfee Agent

    twenden
      FYI,


      McAfee Security Bulletin - ActiveX security issue in CMA and McAfee Agent

      Security Bulletins ID: SB10002
      Published: April 29, 2009

      Summary

      Impact of Vulnerability: File overwrite leading to data loss or DoS in CMA and McAfee Agent. Specific to Windows - activated through Internet Explorer

      Recommendations: Apply killbit steps as described in this article. Ensure your Internet Explorer settings are correct.

      Affected Software:
      Common Management Agent 3.5.5 up to and including Hotfix 2 (version 3.5.5.588)
      Common Management Agent 3.6.0 up to and including Patch 4 (version 3.6.0.608)
      McAfee Agent 4.0 Windows up to and including Hotfix 481017 (version 4.0.0.1449)

      Location of updated software: See Remediation section below.


      Description
      The issue is caused by an attacker requesting services of an ActiveX (COM) object that Common Management Agent (CMA) and McAfee Agent use to handle writing reports. While the ActiveX object is not intended for use over the Internet, in certain situations, it can be triggered through a browser.

      Successful exploitation of this security flaw would allow an attacker to overwrite a file on the disk with a status report. The attacker does not control the contents of the file that is written. This would likely lead to a crash scenario depending on the files that the attacker chooses to overwrite.

      The exploit is not likely to work in most scenarios. Only Microsoft Internet Explorer (IE) browsers allow using ActiveX across HTTP in the method described by the attack. By default, IE 6, 7, and 8 disallow ActiveX components from working in the "Internet Zone". To be vulnerable, the offensive HTML must come from a trusted site and, by default, browser security settings will typically warn the user.

      Remediation

      CAUTION: This article contains information about opening or modifying the registry.

      * The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
      * Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986
      * Do not run a .REG file that is not confirmed to be a genuine registry import file.

      McAfee is utilizing a technique known as “setting the killbit”. This is a configuration change that Microsoft has used to remediate similar issues.

      Implement the following killbit steps for the affected component:

      1. Click Start, Run, type regedit.exe and click OK.
      2. Navigate to:

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\]


      3. Create a key for the component called: {04D18721-749F-4140-AEB0-CAC099CA4741}
      4. Create a DWORD value in that component called: Compatibility Flags
      5. Set the Compatibility Flags hexadecimal value to: 400

      NOTE: A system restart is not necessary; however, restarting IE is required.

      This will resolve the issue.

      NOTE: McAfee will wrap the killbit solution in an executable for ePO deployment. Please check the ServicePortal for further information in the next 24 hours.


      Alternatively, you can implement this key using a .reg file. Using .reg file scripts is an easy way to deploy registry setting modifications.

      1. From the Attachments section below, download the ma.zip file.
      2. Extract the ma.reg entry from the ma.zip file to a temporary folder on the affected system.
      3. Double-click the ma.reg file from the temporary folder.
      4. Accept the changes to apply the .reg key and resolve the issue.


      Workaround

      Ensure that your IE security settings are set to block ActiveX on untrusted sites and warn on trusted sites.

      Details on setting your ActiveX behavior for IE are available here:

      http://www.microsoft.com/windows/ie/ie6/using/howto/security/setup.mspx

      http://www.microsoft.com/downloads/details.aspx?FamilyID=6aa4c1da-6021-468e-a8cf-af4afe4c84b2&DisplayLang=en


      Support
      For contact details:

      * Go to: http://www.mcafee.com/us/about/contact/index.html
      * Non-US customers - select your country from the list of Worldwide Offices.


      Alternatively:
      Log in to the ServicePortal at: https://mysupport.mcafee.com:

      * If you are a registered user, type your User Id and Password and click OK.
      * If you are not a registered user, click New User and complete the required fields. Your password and login instructions will be emailed to you.


      Frequently Asked Questions (FAQs)
      Who is affected by this security vulnerability?

      Systems running:

      - Common Management Agent 3.5.5 up to and including Hotfix 2 (version 3.5.5.588)
      - Common Management Agent 3.6.0 up to and including Patch 4 (version 3.6.0.608)
      - McAfee Agent 4.0 Windows up to and including Hotfix 481017 (version 4.0.0.1449)

      Does this vulnerability affect McAfee Enterprise products?

      Yes, the agent used for communication to the ePolicy Orchestrator server is affected. Unmanaged Windows systems using products that utilize the McAfee Framework Service for updating their content or .DAT files are affected as well.

      McAfee consumer products are not affected by this issue.

      How do I know if my CMA or McAfee Agent is vulnerable?

      Every version of CMA or McAfee Agent is vulnerable. However, the ability to exploit the vulnerability is extremely low. The killbit remediation will resolve this vulnerability.

      Will there be a code fix?

      There will not be a code fix for CMA 3.5.5 or 3.6. For CMA 4.0, a code fix will be included in a future patch. Again, the killbit remediation will resolve this vulnerability.

      What is CVSS?

      CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/


      What are the CVSS scoring metrics that have been used?

      Base Score: 2.8
      Access Vector: Remote
      Access Complexity: Low
      Authentication: Required
      Confidentiality Impact: None
      Integrity Impact: Partial
      Availability Impact: Partial
      Impact Bias: Normal
      Adjusted Temporal Score: 2.2
      Exploitability: Proof of Concept
      Remediation Level: Official Fix
      Report Confidence: Confirmed


      What has McAfee done to resolve the issue?
      McAfee has provided a viable fix to mitigate all risks posed by this issue.
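The kill-bit steps, the ma.reg alternative and the IE zone workaround from the bulletin above, as one script. This is an added example written for this page, not McAfee's ma.reg or the ePO-deployable executable the bulletin mentions. It assumes an elevated PowerShell session on the affected Windows host. The CLSID and the 0x400 Compatibility Flags value come from the bulletin; the Wow6432Node path (used by 32-bit IE on 64-bit Windows) and the per-zone action 1200 ("Run ActiveX controls and plug-ins") with its 0/1/3 value codes are Microsoft's documented registry locations (KB 240797 and KB 182569); the function names are my own. The Test-ActiveXKillBit function also gives a local answer to the "how do I know it was applied" question raised later in the thread.

```powershell
# Added example for SB10002 (not McAfee's ma.reg or ePO package).
# Run in an elevated PowerShell session on the affected Windows host.

$Clsid   = '{04D18721-749F-4140-AEB0-CAC099CA4741}'   # CLSID named in the bulletin
$KillBit = 0x400                                       # Compatibility Flags value the bulletin sets (the IE kill bit)

# IE reads ActiveX Compatibility from its own registry view: 32-bit IE on 64-bit
# Windows uses Wow6432Node. Cover both so the kill bit holds for either IE build.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([string]$Clsid, [string[]]$BasePaths, [int]$KillBit = 0x400)
    foreach ($base in $BasePaths) {
        if (-not (Test-Path $base)) { continue }       # Wow6432Node does not exist on 32-bit Windows
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit into any flags already present rather than clobbering them.
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = [int]$current -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
    }
    # The bulletin: no system restart needed, but IE must be restarted to pick this up.
}

function Test-ActiveXKillBit {
    # Returns one object per registry view; KillBit is $true only if 0x400 is set there.
    param([string]$Clsid, [string[]]$BasePaths, [int]$KillBit = 0x400)
    foreach ($base in $BasePaths) {
        if (-not (Test-Path $base)) { continue }
        $key   = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Path    = $key
            Flags   = if ($null -eq $flags) { '(absent)' } else { '0x{0:X}' -f $flags }
            KillBit = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Test-IEActiveXZoneSetting {
    # Audits the bulletin's workaround: action 1200 = "Run ActiveX controls and plug-ins".
    # Value codes per Microsoft: 0 = Enable, 1 = Prompt, 3 = Disable. Read from HKCU, i.e.
    # the user running the check (a machine policy can override these per-user values).
    # The bulletin wants Disable on Internet and Prompt on Trusted sites.
    $zones   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
        $val = (Get-ItemProperty -Path $key -Name '1200' -ErrorAction SilentlyContinue).'1200'
        [pscustomobject]@{
            Zone    = $zones[$id]
            Value   = $val
            Setting = if ($null -eq $val) { '(not set)' } elseif ($meaning.ContainsKey([int]$val)) { $meaning[[int]$val] } else { 'Other' }
        }
    }
}

# Usage:
Set-ActiveXKillBit  -Clsid $Clsid -BasePaths $BasePaths -KillBit $KillBit
Test-ActiveXKillBit -Clsid $Clsid -BasePaths $BasePaths -KillBit $KillBit | Format-Table -AutoSize
Test-IEActiveXZoneSetting | Format-Table -AutoSize
```

Set-ActiveXKillBit ORs 0x400 into whatever Compatibility Flags already hold instead of writing a bare 400, so any other compatibility flag Microsoft or a vendor has set on that CLSID survives. For a fleet-wide count, run Test-ActiveXKillBit through Invoke-Command against a host list and count the rows whose KillBit is false; that is the same check the kill-bit executable's success status would be reporting, just read straight from the registry.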
        • 1. RE: McAfee Security Bulletin - ActiveX security issue in CMA and McAfee Agent
          tonyb99
          Will there be a code fix?

          There will not be a code fix for CMA 3.5.5 or 3.6 . For CMA 4.0 , a code fix will be included in a future patch. Again, the killbit remediation will resolve this vulnerability.

          So looking at the earlier comment:

          NOTE: McAfee will wrap the killbit solution in an executable for ePO deployment. Please check the ServicePortal for further information in the next 24 hours.


          Does this mean no hotfix for 3.6.0.608, only for ePO agent 4.xx???

          bah need plain engrish
          • 2. What's HF481017
            psolinski
            BTW What's HF481017?
            Can't find it in the KB.

            The latest CMA I can find is 4.0.0.1444
            • 3. RE: What's HF481017
              Just ran the killbit solution via ePO deployment. (ePO 4, with 25 8.7 clients)

              Went without a hitch.

              Here's the link.

              https://kc.mcafee.com/corporate/index?page=content&id=SB10002&actp=LIST_RECENT

              All the way at the bottom you'll find the "Attachment" section and the link to download the executable with the fix.

              -B
              • 4. RE: What's HF481017


                I was thinking the same thing, except I thought 4.0.0.1421 was the latest version? Is that what you mean, or have I missed something (quite possible)?

                I had a quick search just now and couldn't find anything about such a hotfix 481017. All irrelevant really, just interesting to see what they are on about. I guess possibly it is some testing/development version, or something... anyone?

                Anyway, has anyone had any issues after deploying this superdat?
                • 5. RE: What's HF481017
                  psolinski
                  Superdat deployed last night on 2200+ computers. No issues.

                  Agent 4.0.0.1444 comes with McAfee Agent 4.0 Hotfix 481806 available from mysupport page.

                  Issues that are resolved in this release are listed below.

                  1. Issue: Updates via local and distributed UNC repositories failed when the catalog.z file was larger than 4,096 bytes. When this occurred, the error message “Error occurred while downloading catalog.z” appeared in the Agent_ log file. (Reference: 480163, 485171) Resolution: The success of an update via local and distributed UNC repositories is no longer dependent on the size of the catalog.z file.
                  2. Issue: The McAfee Agent installation process checked for the existence of the “My Documents” folder. If it was not present or mapped to a network folder, the installation failed. (Reference: 474870) Resolution: The McAfee Agent installation process no longer requires the “My Documents” folder to be present.

                  • 6. RE: What's HF481017
                    Forgive my ignorance, but is there some way to create a query that will show how many agents have been successfully hotfixed?
                    • 7. verify success?
                      tb_ng


                      I was wondering the same thing... Without querying the registry (which I don't have access to do), how do I know if it has been successfully applied?
                      • 8. RE: verify success?


                        Hi,
                        In the System Details page for a client, under VirusScan Enterprise on the right side, click "more".

                        On the following page you can find a field called "Fixes", but you can't query this at the moment.
                        • 9. RE: verify success?
                          tb_ng



                          The only thing I see there is a field called szHotfix with a value of 1...