3 Replies Latest reply on Jul 20, 2017 3:56 AM by bretzeli

    ATD 4.0: PDF check with E-Mail Connectors stays at VERDICT FAILED

    bretzeli

      ATD 4.0 checks the TIE PDF manual ;-)

       

      Did anybody get the E-mail Connector running? Our sample testing submission with PDF stays at FAILED... (ATD rebooted)

       

       

       

      Manual upload of the same PDF to the sandbox brings another surprise: the official MCAFEE TIE Release Notes get a MEDIUM with TIE 4.0

      tie_120_pg_en-us.pdf

       

      @mcafee before you ASK us to send the PDF and open a ticket you can download it with a valid NAI from your servers ;-)

       

       

      Detail:

       

       

        • 1. Re: ATD 4.0: PDF check with E-Mail Connectors stays at VERDICT FAILED
          Troja

          Hello,

          The new feature is planned for the near future. I'm interested in how this feature will work in real life.

          Cheers

          • 2. Re: ATD 4.0: PDF check with E-Mail Connectors stays at VERDICT FAILED
            bretzeli

            @Thorsten, this is out and productive in the 4.0 release as we understood. And all by today's release SNS should update at once. So the 4.0 has to work.

             

            There is a YouTube video showing the integration with the CISCO E-Mail appliance, and they show PDF attachment scanning.

             

             

            ATD 4.0 ALL have to update to it right now IF they would like to secure:

             

            (11.07.2017)

             

             

             

             

            Five vulnerabilities in Advanced Threat Defense (ATD) have been discovered and resolved.

             

            AFFECTED SOFTWARE
            • ATD 3.8.x and earlier
            • Virtual ATD 3.10.x and earlier
            REMEDIATED/PATCHED VERSIONS
            The vulnerability is remediated in these versions:
            • ATD 4.0
            • CVE-2017-4052: Administrator password can be reset without authentication (CVSS 7.2, Severity High) – Authentication Bypass vulnerability in the web interface in McAfee Advanced Threat Defense (ATD) 3.10, 3.8, 3.6, 3.4 allows remote unauthenticated users/remote attackers to change or update any configuration settings, or gain administrator functionality via a crafted HTTP request parameter.
            • CVE-2017-4053: Unauthenticated RCE as root (CVSS 8.3, Severity High) - Command Injection vulnerability in the web interface in McAfee Advanced Threat Defense (ATD) 3.10, 3.8, 3.6, 3.4 allows remote unauthenticated users/remote attackers to execute a command of their choice via a crafted HTTP request parameter.
            • CVE-2017-4054: Authenticated RCE (as a normal user)(CVSS 5.2, Severity Medium) - Command Injection vulnerability in the web interface in McAfee Advanced Threat Defense (ATD) 3.10, 3.8, 3.6, 3.4 allows remote authenticated users to execute a command of their choice via a crafted HTTP request parameter.
            • CVE-2017-4055: Unauthenticated sample whitelisting (CVSS 3.5, Severity Low) - Exploitation of Authentication vulnerability in the web interface in McAfee Advanced Threat Defense (ATD) 3.10, 3.8, 3.6, 3.4 allows remote unauthenticated users/remote attackers to bypass ATD detection via loose enforcement of authentication and authorization.
            • CVE-2017-4057: Privilege Escalation (CVSS 6.5, Severity Medium) - Privilege Escalation vulnerability in the web interface in McAfee Advanced Threat Defense (ATD) 3.10, 3.8, 3.6, 3.4 allows remote authenticated users to gain elevated privileges via the GUI or GUI terminal commands.
            IMPACT RECOMMENDATION
            McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see Knowledge Base article SB10204, McAfee Security Bulletin - Advanced Threat Defense update fixes various web vulnerabilities (CVE-2017-4052, CVE-2017-4053, CVE-2017-4054, CVE-2017-4055, and CVE-2017-4057)(https://kc.mcafee.com/corporate/index?

             

            • 3. Re: ATD 4.0: PDF check with E-Mail Connectors stays at VERDICT FAILED
              bretzeli

              SOLUTION:

               

              We found 1/2 ourselves and 1/2 with McAfee TIER 2 with Hakim (Thank you).

               

              There must be a BUG related to Analyzer Profiles DURING the installation of the E-Mail Connector.

              By default the PROFILE marked as DEFAULT is chosen. However, in one case this was EMPTY under the user ATDEC, which is used for that. There is a MARK * for mandatory, but the field was empty.

               

              1) Choose a VM profile there again

              2) SAVE

              3) MOST important: connect to the ATD with cliadmin and use the reboot command to restart the ATD

               

              After that the E-Mail connector works.