5 Replies Latest reply on Mar 14, 2008 9:48 AM by tonyb99

    Common Management Agent 3.6.0 format string vulnerability with debug level set to 8

      McAfee Security Bulletin - Common Management Agent 3.6.0 format string vulnerability with debug level set to 8


      McAfee Common Management Agent (Patch 3) or earlier
      McAfee Agent 4.0


      1. SUMMARY

      Who should read this document: Technical and Security Personnel

      Impact of Vulnerability: Format String Vulnerability in Common Management Agent (CMA) with debug level set to 8

      Severity Rating: High

      Overall CVSS Rating: 4.5

      Recommendations: Ensure debug log level is set to 7 (default) or lower.

      Security Bulletin Replacement: None

      Only affected if debug level is changed from default level of 7 to its highest level of 8. See Workaround for details on checking the debug level.

      CMA (Patch 3) or earlier
      McAfee Agent (MA) 4.0


      This bulletin is in response to a post to a public mailing list. The finder published proof of concept code designed to cause a crash in CMA agents set to debug level 8. The existing proof of concept exploit does not execute code.

      This vulnerability exists on all versions of CMA for Windows where the user has changed the default debug level of 7 to its highest level of 8. A successful exploit of the security flaw would allow an attacker to corrupt the memory of a computer that is running McAfee Common Management Agent. Corruption of this memory may lead to remote code execution. Successfully exploiting the vulnerability is quite complicated and requires several steps of reverse engineering of the software as well as generating a custom-crafted network attack. This specially crafted packet is processed by CMA on a UDP port, which should only be open if this feature is turned on.

      This exploit is only seen if you have set the debug level to its highest setting (8). This is typically only used to diagnose problems when in contact with support, and it generates a large amount of logging data. Because of this, most installations will not have this enabled and are therefore not vulnerable. Additionally, this exploit is only effective in Managed mode installations (CMA deployed and managed by ePO or PrP) because the ports are open. Standalone (unmanaged) installations of CMA are NOT affected by this vulnerability because the ports are not open.


      There is no code fix yet for this issue when running CMA under log level 8. McAfee is diligently working to isolate the cause and create a fix for this issue. A fix will be available soon.


      Workaround 1:

      The most effective way of working around this vulnerability involves lowering the debug level to below 8. By default, CMA ships with a debug level of 7. To check your debug level and verify that it is set to below 8, use the following steps:

      1. Click Start, Run, type regedit and click OK.
      2. Navigate to the following registry key:

      [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]

      3. Right-click on LogLevel and select Modify from the menu.
      4. Verify that the Type is REG_DWORD.
      5. If the value is 8, replace this value with a 7.
      6. Click OK.
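      The registry check above, scripted for auditing a fleet rather than clicking through regedit on each host. This is an added example and is not part of the McAfee bulletin or any McAfee tool; it assumes only the key name, value name and REG_DWORD type given in Workaround 1, and the default (7) and vulnerable (8) levels the bulletin states. The script name and the -Remediate switch are the example's own.

```powershell
# Added example; not part of the McAfee bulletin or any McAfee tool.
# Audits the CMA debug level from Workaround 1 and, with -Remediate,
# lowers it from 8 back to the shipped default of 7. Assumes the registry
# key and value name exactly as the bulletin gives them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

$KeyPath   = 'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator'
$ValueName = 'LogLevel'
$DefaultLevel    = 7   # shipped default per the bulletin
$VulnerableLevel = 8   # highest level; the only setting exposed to the format string bug

function Get-CmaLogLevel {
    # Returns a hashtable describing the current setting, or $null when the
    # key or value is absent (agent not installed, or never configured).
    if (-not (Test-Path -Path $KeyPath)) {
        return $null
    }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        return $null
    }
    # Step 4 of the workaround: the value is expected to be a REG_DWORD.
    $kind  = $key.GetValueKind($ValueName)
    $level = $key.GetValue($ValueName)
    return @{ Level = $level; Kind = $kind; IsDword = ($kind -eq 'DWord') }
}

$current = Get-CmaLogLevel
if ($null -eq $current) {
    Write-Output "CMA LogLevel not present under $KeyPath; nothing to check."
    return
}
if (-not $current.IsDword) {
    Write-Warning "LogLevel has type $($current.Kind), expected REG_DWORD; inspect manually."
}
Write-Output "Current CMA LogLevel: $($current.Level)"

if ($current.Level -ge $VulnerableLevel) {
    Write-Warning "Debug level $($current.Level) is the setting the bulletin describes as exposed."
    if ($Remediate -and $PSCmdlet.ShouldProcess($KeyPath, "Set $ValueName to $DefaultLevel")) {
        # Step 5: replace 8 with 7, keeping the REG_DWORD type.
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $DefaultLevel -Type DWord
        Write-Output "LogLevel lowered to $DefaultLevel."
    } else {
        Write-Output "Re-run with -Remediate to set LogLevel to $DefaultLevel."
    }
} else {
    Write-Output "LogLevel $($current.Level) is at or below the default; not exposed."
}
```

      Run it from an elevated PowerShell session: with no switches it only reports, `-Remediate -WhatIf` shows what would change, and `-Remediate` applies the change. The type check is kept separate from the level check so a value that has been retyped (for example as REG_SZ) is flagged for a manual look rather than silently compared as a number.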

      Workaround 2:

      The vulnerability identified above can be prevented if buffer overflow protection is enabled in VirusScan Enterprise (VSE) 8.0i or 8.5i.

      Host Intrusion Prevention System (Host IPS) also includes a buffer overflow feature, which is enabled by default, that blocks this vulnerability.

      Steps to enable Buffer Overflow for VSE 8.0i or 8.5i in ePO:

      1. Log on to the ePO console.
      2. Navigate to the Directory level.
      3. Expand the policy for VirusScan Enterprise 8.0.0 or VirusScan Enterprise 8.5.0.
      4. Click the McAfee Default entry for Buffer Overflow Protection Policies.
      5. Verify the Enable buffer overflow protection option is selected and set for Protection mode.
      6. If not, deselect Inherit, select Enable buffer overflow protection, and click Duplicate.
      7. Click Create a policy in which all tabs inherit and type a name for this in the New policy name: field.
      8. Click OK.
      9. Click Close.

      5. SUPPORT

      Corporate Technical Support:


      What McAfee products are affected by this security vulnerability?

      Computers running Common Management Agent Patch 3 and earlier with debug level set to 8.

      Does this vulnerability affect McAfee Enterprise products?

      Yes, the ePolicy Orchestrator agent is affected. The McAfee consumer products are not affected by this issue.

      How do I know if my Common Management Agent is vulnerable?

      1. Open the ePO console.
      2. Expand Reporting, ePO Databases and log on using ePO authentication.
      3. Expand Reports, Anti-Virus, Coverage and click Agent Versions.
      4. Click No to the Do you want to set a data filter for your Report prompt.
      5. Check for the agent version that is used by ePO. The agent version should not be 3.6.0 or 4.0.
      6. Follow the steps defined in Workaround 1 above to determine if your log level is set to 8.