Summary
Name: McAfee Email and Web Security Appliance v5.6 – Active session tokens
of other users are disclosed within the UI
Release Date: 30 November 2012
Reference: NGS00156
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 8 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012
Description
McAfee Email and Web Security Appliance v5.6 – Active session tokens of
other users are disclosed within the UI
McAfee Email and Web Security Appliance v5.6 (v5.6 1741.115) is prone to
session-token disclosure, meaning that (if multiple users are logged in) it
is possible to see the session tokens of other users.
The exploit would enable an attacker to:
– See the session tokens of other users after gaining access to the UI,
enabling session hijacking and horizontal/vertical privilege escalation
Technical Details
I. VULNERABILITY
McAfee Email and Web Security Appliance v5.6 – Active session tokens of
other users are disclosed within the UI
II. BACKGROUND
McAfee (owned by Intel) is one of the world's best-known providers of IT
security products.
The McAfee Email and Web Security Appliance provides security for Email and
Web protocols, and acts as a Firewall and Gateway solution.
III. DESCRIPTION
McAfee Email and Web Security Appliance v5.6 – Active session tokens of
other users are disclosed within the UI
IV. PROOF OF CONCEPT
There are at least two areas of the product where session tokens are
displayed to users.
These are:
1) In the disk space usage file browser, session tokens are seen in
directory names (see screenshots attached)
Troubleshoot > Troubleshooting Tools > Disk Space > /tmp/session
Active session tokens are highlighted with an arrow (because the directory
has contents), making it easier to see which session tokens are currently
active
2) In the configuration history
System > Cluster Management > Backup and Restore Configuration
Session tokens are visible in the backup history (see screenshot attached)
This issue can be used in combination with NGS00154 (Session hijacking) for
horizontal and vertical privilege escalation
Fix Information
Session tokens are for authentication, and have a similar function to a
short-term username/password combination.
Session tokens should not be made visible in a Web UI; treat them as if they
are passwords (because this is what they are).
Update to Email and Web Security 5.5 Patch 6, Email and Web Security 5.6
Patch 3, McAfee Email Gateway 7.0 Patch 1
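
An added example, not part of the original advisory and not McAfee's fix:
one way to keep tokens out of directory names such as those under
/tmp/session is to name each session directory with a keyed hash of the
token. The function names, the key handling and the temporary directories
are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Assumption: a per-installation secret kept outside anything the UI can display.
STORAGE_KEY = secrets.token_bytes(32)


def token_as_name(token: str) -> str:
    """Pattern the advisory describes: the directory name is the token."""
    return token


def opaque_name(token: str) -> str:
    """Keyed one-way mapping: the name identifies the directory, not the session."""
    return hmac.new(STORAGE_KEY, token.encode(), hashlib.sha256).hexdigest()[:32]


def create_session(root: str, namer=opaque_name) -> str:
    """Issue a random token and create its per-session directory under root."""
    token = secrets.token_hex(16)
    os.mkdir(os.path.join(root, namer(token)), 0o700)
    return token


def lookup_session(root: str, presented: str, namer=opaque_name):
    """Resolve a presented token to its directory, or None if there is none."""
    path = os.path.join(root, namer(presented))
    return path if os.path.isdir(path) else None


def browse(root: str) -> list:
    """Names a disk-usage file browser would render for the session directory."""
    return sorted(os.listdir(root))


def demo() -> dict:
    """Compare what the listing discloses under each naming scheme."""
    with tempfile.TemporaryDirectory() as weak, tempfile.TemporaryDirectory() as safe:
        weak_tokens = [create_session(weak, token_as_name) for _ in range(3)]
        safe_tokens = [create_session(safe) for _ in range(3)]
        return {
            "weak_leaked": sum(t in browse(weak) for t in weak_tokens),
            "safe_leaked": sum(t in browse(safe) for t in safe_tokens),
            "safe_lookup_ok": all(lookup_session(safe, t) for t in safe_tokens),
            "listed_name_accepted": any(lookup_session(safe, n) for n in browse(safe)),
        }
```

With the keyed names, a name read from the listing is not accepted as a
token, while the real token still resolves to its directory.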