McAfee Email and Web Security Appliance v5.6 – Active session tokens of other users are disclosed within the UI

Summary

Name: McAfee Email and Web Security Appliance v5.6 – Active session tokens
of other users are disclosed within the UI
Release Date: 30 November 2012
Reference: NGS00156
Discoverer: Ben Williams 
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published

TimeLine

Discovered:  8 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported:  4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012

Description

McAfee Email and Web Security Appliance v5.6 – Active session tokens of
other users are disclosed within the UI

McAfee Email and Web Security Appliance v5.6 (v5.6 1741.115) is prone to
session-token disclosure, meaning that (if multiple users are logged in) it
is possible to see the session tokens of other users.
The exploit would enable the following:

 – Having gained access to the UI, an attacker could see session tokens of
other users, enabling session hijacking and horizontal/vertical privilege
escalation

Technical Details

I. VULNERABILITY

McAfee Email and Web Security Appliance v5.6 – Active session tokens of
other users are disclosed within the UI

II. BACKGROUND

McAfee (owned by Intel) is one of the world's best known providers of IT
security products.

The McAfee Email and Web Security Appliance provides security for Email and
Web protocols, and acts as a Firewall and Gateway solution.

http://www.mcafee.com

III. DESCRIPTION

McAfee Email and Web Security Appliance v5.6 – Active session tokens of
other users are disclosed within the UI

IV. PROOF OF CONCEPT

There are at least two areas of the product where session tokens are
displayed to users.

These are:

1) In the disk space usage file browser, session tokens are seen in
directory names (see screenshots attached)

Troubleshoot > Troubleshooting Tools > Disk Space > /tmp/session

Active session tokens are highlighted with an arrow (because the directory
has contents), making it easier to see which session tokens are currently
active

2) In the configuration history

System > Cluster Management > Backup and Restore Configuration

Session tokens are visible in the backup history (see screenshot attached)

This issue can be used in combination with NGS00154 (Session hijacking) for
horizontal, and vertical privilege escalation

Fix Information

Session tokens are for authentication, and have a similar function to a
short-term username/password combination.

Session tokens should not be made visible in a Web UI; treat them as if
they are passwords (because this is what they are).

Update to Email and Web Security 5.5 Patch 6, Email and Web Security 5.6
Patch 3, McAfee Email Gateway 7.0 Patch 1
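
One way to apply the advice above to a session store whose directory names and history entries can be viewed in a UI. This is an added example, not McAfee's code or the vendor's fix. The per-install key, the directory layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: a per-install secret that is never exposed through the UI.
SERVER_KEY = secrets.token_bytes(32)


def storage_id(token: str, key: bytes = SERVER_KEY) -> str:
    """Non-reversible name used on disk and in history instead of the token."""
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()


def create_session(root: str, user: str) -> str:
    """Create a session directory; the token itself goes only to the user's cookie."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(root, storage_id(token))
    os.mkdir(path, 0o700)
    with open(os.path.join(path, "user"), "w") as fh:
        fh.write(user)
    return token


def lookup(root: str, presented: str):
    """Return the user for a presented token, or None if it is not a live session."""
    try:
        with open(os.path.join(root, storage_id(presented), "user")) as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def history_entry(user: str, action: str, token: str) -> str:
    """Audit/backup-history line carrying a short reference, never the token."""
    return f"{user} {action} session-ref={storage_id(token)[:12]}"


def demo(root: str) -> dict:
    """Constructed scenario: what a file browser and a history view would expose."""
    token = create_session(root, "admin")
    visible = os.listdir(root)
    return {
        "token_in_listing": token in visible,
        "owner": lookup(root, token),
        "replayed_dir_name": lookup(root, visible[0]),
        "token_in_history": token in history_entry("admin", "backup", token),
    }
```

A directory name copied from a file browser does not authenticate, because the store only accepts a value whose keyed hash matches an existing directory.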
