CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.018 Low
Percentile: 88.1%
McAfee VirusScan for Linux contains multiple vulnerabilities.
McAfee VirusScan for Linux version 2.0.3 and prior is vulnerable to the following:
**CWE-200: Information Exposure - CVE-2016-8016**
Multiple pages within the web interface utilize a tplt parameter. An authenticated remote attacker can manipulate the value of the tplt parameter to produce error messages that can reveal the existence of unauthorized files on the system, if the attacker can guess the filename.
**CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) - CVE-2016-8017**
An authenticated remote attacker may be able to place special text elements such as “REPLACE_THIS” or “[%” and “%]” with special meaning to the software parser into user input such that the special element may be injected into system processes such as log readers. When the log is read, the software will read these special elements as commands and take appropriate actions. An attacker may be able to use this vulnerability to remotely read files on the webserver as the nails user.
**CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-8018**
The web interface does not make use of anti-CSRF tokens and therefore may be vulnerable to CSRF.
**CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) - CVE-2016-8019**
Multiple pages within the web interface utilize a tplt parameter. When tplt is set to NailsConfig.html or MonitorHost.html, parameters info:7 and info:5 contain user input and are not properly verified. An unauthenticated remote attacker may spoof the values of info:7 and info:5 to execute arbitrary JavaScript code.
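The two tplt-related findings above (CVE-2016-8016 and CVE-2016-8019) share one handler pattern: a request parameter selects a template and further parameters are copied into the page. The following is an added example, not code from the advisory or from McAfee's product, of how such a handler is commonly hardened: the template name is resolved only through an allowlist and every rejection produces the same generic error, so a response never distinguishes "file absent" from "file present but not permitted"; and the info:N values are HTML-escaped before they reach the page. The template directory path, the allowlist contents beyond the two names the advisory gives, and the request dictionary are assumptions constructed for the example.

```python
# Added example: allowlisted template selection plus output encoding for
# user-supplied page fields. Not the product's code.
import html
import os
from typing import Dict, Tuple

# Assumption: where templates live. The real product layout is not on the page.
TEMPLATE_DIR = "/path/to/templates"
# Template names taken from the advisory text; the set itself is constructed.
ALLOWED_TEMPLATES = {"NailsConfig.html", "MonitorHost.html"}


class TemplateNotAllowed(Exception):
    """Raised for any tplt value outside the allowlist."""


def resolve_template(tplt: str) -> str:
    """Map the tplt request value to a path only through the allowlist.

    The check is a set membership test on the raw value, so traversal
    sequences, absolute paths and guessed filenames all fail identically
    without the filesystem ever being consulted (CWE-200 mitigation).
    """
    if tplt not in ALLOWED_TEMPLATES:
        raise TemplateNotAllowed("unknown template")
    return os.path.join(TEMPLATE_DIR, tplt)


def render_info_fields(template_name: str, fields: Dict[str, str]) -> str:
    """Build the page body with every user-controlled value HTML-escaped.

    html.escape(quote=True) rewrites <, >, &, " and ' into entities, so a
    value that looks like markup is shown as text instead of being parsed
    by the browser (CWE-79 mitigation).
    """
    body = [f"<h1>{html.escape(template_name, quote=True)}</h1>"]
    for key in sorted(fields):
        body.append(
            f'<div data-field="{html.escape(key, quote=True)}">'
            f"{html.escape(str(fields[key]), quote=True)}</div>"
        )
    return "\n".join(body)


def handle_request(params: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, body) for a request represented as a constructed dict."""
    try:
        path = resolve_template(params.get("tplt", ""))
    except TemplateNotAllowed:
        # Identical status and body whether or not the named file exists.
        return 404, "<p>Page not found</p>"
    info = {k: v for k, v in params.items() if k.startswith("info:")}
    return 200, render_info_fields(os.path.basename(path), info)


if __name__ == "__main__":
    # Constructed sample request carrying markup in info:7.
    status, body = handle_request({
        "tplt": "MonitorHost.html",
        "info:5": "host01",
        "info:7": "<script>alert(1)</script>",
    })
    print(status)
    print(body)
```

The important design choice is that the allowlist test happens before any filesystem call: an error message can only reveal what the code looked up, and here the lookup is a constant set, not the disk.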
**CWE-94: Improper Control of Generation of Code (‘Code Injection’) - CVE-2016-8020**
On the final page of the system scan form, the nailsd.profile.ODS_9.scannerPath variable contains the path that the system will execute to run the scan. An authenticated remote user may manipulate this value in the HTTP request to execute an arbitrary binary as the root user.
**CWE-347: Improper Verification of Cryptographic Signature - CVE-2016-8021**
The web interface does not properly verify the cryptographic signature of the file, allowing a remote attacker to spoof the update server and execute arbitrary code.
**CWE-290: Authentication Bypass by Spoofing - CVE-2016-8022**
The web interface uses an authentication cookie that embeds the users’ IP address into the cookie. A remote attacker may be able to manipulate the cookie in such a way that the service believes the cookie was sent from the victim’s IP address.
**CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-8023**
The web interface uses an authentication cookie that embeds the server start time as the DATE parameter. A remote attacker may be able to brute-force guess the server start time stored in DATE, which may lead to authentication bypass.
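CVE-2016-8022 and CVE-2016-8023 describe one cookie whose contents are the client's IP address and the server start time: the first is supplied by the requester, the second lies in a small, guessable range, so nothing in the cookie is actually secret. The missing anti-CSRF token (CVE-2016-8018) is a related session-design gap. The following added example, which is not code from the advisory or from the product, shows the weak construction next to the standard alternative: a session token drawn from the OS CSPRNG, stored server-side, tagged with an HMAC under a key that is itself random, verified with a constant-time comparison, and a per-session anti-CSRF token derived from it. The cookie field names, the in-memory session store and the HMAC labels are assumptions constructed for the example.

```python
# Added example: predictable-field cookie versus random-token session with
# HMAC tag and derived CSRF token. Not the product's code.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumption: one key generated at process start from the CSPRNG and never
# derived from the start time or any other value a client could observe.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory session store: token -> username.
_sessions: Dict[str, str] = {}


def weak_cookie(user: str, client_ip: str, server_start: int) -> str:
    """The pattern the advisory describes: every field is either chosen by
    the client (IP) or confined to a small search space (start time), so the
    cookie authenticates nothing. Shown only as the contrast case."""
    return f"USER={user}; IP={client_ip}; DATE={server_start}"


def issue_session(user: str) -> str:
    """Create a session: 256 random bits, recorded server-side, returned
    with an HMAC tag so a tampered cookie is rejected before the store
    is consulted."""
    token = secrets.token_urlsafe(32)
    _sessions[token] = user
    tag = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{tag}"


def verify_session(cookie: str) -> Optional[str]:
    """Return the username for a valid cookie, else None.

    The client IP is deliberately not an input: it is chosen by whoever
    sends the request, so binding to it adds no authentication strength,
    and it breaks legitimate users behind NAT or on changing addresses.
    """
    token, sep, tag = cookie.rpartition(".")
    if not sep or not token:
        return None
    expected = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _sessions.get(token)


def csrf_token(cookie: str) -> str:
    """Per-session anti-CSRF token: HMAC of the session token under a
    distinct label, embedded in forms and checked on state-changing requests."""
    token = cookie.rpartition(".")[0]
    return hmac.new(SERVER_KEY, b"csrf:" + token.encode(), hashlib.sha256).hexdigest()


def verify_csrf(cookie: str, submitted: str) -> bool:
    """Constant-time check of a submitted form token against the session's."""
    return hmac.compare_digest(csrf_token(cookie), submitted)


if __name__ == "__main__":
    print(weak_cookie("admin", "10.0.0.5", 1480000000))
    c = issue_session("admin")
    print(c, verify_session(c), verify_csrf(c, csrf_token(c)))
```

Two properties matter here: the only secret material is the random token (the HMAC key just makes tampering detectable without a store lookup), and the CSRF token is bound to the session by the same key, so a token captured from one session is useless against another.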
**CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) - CVE-2016-8024**
A remote attacker may be able to spoof an HTTP GET request for a CSV export of the system logs with newlines encoded in the URL in such a manner that arbitrary HTTP headers may be spoofed in the server response.
**CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) - CVE-2016-8025**
The web interface’s CSV log export functionality encodes a SQL command into the URL. A remote attacker may be able to include arbitrary SQL commands URL-encoded in an HTTP request, thereby executing SQL commands on the backend SQLite database. This database does not contain authentication information, only data about settings and previously scanned files.
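Both CVE-2016-8024 and CVE-2016-8025 live in the same CSV log-export path: request text reaches a response header unfiltered, and request text reaches the SQLite query as part of the SQL string. The added example below, which is not code from the advisory or from the product, shows the usual fixes together in one handler: the SQL text is fixed and the user-supplied filter travels as a bound parameter, and a header value is accepted only if it matches a conservative single-line token, with a fallback otherwise. The schema, rows, column names and the request values are constructed for the example; the advisory does not describe the real database beyond saying it holds settings and scan data.

```python
# Added example: CSV export with parameterised SQL and single-line header
# values. Not the product's code.
import csv
import io
import re
import sqlite3
from typing import Dict


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the scan-result database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scans (id INTEGER PRIMARY KEY, path TEXT, status TEXT)")
    conn.executemany("INSERT INTO scans (path, status) VALUES (?, ?)", [
        ("/home/alice/report.doc", "clean"),
        ("/tmp/sample.bin", "infected"),
        ("/srv/www/index.html", "clean"),
    ])
    conn.execute("CREATE TABLE settings (name TEXT, value TEXT)")
    conn.execute("INSERT INTO settings VALUES ('update_server', 'example.invalid')")
    return conn


# Conservative allowlist for a filename that will be placed in a header.
_HEADER_TOKEN = re.compile(r"[A-Za-z0-9._-]{1,64}")


def safe_filename(requested: str) -> str:
    """Return the requested filename only if it is a single safe token.

    re.fullmatch is used rather than re.match with '$', because '$' would
    still match a string ending in a newline; any CR or LF therefore fails
    the check and the constant fallback is used (CWE-113 mitigation).
    """
    return requested if _HEADER_TOKEN.fullmatch(requested) else "export.csv"


def export_logs(conn: sqlite3.Connection, status_filter: str, filename: str) -> Dict:
    """Produce a response dict (status, headers, body) for the CSV export."""
    # The SQL text is a constant; the filter is bound with '?', so quotes or
    # keywords in it are compared as a literal value, never parsed as SQL
    # (CWE-89 mitigation).
    rows = conn.execute(
        "SELECT id, path, status FROM scans WHERE status = ? ORDER BY id",
        (status_filter,),
    ).fetchall()
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "path", "status"])
    writer.writerows(rows)
    return {
        "status": 200,
        "headers": {
            "Content-Type": "text/csv",
            "Content-Disposition": f'attachment; filename="{safe_filename(filename)}"',
        },
        "body": buf.getvalue(),
    }


def headers_are_single_line(headers: Dict[str, str]) -> bool:
    """Last-line check a framework applies before serialising headers."""
    return all("\r" not in v and "\n" not in v for v in headers.values())


if __name__ == "__main__":
    db = build_demo_db()
    resp = export_logs(db, "clean", "scans.csv")
    print(resp["headers"])
    print(resp["body"])
```

The filter value is the only variable part of the query, and it never touches the SQL text; the filename is the only variable part of the headers, and it is replaced rather than cleaned when it contains anything outside the token alphabet.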
For more information, please see McAfee Security Bulletin SB10181 and the researcher’s blog post.
The CVSS score below is based on CVE-2016-8023. For further CVSS scoring and analysis, please see McAfee Security Bulletin SB10181.
Previously this Vulnerability Note also contained one vulnerability for the Windows platform. This issue was republished as its own VU#535111 to prevent product confusion.
A remote unauthenticated attacker may be able to read limited subsets of files and logs on the system, execute arbitrary JavaScript code in the web interface, or execute arbitrary code on the system.
Upgrade to a new product
McAfee has discontinued the VirusScan for Linux product in favor of the new McAfee Endpoint Security product, which addresses these vulnerabilities. McAfee recommends that affected users upgrade to Endpoint Security version 10.2 or later as soon as possible. The upgrade is available free of charge to existing users with current licenses.
245327
Notified: December 05, 2016
Updated: December 12, 2016
Statement Date: December 12, 2016
Status: Affected
We have not received a statement from the vendor.
McAfee has released Security Bulletin SB10181 for this issue.
| Group | Score | Vector |
|---|---|---|
| Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 7.3 | E:POC/RL:OF/RC:C |
| Environmental | 5.5 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Andrew Fasano for reporting these vulnerabilities to us.
This document was written by Garret Wassermann.
| CVE IDs: | CVE-2016-8016, CVE-2016-8017, CVE-2016-8018, CVE-2016-8019, CVE-2016-8020, CVE-2016-8021, CVE-2016-8022, CVE-2016-8023, CVE-2016-8024, CVE-2016-8025 |
|---|---|
| Date Public: | 2016-12-09 |
| Date First Published: | |