Vulnerabilities > CVE-2016-8021 - Improper Verification of Cryptographic Signature vulnerability in Mcafee Virusscan Enterprise

047910
CVSS 5.0 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
local
low complexity
mcafee
CWE-347
nessus
exploit available

Summary

Improper verification of cryptographic signature vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote authenticated users to spoof update server and execute arbitrary code via a crafted input file.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Padding Oracle Crypto Attack
    An attacker is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an attacker is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an attacker is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the attacker. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the attacker whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the attacker to break the cryptosystem. That bit of information can come in a form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross domain where an attacker is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating. To do so an attacker sends a request containing ciphertext to the target system. Due to the browser's same origin policy, the attacker is not able to see the response directly, but can use cross-domain information leak techniques to still get the information needed (i.e., information on whether or not a padding error has occurred). For instance, this can be done using "img" tag plus the onerror()/onload() events. The attacker's JavaScript can make web browsers to load an image on the target site, and know if the image is loaded or not. This is 1-bit information needed for the padding oracle attack to work: if the image is loaded, then it is valid padding, otherwise it is not.

Exploit-Db

descriptionMcAfee Virus Scan Enterprise for Linux - Remote Code Execution. CVE-2016-8016,CVE-2016-8017,CVE-2016-8018,CVE-2016-8019,CVE-2016-8020,CVE-2016-8021,CVE-2016-...
fileexploits/linux/remote/40911.py
idEDB-ID:40911
last seen2016-12-13
modified2016-12-13
platformlinux
port
published2016-12-13
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/40911/
titleMcAfee Virus Scan Enterprise for Linux - Remote Code Execution
typeremote

Nessus

NASL familyMisc.
NASL idMCAFEE_VSEL_SB10181.NASL
descriptionThe remote host has a version of McAfee VirusScan Enterprise for Linux (VSEL) installed that is prior or equal to 2.0.3. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the web interface due to improper error reporting. An authenticated, remote attacker can exploit this, by manipulating the
last seen2020-06-01
modified2020-06-02
plugin id95812
published2016-12-14
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/95812
titleMcAfee VirusScan Enterprise for Linux <= 2.0.3 Multiple vulnerabilities (SB10181)
code
#TRUSTED 7fa1e66ff358b6d8b86cacbe4b2c2437d7cbb4bf031024a4bda74b06877986e1cb98f80d3c86c2537bf6e283abc17a2be76805aa430945058044479762c9f554dd59a1dcb29536c25623b7af3d3b83c830353e3f1e167e1b4b912a064f086f6b78fa32d13cecb5adc30cdfeb49ea3da353dc1e843d9d7e6bb3842c8de4d4d489e9056f8f7aa6cc03b1b558ce616399466f0678075d180b8e7fe78bc4bd7123a9efcc8d65af99a7aa1a135521298518b13c5b8ce44aafda28427001a37fd1fb1853752e8005feeaf518f0e82ddd8ff70a5c57a5a32ead531e7931440d7b51eafce530f7d4c325432c6daf2a05081b8023e22886586a51aa72fe6447e857294f254ffd49b2d012620c3bba7d5ce1bb711b1f869a7c3a5904b017b9dd0d927ce092259e0d1f59398bdb5aa719de81a365dd454d9fb8f84d1938f91878736dad09476bfa169b58d7361fb3014047522b39728613efaa6165fc1dc7c695f2054ae676961a08578b45fed102542f959d81a346518de39f7ab237970ca1ea7ea2cd0974e665ae1f34d49d152aea6597fed319e0b9905ee80346d04bececd732aed7b67e543965c33b1d36a1d5eefd3c8f6864db912440e0f2fbb28f78ea2b2eeaa304cd2d0cc953514b9a08a608d73f15ae186c2b7588cc3541ce32e5b3d762c33b63db5d8128491433bda989b1fb0542fca8535a42b9be0fe06543f562aaf0ecbf8b0b
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(95812);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2016-8016",
    "CVE-2016-8017",
    "CVE-2016-8018",
    "CVE-2016-8019",
    "CVE-2016-8020",
    "CVE-2016-8021",
    "CVE-2016-8022",
    "CVE-2016-8023",
    "CVE-2016-8024",
    "CVE-2016-8025"
  );
  script_bugtraq_id(94823);
  script_xref(name:"MCAFEE-SB", value:"SB10181");
  script_xref(name:"CERT", value:"245327");
  script_xref(name:"EDB-ID", value:"40911");

  script_name(english:"McAfee VirusScan Enterprise for Linux <= 2.0.3 Multiple vulnerabilities (SB10181)");
  script_summary(english:"Checks VSEL version");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host has a version of McAfee VirusScan Enterprise for Linux
(VSEL) installed that is prior or equal to 2.0.3. It is, therefore,
affected by multiple vulnerabilities :

  - An information disclosure vulnerability exists in the
    web interface due to improper error reporting. An
    authenticated, remote attacker can exploit this, by
    manipulating the 'tplt' parameter, to disclose filenames
    on the system. (CVE-2016-8016)

  - An information disclosure vulnerability exists in the
    parser due to improper handling of template files. An
    authenticated, remote attacker can exploit this, via
    specially crafted text elements, to disclose the
    contents of arbitrary files subject to the privileges of
    the 'nails' account. (CVE-2016-8017)

  - Multiple cross-site request forgery (XSRF)
    vulnerabilities exist in the web interface due to a
    failure to require multiple steps, explicit
    confirmation, or a unique token when performing certain
    sensitive actions. An unauthenticated, remote attacker
    can exploit these vulnerabilities, by convincing a user
    to follow a specially crafted link, to execute arbitrary
    script code or commands in a user's browser session.
    (CVE-2016-8018)

  - Multiple cross-site scripting (XSS) vulnerabilities
    exist due to improper validation of user-supplied input
    to the 'info:7' and 'info:5' parameters when the 'tplt'
    parameter is set in NailsConfig.html or
    MonitorHost.html. An unauthenticated, remote attacker
    can exploit these vulnerabilities, via a specially
    crafted request, to execute arbitrary script code in a
    user's browser session. (CVE-2016-8019)

  - A remote code execution vulnerability exists due to
    improper validation of user-supplied input to the
    'nailsd.profile.ODS_9.scannerPath' variable in the last
    page of the system scan form. An authenticated, remote
    attacker can exploit this, via a specially crafted HTTP
    request, to execute arbitrary code as the root user.
    (CVE-2016-8020)

  - A remote code execution vulnerability exists in the web
    interface when downloading update files from a specified
    update server due to a race condition. An authenticated,
    remote attacker can exploit this to place and execute a
    downloaded file before integrity checks are completed.
    (CVE-2016-8021)

  - A security bypass vulnerability exists in the web
    interface due to improper handling of authentication
    cookies. The authentication cookie stores the IP address 
    of the client and is checked to ensure it matches the
    IP address of the client sending it; however, an 
    unauthenticated, remote attacker can cause the cookie to
    be incorrectly parsed by adding a number of spaces to
    the IP address stored within the cookie, resulting in a
    bypass of the security mechanism. (CVE-2016-8022)

  - A security bypass vulnerability exists in the web
    interface due to improper handling of the nailsSessionId
    authentication cookie. An unauthenticated, remote
    attacker can exploit this, by brute-force guessing the
    server start authentication token within the cookie, to
    bypass authentication mechanisms. (CVE-2016-8023)

  - An HTTP response splitting vulnerability exists due to
    improper sanitization of carriage return and line feed
    (CRLF) character sequences passed to the 'info:0'
    parameter before being included in HTTP responses. An
    authenticated, remote attacker can exploit this to
    inject additional headers in responses and disclose
    sensitive information. (CVE-2016-8024)

  - A SQL injection (SQLi) vulnerability exists in the web
    interface due to improper sanitization of user-supplied
    input to the 'mon:0' parameter. An authenticated, remote
    attacker can exploit this to inject or manipulate SQL
    queries in the back-end database, resulting in the
    manipulation or disclosure of arbitrary data.
    (CVE-2016-8025)");
  script_set_attribute(attribute:"see_also", value:"https://kc.mcafee.com/corporate/index?page=content&id=SB10181");
  script_set_attribute(attribute:"see_also", value:"https://nation.state.actor/mcafee.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Endpoint Security for Linux (ENSL) version 10.2.0 or later.
Alternatively, as a workaround, open the following line in a text editor:
'/var/opt/NAI/LinuxShield/etc/nailsd.cfg' and change 'nailsd.disableCltWEbUI: false' 
to the value of true and restart the nails service.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-8024");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:virusscan_enterprise");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mcafee_vsel_detect.nbin");
  script_require_keys("installed_sw/McAfee VirusScan Enterprise for Linux");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");

if ( islocalhost() )
{
  port = 0;
  if ( ! defined_func("pread") ) exit(1, "'pread()' is not defined.");
    info_t = INFO_LOCAL;
}
else
{
  port = kb_ssh_transport();
  if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

  ret = ssh_open_connection();
  if (!ret) audit(AUDIT_FN_FAIL, "ssh_open_connection()");

    info_t = INFO_SSH;
}

app_name = "McAfee VirusScan Enterprise for Linux";
get_install_count(app_name:app_name, exit_if_zero:TRUE);

install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
version = install['version'];
vuln = FALSE;

if (ver_compare(ver:version, fix:"2.0.3", strict:FALSE) <= 0 || version =~ "^2\.0\.3") 
{
  cmd = 'grep nailsd.disableCltWebUI /var/opt/NAI/LinuxShield/etc/nailsd.cfg | tr -d "\n"';
  buf = info_send_cmd(cmd:cmd);
  # match = is temporary workaround in place?
  match = pregmatch(pattern:'nailsd.disableCltWebUI: true', string:buf);
  if (!isnull(match)) audit(AUDIT_HOST_NOT, "affected because 'nailsd.disableCltWebUI' is set to true");
  # set to false & vulnerable
  notSet = pregmatch(pattern:'nailsd.disableCltWebUI: false', string:buf);
  # no config setting & vuln
  dne = pregmatch(pattern:'nailsd.disableCltWebUI:', string:buf);
  # if false or if the config does not exist and we are v2.0.3 then flag as vuln
  if (!isnull(notSet) || isnull(dne)) vuln = TRUE;
}


if (vuln)
{
  port = 0;
  report ='\nInstalled version : ' + version +
          '\nSolution          : Upgrade to McAfee Endpoint Security for Linux (ENSL) 10.2.0 or later.\n';
  security_report_v4(severity:SECURITY_WARNING, extra:report, port:port, xss:TRUE, sqli:TRUE, xsrf:TRUE);
}
else audit(AUDIT_INST_VER_NOT_VULN, version);

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/140147/mvsel-exec.txt
idPACKETSTORM:140147
last seen2016-12-14
published2016-12-14
reporterAndrew Fasano
sourcehttps://packetstormsecurity.com/files/140147/McAfee-Virus-Scan-Enterprise-For-Linux-Remote-Code-Execution.html
titleMcAfee Virus Scan Enterprise For Linux Remote Code Execution

Saint

bid94823
descriptionMcAfee VirusScan Enterprise for Linux authentication token brute force
titlemcafee_virus_scan_linux_brute
typeremote