TippingPoint Zero Day Initiative
 

McAfee Firewall Reporter GeneralUtilities.pm isValidClient Authentication Bypass Vulnerability

ZDI-11-117: April 11th, 2011

CVSS Score

Affected Vendors

    McAfee

Affected Products

    Firewall Reporter

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10522. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of McAfee Firewall Reporter. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the code responsible for authenticating users. The GernalUtilities.pm file contains code to validate sessions by parsing cookie values without sanitization. The faulty logic simply checks for the existence of a particular file, without verifying its contents. By using a directory traversal technique an attacker can point the cgisess cookie value to an arbitrary file that exists on the server and thus bypass authentication.

Vendor Response

McAfee states:

Fixed February 9, 2011
Bulletin modified April 11, 2011:
https://kc.mcafee.com/corporate/index?page=content&id=SB10015


Disclosure Timeline

    2010-09-22 - Vulnerability reported to vendor
    2011-04-11 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:
    Andrea Micalizzi aka rgod