CERT Coordination Center


McAfee ASaP VirusScan service does not adequately validate input

Vulnerability Note VU#190267

Original Release Date: 2001-08-09 | Last Revised: 2003-04-14

Overview

A vulnerability exists in McAfee ASaP VirusScan that permits intruders to access files outside of the web root.

Description

Quoting from the McAfee ASaP VirusScan FAQ, McAfee ASaP VirusScan is "a web-based, managed and updated anti-virus service for the entire desktop environment." McAfee ASaP VirusScan allows hosts to share virus definitions, eliminating the need for all of the hosts to update their virus signature software from one central location. To make this possible, each host running the software also runs a lightweight HTTP server that listens on 6515/TCP. Because this HTTP server does not adequately validate the requested path, a malicious user can connect to 6515/TCP and traverse the host file system to access any file on the system. For example:

HTTP://<Target IP Address>:6515/.../.../.../.../winnt/repair
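
The following is an added example, not code from CERT/CC or the vendor (the page does not describe the actual fix): one way a file-serving HTTP agent can validate request paths so that dot-run segments such as the `...` above cannot resolve outside the web root. The web root, file names and helper names are assumptions made for illustration.

```python
import os
import re
from urllib.parse import unquote

class TraversalRejected(ValueError):
    """The request path could resolve outside the web root."""

def resolve_under_root(web_root, request_target):
    """Return the file path for request_target inside web_root, or raise."""
    path = unquote(request_target.split("?", 1)[0].split("#", 1)[0])
    # Strict policy (assumption): after one decode, a NUL byte or a leftover
    # '%' (a sign of nested encoding) is refused outright.
    if "\x00" in path or "%" in path:
        raise TraversalRejected("NUL byte or nested percent-encoding")
    segments = []
    for seg in re.split(r"[\\/]", path):   # Windows accepts both separators
        if seg in ("", "."):
            continue                        # empty or current-dir: skip
        if seg.rstrip(". ") == "":
            # Only dots/spaces: "..", "...", "....", ".. " and similar.
            raise TraversalRejected("dot-run segment: %r" % seg)
        if ":" in seg:
            raise TraversalRejected("drive letter or stream in %r" % seg)
        segments.append(seg)
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Final containment check on the canonical path (also covers symlinks).
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalRejected("resolves outside web root")
    return candidate

def is_allowed(web_root, request_target):
    """True when the request target maps to a path inside web_root."""
    try:
        resolve_under_root(web_root, request_target)
        return True
    except TraversalRejected:
        return False

if __name__ == "__main__":
    ROOT = "/srv/agent/www"                 # constructed web root
    SAMPLES = [                             # constructed request targets
        "/dat/4150/scan.dat",
        "/.../.../.../.../winnt/repair",    # pattern from the advisory
        "/%2e%2e/%2e%2e/winnt/repair",
        "/..\\..\\winnt\\repair",
    ]
    for target in SAMPLES:
        print("ALLOW" if is_allowed(ROOT, target) else "DENY ", target)
```

Rejecting dot-only segments before joining matters because a check for `..` alone would let `...` through to a file system layer that may interpret it; the canonical-path comparison afterwards is the backstop.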

Impact

A malicious user can connect to 6515/TCP and traverse the host file system, thus viewing any file on the target host with the privileges of the HTTP server, typically SYSTEM.

Solution

NAI has patched this vulnerability. The patch will be automatically disseminated to all affected hosts. Quoting from an NAI announcement regarding this vulnerability:
McAfee has taken action to address the vulnerability discovered in the VirusScan ASaP agent technology, which affected all users of VirusScan ASaP. McAfee has distributed the fix to all McAfee ASaP update sites for automatic distribution to end users. The fix will be downloaded and applied to end user systems in the normal course of updating that VirusScan ASaP performs each day. Any VirusScan ASaP agents that have performed an update since 03:30 Greenwich Mean Time on July 14, 2001 will have applied the fix.

Vendor Information

Network Associates

Notified: June 28, 2001
Updated: August 09, 2001

Status

  Vulnerable

Vendor Statement

Please see http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0107&L=ntbugtraq&F=P&S=&P=1558

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

McAfee would like to advise NT Bugtraq readers of the release of a fix for the vulnerability:

McAfee has taken action to address the vulnerability discovered in the VirusScan ASaP agent technology, which affected all users of VirusScan ASaP. McAfee has distributed the fix to all McAfee ASaP update sites for automatic distribution to end users. The fix will be downloaded and applied to end user systems in the normal course of updating that VirusScan ASaP performs each day. Any VirusScan ASaP agents that have performed an update since 03:30 Greenwich Mean Time on July 14, 2001 will have applied the fix.

Users who wish to manually initiate an update can do so by double clicking on the VirusScan ASaP system tray icon. Users who have questions about this procedure or experience other issues should contact McAfee technical support through standard channels.

McAfee has received no reports of security breaches at customer sites as a result of this vulnerability.

Stephanie Sparck
Manager of Channel Marketing
Network Associates

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Credit

This vulnerability was discovered by Aiden ORawe <ade245@hushmail.com> and reported to the CERT Coordination Center.

This document was written by Ian A. Finlay.

Other Information

CVE IDs: CVE-2001-1144
Severity Metric: 30.60
Date Public: 2001-07-11
Date First Published: 2001-08-09
Date Last Updated: 2003-04-14 17:51 UTC
Document Revision: 44

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.