McAfee Common Management Agent (CMA) packet buffer overflow (Security_Management_Heap_BO)

About this signature or vulnerability

Proventia Network IPS, RealSecure Desktop, Proventia Network IDS, Proventia Desktop, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

McAfee Common Management Agent (CMA), which is used in multiple McAfee products, is vulnerable to a heap-based buffer overflow, caused by improper bounds checking of packets. By sending a specially-crafted packet to an affected system, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the CMA node to crash. The application may receive this data via TCP or UDP communications.

This signature detects specially-crafted data which may permit the execution of arbitrary code in a specific security management application. The application may receive this data through either TCP or UDP communications.


Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia Network IPS: XPU 1.95, RealSecure Desktop: eqb, Proventia Network IDS: XPU 24.56, Proventia Desktop: 1960, Proventia-G 1.1 and earlier: XPU 24.56, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.1960, Proventia Network MFS: XPU 1.95, RealSecure Server Sensor: XPU 24.56, RealSecure Network: XPU 24.56, BlackICE PC Protection: 3.6cqb, BlackICE Server Protection: 3.6.cqb, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 1.95

Systems affected

McAfee ePolicy Orchestrator: 3.6.1, McAfee ProtectionPilot: 1.1.1, McAfee ProtectionPilot: 1.5, McAfee Common Management Agent: 3.6.0.438, McAfee Common Management Agent: 3.6.0.453, McAfee ePolicy Orchestrator: 3.5.0, McAfee ePolicy Orchestrator: 3.6.0

Type

Unauthorized Access Attempt

Vulnerability description

McAfee Common Management Agent (CMA), which is used in multiple McAfee products, is vulnerable to a heap-based buffer overflow, caused by improper bounds checking of packets. By sending a specially-crafted packet to an affected system, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the CMA node to crash.

How to remove this vulnerability

Upgrade to the latest version of McAfee Common Management Agent (3.6.0 Patch 1 (CMA3.6.0.546) or later), as listed in McAfee Support Document ID: 613366. See References.

References

IBM Internet Security Systems Protection Advisory July 10, 2007
McAfee ePolicy Orchestrator Agent Remote Code Execution
http://www.iss.net/threats/269.html

McAfee Support Document ID: 613366 Document ID: 613366
McAfee Security Bulletin - Heap based buffer overflow of Common Management Agent (CMA)
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=613366

ISS X-Force
McAfee Common Management Agent (CMA) packet buffer overflow
http://www.iss.net/security_center/static/31164.php

CVE
CVE-2006-5273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5273