McAfee Common Management Agent (CMA) ping buffer overflow (Security_Management_Post_Overflow)

About this signature or vulnerability

RealSecure Desktop, Proventia Network IPS, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects an overflow from a HTTP POST request sent to a specific security management application which may result in arbitrary code execution.

McAfee Common Management Agent (CMA), which is used in multiple McAfee products, is vulnerable to a stack-based buffer overflow, caused by improper bounds checking of pings. By sending a specially-crafted packet to an affected system, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the CMA node to crash.

Default risk level

 High

Sensors that have this signature

RealSecure Desktop: eqb, Proventia Network IPS: XPU 1.95, Proventia Desktop: 1960, Proventia Network IDS: XPU 24.56, Proventia-G 1.1 and earlier: XPU 24.56, Proventia Network MFS: XPU 1.95, IBM Security Server Protection for Windows: 1.0.914.1960, IBM Security Server Protection for Windows: 2.1.14.2400, BlackICE Server Protection: 3.6.cqb, BlackICE PC Protection: 3.6cqb, RealSecure Network: XPU 24.56, RealSecure Server Sensor: XPU 24.56, Proventia Server IPS for Linux technology: 1.95, Virtual Server Protection for Vmware: 1.0

Systems affected

McAfee ePolicy Orchestrator: 3.6.1, McAfee ProtectionPilot: 1.1.1, McAfee ProtectionPilot: 1.5, McAfee Common Management Agent: 3.6.0.453, McAfee ePolicy Orchestrator: 3.5.0, McAfee ePolicy Orchestrator: 3.6.0

Type

Unauthorized Access Attempt

Vulnerability description

How to remove this vulnerability

References