RealSecure Server Sensor, RealSecure Network, BlackICE Server Protection, BlackICE PC Protection, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, RealSecure Desktop, Virtual Server Protection for VMware:
McAfee Common Management Agent (CMA), which is used in multiple McAfee products, is vulnerable to a heap-based buffer overflow, caused by improper bounds checking of packets. By sending a specially-crafted packet to an affected system, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the CMA node to crash. The application may receive this data via TCP or UDP communications.
This signature detects specially-crafted data which may permit the execution of arbitrary code in a specific security management application. The application may receive this data through either TCP or UDP communications.
High
RealSecure Server Sensor: XPU 24.56, RealSecure Network: XPU 24.56, BlackICE Server Protection: 3.6.cqb, BlackICE PC Protection: 3.6cqb, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.1960, Proventia Network MFS: XPU 1.95, Proventia-G 1.1 and earlier: XPU 24.56, Proventia Network IDS: XPU 24.56, Proventia Desktop: 1960, Proventia Network IPS: XPU 1.95, Proventia Server IPS for Linux technology: 1.95, RealSecure Desktop: eqb, Virtual Server Protection for VMware: 1.0
McAfee ePolicy Orchestrator: 3.6.1, McAfee ProtectionPilot: 1.1.1, McAfee ProtectionPilot: 1.5, McAfee Common Management Agent: 3.6.0.438, McAfee Common Management Agent: 3.6.0.453, McAfee ePolicy Orchestrator: 3.5.0, McAfee ePolicy Orchestrator: 3.6.0
Unauthorized Access Attempt
Upgrade to the latest version of McAfee Common Management Agent (3.6.0 Patch 1 (CMA3.6.0.546) or later), as listed in McAfee Support Document ID: 613366. See References.
IBM Internet Security Systems Protection Advisory July 10, 2007
McAfee ePolicy Orchestrator Agent Remote Code Execution
http://www.iss.net/threats/269.html
McAfee Support Document ID: 613366
Document ID: 613366
McAfee Security Bulletin - Heap based buffer overflow of Common Management Agent (CMA)
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=613366
ISS X-Force
McAfee Common Management Agent (CMA) packet buffer overflow
http://www.iss.net/security_center/static/31164.php
CVE
CVE-2006-5273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5273