McAfee Common Management Agent (CMA) ping buffer overflow (Security_Management_Post_Overflow)

About this signature or vulnerability

RealSecure Desktop, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for Vmware:

This signature detects an overflow from a HTTP POST request sent to a specific security management application which may result in arbitrary code execution.

McAfee Common Management Agent (CMA), which is used in multiple McAfee products, is vulnerable to a stack-based buffer overflow, caused by improper bounds checking of pings. By sending a specially-crafted packet to an affected system, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the CMA node to crash.

Default risk level

 High

Sensors that have this signature

RealSecure Desktop: eqb, Proventia Server IPS for Linux technology: 1.95, Proventia Network IPS: XPU 1.95, Proventia Desktop: 1960, Proventia Network IDS: XPU 24.56, Proventia-G 1.1 and earlier: XPU 24.56, Proventia Network MFS: XPU 1.95, IBM Security Server Protection for Windows: 1.0.914.1960, IBM Security Server Protection for Windows: 2.1.14.2400, BlackICE PC Protection: 3.6cqb, BlackICE Server Protection: 3.6.cqb, RealSecure Network: XPU 24.56, RealSecure Server Sensor: XPU 24.56, Virtual Server Protection for Vmware: 1.0

Systems affected

McAfee ePolicy Orchestrator: 3.6.1, McAfee ProtectionPilot: 1.1.1, McAfee ProtectionPilot: 1.5, McAfee Common Management Agent: 3.6.0.453, McAfee ePolicy Orchestrator: 3.5.0, McAfee ePolicy Orchestrator: 3.6.0

Type

Unauthorized Access Attempt

Vulnerability description

How to remove this vulnerability

References