July 14, 2006 1:42 PM PDT
McAfee fixes flaw--without realizing it
The flaw affects McAfee's ePolicy Orchestrator (ePO) Common Management Agent prior to the current 3.5.5 version, technology used to manage security software installed on about 40 million PCs in large organizations, McAfee said. A successful attack that exploits the flaw could result in the full compromise of a targeted computer, the company said.
"It is certainly one of the most serious issues that we have come across," John Viega, vice president and chief security architect at Santa Clara, Calif.-based McAfee said in an interview.
McAfee was notified of the flaw by eEye Digital Security on July 5, but at the time had already fixed the flaw in an update to its software that was released in January, Viega said. That update, the current 3.5.5 version, was meant to fine-tune the system, not fix security flaws, he said.
"We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week," Viega said. "We were optimizing the system, not looking for security vulnerabilities." The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.
The McAfee issue does not affect consumer systems as those will not have the management software installed. McAfee could not immediately say how many of its business customers might still be using a vulnerable version of the management tool. McAfee ePO is one of the more popular management applications for security software in larger organizations.
The flaw exists in the Framework Service component of the vulnerable McAfee product, eEye said in an advisory published on Thursday. That service is enabled and running by default on all servers and agents, eEye said.
"Due to a directory traversal attack, it is possible to write any file with any contents to anywhere on the remote system," according to the eEye advisory. The Aliso Viejo, Calif.-based maker of intrusion prevention software deems the problem "critical." Some of eEye's products compete with McAfee products.
Symantec, another McAfee rival, said in an alert to customers that an anonymous attacker could exploit the McAfee flaw to overwrite existing files or place arbitrary files on a vulnerable computer. "If successfully exploited, this issue can lead to a complete compromise," Symantec said.
In order to accomplish this exploit, an attacker would need network access to the client machine and then would need to send a message in a specific format, McAfee's Viega said. "Now that eEye has published that format it becomes a lot easier (to launch an attack)," he said. "It is generally reasonably easy to exploit if you know about the problem."
McAfee urges customers who have not yet updated their ePO software to do so. "We always encourage our customers to be using the most current version of the software and that certainly applies here," Viega said.