Epic Failure from McAfee
When you outsource all your PCI scanning to another company, you'd expect that company to be careful with your data. First off, there's the fact that security is what they do- if that data were to get leaked, you'd expect the damage to reputation alone to be crippling.
Second, (and probably the least important, really), the PCI ASV validation requirements (section 4.5.1, if you're interested) make it pretty clear that client data should be kept very confidential.
Finally, the data contained on those servers- lists of vulnerabilities on all their clients' systems, along with security administrators' passwords and more, is pretty high on the list of Things You Don't Want Getting Out.
You know what's coming.
We've found problems with McAfee time and time again. I was saving this for a post later this week, but given recent events, I think the time is right.
Until last week, McAfee Secure was vulnerable to critical CSRF holes. Not little ones, or ones that were difficult to exploit- basic, zero-kowledge, classic GET-based total-account-compromise holes. I think the pictures tell the story:
I sent a vulnerability report to a contact at McAfee and they responded quickly, communicated with me, and fixed the issue. They also began reviewing their entire codebase for similar holes. I commend them for that, but I cannot overlook the fact that this vulnerability never should have existed in the first place.
It's not going to be a surprise to anybody, but this is solid proof that McAfee Secure is mis-named. Their failure here is on an epic scale:
I have a lot more information coming on this and related issues. Try the veal, tip your waitress, I'll be here all week.
Second, (and probably the least important, really), the PCI ASV validation requirements (section 4.5.1, if you're interested) make it pretty clear that client data should be kept very confidential.
Finally, the data contained on those servers- lists of vulnerabilities on all their clients' systems, along with security administrators' passwords and more, is pretty high on the list of Things You Don't Want Getting Out.
You know what's coming.
We've found problems with McAfee time and time again. I was saving this for a post later this week, but given recent events, I think the time is right.
Until last week, McAfee Secure was vulnerable to critical CSRF holes. Not little ones, or ones that were difficult to exploit- basic, zero-kowledge, classic GET-based total-account-compromise holes. I think the pictures tell the story:
I sent a vulnerability report to a contact at McAfee and they responded quickly, communicated with me, and fixed the issue. They also began reviewing their entire codebase for similar holes. I commend them for that, but I cannot overlook the fact that this vulnerability never should have existed in the first place.
It's not going to be a surprise to anybody, but this is solid proof that McAfee Secure is mis-named. Their failure here is on an epic scale:
- They did not comply with PCI requirements for ASVs
- They did not use a secure software development lifecycle in building this application
- An in-depth penetration test should catch an issue like this, so I presume that no such audit has taken place
- Until I reported it, they had never performed a full code review for web vulnerabilities
- As you can see in the 1st and 3rd screenshots, the application was itself certified as McAfee Secure when I performed this demonstration.
- At no point in five weeks from me finding the vulnerability and it being fixed was that McAfee Secure logo removed from their own website.
I have a lot more information coming on this and related issues. Try the veal, tip your waitress, I'll be here all week.
Labels: Audits, CSRF, Exploits, Full Disclosure, McAfee, PCI-DSS, Web Applications
posted by mckt at
10:06 AM
2 Comments:
Mike, You know what's funny...You would expect that with all the talk about how much "testing" ASVs have to go through, that you'd be right about how this should have been caught via that method.
The sad reality is that ASV testing is laughable. The way it works is... the MC lab / infoguard give ASVs the test criteria and say "send us results that show you pass." The lab actually measures nothing.
They also don't measure the product's inherent security state, or search for vulns as you've done above.
An interesting study would be to pentest all 100+ish ASV scanning portals and see how many of them are hosed.
Cheers...
By
Matt Harrigan, At
May 5, 2009 8:54 AM
here, here!
By
Jason Remillard - 54f3.com, At
September 22, 2009 9:27 AM
Post a Comment
Subscribe to Post Comments [Atom]
<< Home