The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of McAfee NSM: stealing authentication cookie

Synthesis of the vulnerability 

An attacker who can exploit a Cross Site Scripting vulnerability can steal the authentication cookie of McAfee Network Security Manager.
Impacted systems: McAfee ISM, McAfee NSM.
Severity of this alert: 1/4.
Creation date: 12/11/2009.
References of this alert: BID-37004, CVE-2009-3566, SB10005, SWRX-2009-002, VIGILANCE-VUL-9197.

Description of the vulnerability 

The HTTP Set-Cookie header defines a cookie. This header can also contain the HTTPOnly attribute:
  Set-Cookie: v=abc; HTTPOnly
This attribute indicates that the cookie cannot be accessed from JavaScript. This feature has been supported since IE 6 SP1, Mozilla Firefox 3.0.0.6 and Opera 9.23, in order to protect a website against Cross Site Scripting.

However, McAfee NSM does not use HTTPOnly. When NSM is affected by a Cross Site Scripting vulnerability (such as VIGILANCE-VUL-9196), an attacker can therefore steal the authentication cookie. The attacker can then spoof the identity of the administrator.

An attacker who can exploit a Cross Site Scripting vulnerability can therefore steal the authentication cookie of McAfee Network Security Manager.
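
The missing attribute described above can be checked from the defender's side by inspecting the Set-Cookie headers of a response. The following Python code is an added example, not part of the original bulletin or of McAfee's software; the header list and the cookie names and values in it are constructed sample data.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute (added example)."""

# Constructed sample response headers; cookie names and values are made up
# and are not the cookies actually used by McAfee NSM.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "v=abc; HTTPOnly"),
    ("Set-Cookie", "sid=0123456789ABCDEF; Path=/"),
    # The *value* is "httponly", but the attribute is absent.
    ("Set-Cookie", "theme=httponly; Path=/"),
    # Header and attribute names are case-insensitive; spacing may vary.
    ("set-cookie", "lang=en; path=/; httponly ; Secure"),
]


def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = value.split(";")
    # The first element is always the name=value pair, never an attribute.
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        attr = part.split("=", 1)[0].strip().lower()
        if attr:
            attrs.add(attr)
    return name, attrs


def cookies_missing_httponly(headers):
    """List the names of cookies set without the HttpOnly attribute."""
    missing = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {name!r} is readable from JavaScript (no HttpOnly)")
```

A plain substring search for "httponly" would wrongly accept the `theme` cookie, which is why the name=value pair is separated from the attributes before matching.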

This computer vulnerability bulletin impacts software or systems such as McAfee ISM, McAfee NSM.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is low.

The trust level is of type confirmed by the editor, with an origin of intranet client.

An attacker with an expert ability can exploit this threat note.

Solutions for this threat 

McAfee NSM: version 5.1.11.8.1.
Version 5.1.11.8.1 is corrected:
  https://secure.nai.com/apps/downloads/my_products/login.asp
