COMMAND

    McAfee ASaP Virusscan - myCIO HTTP Server

SYSTEMS AFFECTED

    Any machine running the McAfee Agent ASaP VirusScan Software

PROBLEM

    'ade245' found following.   McAfee ASap Virusscan is  a Web-based,
    managed   and   updated   Anti-Virus   Service   for  the  Desktop
    Environment.  On setup agent  software is installed on the  client
    machine.   This  software  incorporates  what  is known as "Rumour
    Technology" that facilitates in the transfer of virus  definitions
    between  neigbouring  machines.   This  agent  software  runs as a
    service ("McAfee Agent") under  the local system account  and uses
    a light weight HTTP server that listens on port 6515.

    This web  server is  restricted to  serve files  that are  located
    under \winnt\mycio\agent\rmrcache, however it is possible to break
    out of  this by  using a  specially formatted  directory traversal
    URL.  This means that an attacker can connect to the webserver and
    view and/or download any file that resides on the target box.  Due
    to  the  fact  that  the  service  is running as local system NTFS
    permissions are redundant.

    To view the contents of WinNT/Repair enter the following URL  into
    a web browser:

        HTTP://<Target IP Address>:6515/.../.../.../.../winnt/repair

SOLUTION

    Disable the McAfee Agent service  or alternatively run it under  a
    local  user  account  and  set  the  NTFS permissions accordingly.

    McAfee has taken action to address the vulnerability discovered in
    the VirusScan ASaP agent  technology, which affected all  users of
    VirusScan ASaP. McAfee has distributed the fix to all McAfee  ASaP
    update sites  for automatic  distribution to  end users.   The fix
    will be downloaded and applied  to end user systems in  the normal
    course of  updating that  VirusScan ASaP  performs each  day.  Any
    VirusScan ASaP agents  that have performed  an update since  03:30
    Greenwich Mean Time on July 14, 2001 will have applied the fix.

    Users who wish to manually initiate an update can do so by  double
    clicking on the  VirusScan ASaP system  tray icon. Users  who have
    questions about this procedure  or experience other issues  should
    contact McAfee technical support through standard channels.