First Published: July 30, 2021
 

Product:	Impacted Versions:	CVE ID:	Severity Ratings:	CVSS v3.1 Base Scores:
Policy Auditor (PA)	Prior to 6.5.1	CVE-2016-0718	Critical	9.8
PA	Prior to 6.5.1	CVE-2016-4472	High	8.1
PA	Prior to 6.5.1	CVE-2016-5300	High	7.5
PA	Prior to 6.5.1	CVE-2017-17740	High	7.5
PA	Prior to 6.5.1	CVE-2017-9287	Medium	6.5
PA	Prior to 6.5.1	CVE-2019-13057	Medium	4.9
PA	Prior to 6.5.1	CVE-2020-15719	Medium	4.2
PA	Prior to 6.5.1	CVE-2019-1543	High	7.4
PA	Prior to 6.5.1	CVE-2019-1547	Medium	4.7
PA	Prior to 6.5.1	CVE-2019-1552	Low	3.3
PA	Prior to 6.5.1	CVE-2019-1563	Low	3.7
PA	Prior to 6.5.1	CVE-2019-8457	Critical	9.8
PA	Prior to 6.5.1	CVE-2018-20506	High	8.1
PA	Prior to 6.5.1	CVE-2018-20346	High	8.1
PA	Prior to 6.5.1	CVE-2019-16168	Medium	6.5
PA	Prior to 6.5.1	CVE-2017-12627	Critical	9.8
Recommendations:	Update to Policy Auditor 6.5.1
Security Bulletin Replacement:	None
Location of updated software:	Product Downloads site

Article contents:

• Vulnerability Description
• Remediation
• Frequently Asked Questions (FAQs)
• Resources
• Disclaimer

Vulnerability Description
PA 6.5.1 contains updates for five third-party libraries. These updates are grouped by library and ordered by CVSS rating.

Expat XML Parser:

1. CVE-2016-0718
   Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
    
2. CVE-2016-4472
   The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: This vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472
    
3. CVE-2016-5300
   The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: This vulnerability exists because of an incomplete fix for CVE-2012-0876.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300

OpenLDAP:

4. CVE-2017-17740
   contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
    
5. CVE-2017-9287
   servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9287
    
6. CVE-2019-13057
   An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13057
    
7. CVE-2020-15719
   libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15719

OpenSSL:

8. CVE-2019-1543
   ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543
    
9. CVE-2019-1547
   Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547
    
10. CVE-2019-1563
    In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563
     
11. CVE-2019-1552
    OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1552

SQLite:

12. CVE-2019-8457
    SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
     
13. CVE-2018-20346
    SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20346
     
14. CVE-2018-20506
    SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20506
     
15. CVE-2019-16168
    In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168

Xerces:

16. CVE-2017-12627
    In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12627

Remediation
To remediate this issue, go to the Product Downloads site, and download the applicable product update/hotfix file:
 

Product	Version	Type	Release Date
Policy Auditor	6.5.1	Update	July 29, 2021

 
Download and Installation Instructions
For instructions to download product updates and hotfixes, see: KB56057 - How to download Enterprise product updates and documentation. Review the Release Notes and the Installation Guide for instructions on how to install these updates. All documentation is available on the Product Documentation site.
Frequently Asked Questions (FAQs)
How do I know if my product is vulnerable or not?
For Endpoint Security on Windows:
Use the following instructions for endpoint or client-based products:

1. Right-click the McAfee tray shield icon on the Windows taskbar.
2. Select McAfee Endpoint Security.
3. In the console, select Action Menu.
4. In the Action Menu, select About. The product version displays.

For endpoint products and ENS on other platforms:
Use the following instructions for endpoint or client-based products:

1. Right-click the McAfee tray shield icon on the Windows taskbar.
2. Select Open Console.
3. In the console, select Action Menu.
4. In the Action Menu, select Product Details. The product version displays.

For Appliances:
Use the following instructions for Appliance-based products:

1. Open the Administrator's User Interface (UI).
2. Click the About link. The product version displays.

What is CVSS?
Common Vulnerability Scoring System (CVSS) is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website.
 
When calculating CVSS scores, we've adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by the successful exploitation of the issue being scored.

Where can I find a list of all Security Bulletins?
All Security Bulletins are published on our Knowledge Center. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).
 
How do I report a product vulnerability to you?
If you have information about a security issue or vulnerability with a product, follow the instructions provided in KB95563 - Report a vulnerability.
 
How do you respond to this and any other reported security flaws?
Our key priority is the security of our customers. If a vulnerability is found within any of our software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.
 
We only publish Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.
 
To view our PSIRT policy, see KB95564 - About PSIRT.
 
Resources

• If you are a registered user, type your User ID and Password, and then click Log In.
• If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

Disclaimer
The information provided in this Security Bulletin is provided as is without warranty of any kind. We disclaim all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall we or our suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if we or our suppliers have been advised of the possibility of such damages. Some states don't allow the exclusion or limitation of liability for consequential or incidental damages, so the preceding limitation may not apply.

Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they shouldn't be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates aren't a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remain at our sole discretion and may be changed or canceled at any time.