At jtsec we work to improve the cybersecurity of the products of the most leading companies in the IT sector, therefore, having customers like McAfee and being able to collaborate in the improvement of their cybersecurity, is always a challenge. In addition, we would like to to thank McAfee for its excellent attitude towards cybersecurity by making public the three CVEs (Common Vulnerability Exposure) of its product McAfee Web Gateway found during the evaluation process.
LINCE evaluation for McAfee Web Gateway product
A few months ago, McAfee entrusted jtsec: Beyond IT Security with one of its largest solutions on the market, McAfee Web Gateway, to obtain LINCE certification. McAfee Web Gateway is a product that provides high-performance web security through a local appliance that can be deployed as dedicated hardware or virtual machine.
One of the key points during the LINCE evaluation are the penetration tests. This phase is carried out after testing all the functional requirements and analyzing the possible vulnerabilities. The purpose of the phase is to try to identify and exploit possible mechanisms to bypass the different security functions and protections implemented in the product and there is where our evaluators detected the three CVEs.
*Image taken from https://www.incibe-cert.es/alerta-temprana/vulnerabilidades/cve-2020-7295
CVEs founded and notified
When a company detects a major failure in its products, it usually notifies MITRE, the organization that manages the Common Vulnerabilities and Exposures. This organization is responsible for evaluating the vulnerability and assigning it a unique identifier and a number that indicates the severity of the vulnerability.
This is the way that, users and organizations can easily check for existing vulnerabilities in their systems. In the case of Spain, CERTs such as INCIBE are also responsible for publishing and generating alerts.
Regarding McAfee Web Getaway, three CVEs were discovered:
| CVE | Description | Severity | Links |
|---|---|---|---|
| CVE- 2020- 7295 | Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.3 allows authenticated user interface user to delete or download protected log data via improper access controls in the user interface. | Low | NIST MITRE |
| CVE- 2020- 7296 | Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.3 allows authenticated user interface user to access protected configuration files via improper access control in the user interface. | Medium | NIST MITRE |
| CVE- 2020- 7297 | Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.3 allows authenticated user interface user to access protected dashboard data via improper access control in the user interface. | Medium | NIST MITRE |
Solutions developed by McAfee in the CPSTIC catalogue
CPSTIC is the reference catalogue of IT products in Spain promoted and managed by CCN (The National Cryptology Centre.) All the solutions included in the catalogue have their security certified and the confidence of having been validated by an accredited laboratory.
McAfee has four solutions included in the catalogue: McAfee EndPoint Security, McAfee Network Security Platform, McAfee Data Loss Prevention and McAfee Advanced Threat Defense.
