Vigil@nce - McAfee Web Gateway: password hash disclosure
July 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who is allowed to see the Accounts tab can obtain
the password hashes of McAfee Web Gateway administrators, in
order to perform a brute-force attack.
Impacted products: McAfee Web Gateway
Severity: 1/4
Creation date: 18/07/2014
DESCRIPTION OF THE VULNERABILITY
The McAfee Web Gateway product provides an administration
interface.
However, the Accounts tab of this interface contains SHA1 hashes
of administrator passwords.
An attacker who is allowed to see the Accounts tab can therefore
obtain the password hashes of McAfee Web Gateway administrators,
in order to perform a brute-force attack.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/McAfee-Web-Gateway-password-hash-disclosure-15072