Network DLP 9.3.4 Hotfix Resolves Vulnerabilities

Three vulnerabilities in Network DLP 9.3.4 have been discovered and resolved.

AFFECTED SOFTWARE

• Network DLP 9.3.4.1.5 and earlier

REMEDIATED/PATCHED VERSIONS
The vulnerabilities are remediated in these versions:

• Network DLP 9.3.4.1.5 plus hotfix 1201697_47868

IMPACT

• CVE-2017-3933 (CVSS: 3.4; Severity: Medium) Embedding Script (XSS) in HTTP headers in McAfee Data Loss Prevention 9.3.x now does not allow remote authenticated users to view confidential information through a cross site request forgery attack.
• CVE-2017-3934 (CVSS: 4.7; Severity: Medium) Missing HTTP Strict Transport Security state information in the server in McAfee Data Loss Prevention 9.3.x now does not allow man-in-the-middle attackers to expose confidential data through read files on the webserver.
• CVE-2017-3935 (CVSS: 2.6; Severity: Low) McAfee Data Loss Prevention is no longer vulnerable to MIME type sniffing.  MIME type sniffing allows older versions of Internet Explorer to perform MIME-sniffing on the response body. This potentially caused the response body to be interpreted and displayed as a content type other than the intended content type.

RECOMMENDATION
McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see Knowledge Base article SB10198, McAfee Security Bulletin - Network Data Loss Prevention update fixes eleven vulnerabilities (CVE-2017-3933, CVE-2017-3934, CVE-2017-3935, CVE-2017-3968, CVE-2017-4011, CVE-2017-4012, CVE-2017-4013, CVE-2017-4014, CVE-2017-4015, CVE-2017-4016, and CVE-2017-4017) (https://kc.mcafee.com/corporate/index?page=content&id=SB10198)