How to remediate – McAfee Cloud Single Sign On WebUI Default Credentials

1. Introduction

The McAfee Cloud Single Sign On WebUI Default Credentials vulnerability means the web interface for managing McAfee Cloud SSO is using a standard username and password combination. This allows an attacker to gain control of your SSO system without needing valid user credentials. Businesses are at risk of account takeover, data breaches, and service disruption. Affected systems include any installation of the McAfee Cloud Single Sign On WebUI. A successful exploit could compromise confidentiality, integrity, and availability of the SSO service.

2. Technical Explanation

The vulnerability occurs because the ‘admin’ account is shipped with a default password. An attacker can directly access the web interface using these credentials to manage users, policies, and settings. No prior authentication is required for initial access. There is no known CVE associated with this specific issue, but it falls under CWE-798: Use of Hard-coded Credentials.

  • Root cause: The ‘admin’ user account has a pre-set password that is not changed during installation or configuration.
  • Exploit mechanism: An attacker attempts to log in to the WebUI using the default username (‘admin’) and password. If successful, they gain full administrative control. For example, an attacker could use a web browser to navigate to the login page and enter ‘admin’ as the username and the default password.
  • Scope: This affects all installations of McAfee Cloud Single Sign On WebUI where the default credentials have not been changed.

3. Detection and Assessment

You can confirm if a system is vulnerable by checking the current login configuration or attempting to log in with default credentials. A thorough method involves reviewing the application’s security settings.

  • Quick checks: Attempting to log in using ‘admin’ as the username and the default password will indicate vulnerability.
  • Scanning: Nessus plugin ID 16829 can identify this issue, but results should be manually verified.
  • Logs and evidence: Check application logs for successful logins with the ‘admin’ account. Log files are typically located in /opt/mcafee/cloud/sso/.
# No command available to directly check credentials without attempting login. Attempting a login is the primary assessment method.

4. Solution / Remediation Steps

Secure the ‘admin’ user account with a strong, unique password. Follow these steps carefully to avoid service disruption.

4.1 Preparation

  • Ensure you have access to the WebUI and know the current administrative credentials (if already changed). A roll back plan involves restoring the backed-up configuration if necessary.
  • A standard change window may be appropriate, depending on your organisation’s policies. Approval from a system owner may be required.

4.2 Implementation

  1. Log in to the McAfee Cloud Single Sign On WebUI as an administrator.
  2. Navigate to the ‘Users’ or ‘Administration’ section of the interface.
  3. Locate the ‘admin’ user account.
  4. Change the password for the ‘admin’ account to a strong, unique value.
  5. Save the changes and log out.

4.3 Config or Code Example

Before

# Default configuration - password is pre-set. No specific config example available as it's managed via the WebUI.

After

# Password changed to a strong, unique value through the WebUI interface.  No specific config example available as it's managed via the WebUI.

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue and similar vulnerabilities.

  • Enforce strong password policies for all user accounts, including default accounts.
  • Implement a regular password rotation schedule.
  • Follow the principle of least privilege by limiting access rights to only what is necessary.

4.5 Automation (Optional)

No suitable automation script exists for this specific vulnerability due to the WebUI-based configuration.

5. Verification / Validation

  • Post-fix check: Attempting to log in using ‘admin’ as the username and the original default password should now fail.
  • Re-test: Repeat the initial detection method – attempting login with default credentials should continue to fail.
  • Smoke test: Verify that you can still log in with the new administrative credentials and access key SSO features.
  • Monitoring: Monitor application logs for failed login attempts using the ‘admin’ account, which could indicate ongoing attacks.
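
The log review described under "Logs and evidence" in section 3 and "Monitoring" above can be scripted. The following is an added example, not part of the original article or any McAfee tooling; the log line format, field names and addresses are constructed assumptions, so adapt `LINE_RE` to the files you actually find on the system.

```python
import re
from collections import Counter

# Constructed sample lines in an ASSUMED format; the product's real log
# layout is not shown in this article.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z LOGIN result=SUCCESS user=admin src=10.0.0.5
2025-01-10T08:02:13Z LOGIN result=FAILURE user=admin src=203.0.113.7
2025-01-10T08:02:15Z LOGIN result=FAILURE user=admin src=203.0.113.7
2025-01-10T08:02:18Z LOGIN result=FAILURE user=admin src=203.0.113.7
2025-01-10T08:02:20Z LOGIN result=SUCCESS user=admin src=203.0.113.7
2025-01-10T09:15:00Z LOGIN result=SUCCESS user=jsmith src=10.0.0.9
2025-01-10T09:16:00Z LOGIN result=FAILURE user=administrator src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN result=(?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def review_admin_logins(log_text, account="admin", trusted=(), fail_threshold=3):
    """Summarise logins for one account and flag the ones worth a closer look."""
    successes = []          # (timestamp, source) of every successful login
    failures = Counter()    # failed attempts per source address
    findings = []           # (timestamp, source, reason)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["user"] != account:
            continue        # unparsed line or a different account
        src = m["src"]
        if m["result"] == "FAILURE":
            failures[src] += 1
            continue
        successes.append((m["ts"], src))
        if src not in trusted:
            findings.append((m["ts"], src, "admin login from untrusted source"))
        if failures[src] >= fail_threshold:
            findings.append((m["ts"], src, "success after repeated failures"))
    return {"successes": successes, "failures": dict(failures), "findings": findings}

if __name__ == "__main__":
    report = review_admin_logins(SAMPLE_LOG, trusted={"10.0.0.5"})
    for ts, src, reason in report["findings"]:
        print(ts, src, reason)
```

Any successful ‘admin’ login dated before the password change and coming from a source you do not recognise should be treated as a possible compromise, not just as evidence of the weak setting.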

6. Preventive Measures and Monitoring

Update security baselines and incorporate checks into your CI/CD pipelines to prevent similar issues.

  • Baselines: Update your security baseline or policy to include requirements for changing default credentials on all new systems.
  • Pipelines: Add static code analysis (SAST) tools to your CI pipeline to identify hardcoded credentials in configuration files.
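
A minimal version of the pipeline check described above, as an added example (not a replacement for a full SAST or secret-scanning tool, and not code from the original article). The key names and sample configuration are constructed; the check reports file, line and key only, never the value.

```python
import re

# Constructed sample configuration mixing literal and indirect secrets.
SAMPLE_CONFIG = """\
# constructed sample
admin.user = admin
admin.password = ChangeMe-Example
db_password: ${DB_PASSWORD}
"api_secret": "s3cr3t-example",
ldap.bind.pwd =
session.timeout = 30
"""

# Keys whose values should never be literal secrets in committed config.
SECRET_KEY_RE = re.compile(
    r"""^\s*["']?(?P<key>[\w.-]*(?:password|passwd|pwd|secret)[\w.-]*)["']?"""
    r"""\s*[:=]\s*(?P<value>.+?)\s*,?\s*$""",
    re.IGNORECASE,
)
# Values that defer to the environment or a secret store are acceptable.
INDIRECT_RE = re.compile(r"^\$\{[^}]+\}$|^\$[A-Z_][A-Z0-9_]*$|^<[^>]+>$")

def find_hardcoded_credentials(text, path="<config>"):
    """Return (path, line number, key) for each literal secret assignment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";", "//")):
            continue                      # skip comment lines
        m = SECRET_KEY_RE.match(line)
        if not m:
            continue                      # not a secret-like key, or empty value
        value = m["value"].strip("\"'")
        if not value or INDIRECT_RE.match(value):
            continue                      # placeholder or env reference
        findings.append((path, lineno, m["key"]))  # never echo the value
    return findings

if __name__ == "__main__":
    hits = find_hardcoded_credentials(SAMPLE_CONFIG, "sample.conf")
    for path, lineno, key in hits:
        print(f"{path}:{lineno}: literal value assigned to {key}")
    raise SystemExit(1 if hits else 0)    # non-zero exit fails the CI job
```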

7. Risks, Side Effects, and Roll Back

Changing the password incorrectly could lock you out of the system. Ensure you remember the new password or document it securely.

  • Roll back: Restore the backed-up McAfee Cloud SSO configuration file if you lose access due to an incorrect password change.


Updated on December 27, 2025
