Multiple vulnerabilities in ePO 4.6.6 and earlier
Technical Articles ID:  KB78824
Last Modified:  10/24/2013

Environment

McAfee ePolicy Orchestrator (ePO) 4.6.6 (and earlier)
ePO Extension for the McAfee Agent (MA) 4.5 - 4.6 (including patches)

Summary

The NATO Information Assurance Technical Centre conducted a series of penetration tests on ePO 4.6.6 and reported several vulnerabilities to McAfee on June 12, 2013. The timeline of events is as follows:
  • June 12, 2013: McAfee responded to NATO and opened a service ticket.
  • July 10, 2013: McAfee replied with a Sustaining Statement within the 30-day window. 
  • July 12, 2013: These issues were posted publicly on Bugtraq.
  • July 15, 2013: Determined that both high severity SQL Injection issues were already fixed. See SB10043 for details. The systems tested by NATO appear not to have had the latest patches. Determined the Reflected XSS issues are low severity (CVSS score of 2.0).
  • July 15, 2013: A KnowledgeBase article was released to the public.

Problem 1

Bugtraq 527228 - NCIRC-2013127-01 - Multiple vulnerabilities in McAfee ePO 4.6.6
http://www.securityfocus.com/archive/1/527228
http://seclists.org/bugtraq/2013/Jul/80

NOTE: Only authenticated ePO administrators / users can attempt to exploit these vulnerabilities.

Issue 1.  Timing Based SQL Injections
The following .do files are subject to Timing Based SQL injection:

  1.  /core/showRegisteredTypeDetails.do [uid parameter]

    Overall CVSS Score:  6.6
    NOTE: The following CVSS version 2.0 vector was used to generate this score:
    http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:L/Au:M/C:C/I:P/A:C/E:F/RL:U/RC:C)
     
  2. /EPOAGENTMETA/DisplayMSAPropsDetail.do [uid parameter]

    Overall CVSS Score: 7.0
    NOTE: The following CVSS version 2.0 vector was used to generate this score:
    http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:C/I:C/A:C/E:P/RL:O/RC:C)


Both SQL Injection vulnerabilities were identified on May 10, 2013 and patched as specified in SB10043. McAfee's internal testing leads us to believe that the ePO systems that NATO penetration tested were not running the most recent patches available at the time of the test, namely the patched agent extension for ePO 4.6.6, as described in SB10043.

Problem 2

Issue 2.  Reflected Cross-Site Scripting (XSS)
The following .do files are subject to XSS:
  • /core/loadDisplayType.do [instanceId parameter]
  • /console/createDashboardContainer.do [monitorUrl parameter]
  • /ComputerMgmt/sysDetPanelBoolPie.do [uid parameter]
  • /ComputerMgmt/sysDetPanelQry.do [uid parameter]
  • /ComputerMgmt/sysDetPanelQry.do [sysDetPanelQry parameter] 
  • /ComputerMgmt/sysDetPanelSummary.do [sysDetPanelSummary parameter]
  • /ComputerMgmt/sysDetPanelSummary.do [uid parameter]

    Overall CVSS Score: 2.0
    NOTE: The following CVSS version 2.0 vector was used to generate this score:
    http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:L/Au:M/C:P/I:N/A:N/E:P/RL:U/RC:C)
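Added example (not part of the original article and not McAfee code): a CVSS version 2.0 calculator that parses the three vectors quoted above and reproduces each "Overall CVSS Score", showing that it is the temporal score derived from a higher base score. It assumes the article's short codes E:P and RL:O mean Proof-of-Concept and Official Fix; the function and variable names are illustrative.

```python
from decimal import Decimal as D, ROUND_HALF_UP

CIA = {"N": "0", "P": "0.275", "C": "0.660"}
# Metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": CIA, "I": CIA, "A": CIA,
    # Assumption: "P" and "O" are this article's spellings of POC and OF.
    "E": {"U": "0.85", "P": "0.9", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"O": "0.87", "OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
}
BASE_METRICS = {"AV", "AC", "Au", "C", "I", "A"}

def round1(x):
    # Decimal half-up rounding avoids binary float drift on ties such as 6.555.
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def score(vector):
    """Return (base, temporal) for a vector like '(AV:N/AC:L/Au:S/...)'."""
    m = {}
    for part in vector.strip("()").split("/"):
        name, _, value = part.partition(":")
        if value not in WEIGHTS.get(name, {}):
            raise ValueError(f"unknown metric {part!r}")
        m[name] = D(WEIGHTS[name][value])
    if BASE_METRICS - m.keys():
        raise ValueError("vector is missing base metrics")
    impact = D("10.41") * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = D("1.176") if impact else D("0")
    base = round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)
    # Temporal metrics that are absent count as Not Defined (1.0).
    temporal = round1(base * m.get("E", D(1)) * m.get("RL", D(1)) * m.get("RC", D(1)))
    return base, temporal

# Vectors copied from this article, keyed by the affected endpoint or issue.
VECTORS = {
    "/core/showRegisteredTypeDetails.do": "(AV:A/AC:L/Au:M/C:C/I:P/A:C/E:F/RL:U/RC:C)",
    "/EPOAGENTMETA/DisplayMSAPropsDetail.do": "(AV:N/AC:L/Au:S/C:C/I:C/A:C/E:P/RL:O/RC:C)",
    "Reflected XSS (Issue 2)": "(AV:A/AC:L/Au:M/C:P/I:N/A:N/E:P/RL:U/RC:C)",
}

if __name__ == "__main__":
    for name, vec in VECTORS.items():
        base, temporal = score(vec)
        print(f"{name}: base {base}, temporal (overall) {temporal}")
```

The base scores come out as 6.9, 9.0 and 2.2; the exploitability and remediation-level metrics lower them to the overall values listed in this article.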

Solution

Both SQL Injection vulnerabilities listed in Issue 1 were patched in SB10043.

The remaining items in Issue 2 will be resolved in ePO 4.6.7.

This issue is resolved in ePO 4.6.7, which is available from the ePO Software Manager. For instructions on how to download patches, see KB56057.

Patches are cumulative; therefore, McAfee recommends that you install the latest one.

 

NOTE: ePO 5.1 (tentatively scheduled for release in late October 2013) will also contain fixes for the XSS issues. ePO 4.5.x is not affected by these XSS vulnerabilities.
 

© 2003-2013 McAfee, Inc.