
Multiple vulnerabilities in ePO 4.6.6 and earlier
Technical Articles ID: KB78824
Last Modified: 4/1/2016


McAfee ePolicy Orchestrator (ePO) 4.6.6 (and earlier)
ePO Extension for the McAfee Agent (MA) 4.5 - 4.6 (including patches)


The NATO Information Assurance Technical Centre conducted a series of penetration tests on ePO 4.6.6 and reported several vulnerabilities to McAfee on June 12, 2013. The timeline of events is as follows:
  • June 12, 2013: McAfee responded to NATO and opened a service ticket.
  • July 10, 2013: McAfee replied with a Sustaining Statement within the 30-day window. 
  • July 12, 2013: These issues were posted publicly on Bugtraq.
  • July 15, 2013: McAfee determined that both high-severity SQL Injection issues were already fixed. The systems tested by NATO appear not to have had the latest patches. McAfee also determined that the Reflected XSS issues are low severity (CVSS score of 2.0).
  • July 15, 2013: A KnowledgeBase article was released to the public.


Bugtraq 527228 - NCIRC-2013127-01 - Multiple vulnerabilities in McAfee ePO 4.6.6

Only authenticated ePO administrators / users can attempt to exploit these vulnerabilities.

Issue 1.  Timing Based SQL Injections
The following .do files are subject to Timing Based SQL injection:

  1. /core/showRegisteredTypeDetails.do [uid parameter]

    Overall CVSS Score: 6.6
    NOTE: The following CVSS version 2.0 vector was used to generate this score:

  2. /EPOAGENTMETA/DisplayMSAPropsDetail.do [uid parameter]

    Overall CVSS Score: 7.0
    NOTE: The following CVSS version 2.0 vector was used to generate this score:

Both SQL Injection vulnerabilities were identified on May 10, 2013 and patched. McAfee's internal testing leads us to believe that the ePO systems that NATO penetration tested were not running with the most recent and available patches at the time of the test, namely, the patched agent extension installed for ePO 4.6.6.


Issue 2.  Reflected Cross-Site Scripting (XSS)
The following .do files are subject to XSS:
  • /core/loadDisplayType.do [instanceId parameter]
  • /console/createDashboardContainer.do [monitorUrl parameter]
  • /ComputerMgmt/sysDetPanelBoolPie.do [uid parameter]
  • /ComputerMgmt/sysDetPanelQry.do [uid parameter]
  • /ComputerMgmt/sysDetPanelQry.do [sysDetPanelQry parameter] 
  • /ComputerMgmt/sysDetPanelSummary.do [sysDetPanelSummary parameter]
  • /ComputerMgmt/sysDetPanelSummary.do [uid parameter]

    Overall CVSS Score: 2.0
    NOTE: The following CVSS version 2.0 vector was used to generate this score:


Both SQL Injection vulnerabilities listed in Issue 1 were patched. 

The remaining items in Issue 2 are resolved in ePO 4.6.8.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

You will need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, as well as alternate locations for some products.

NOTE: ePO 5.1 also contains fixes for the XSS issues. ePO 4.5.x is not affected by these XSS vulnerabilities.
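
For triage on a server that ran an affected version, the endpoint and parameter pairs listed under Issue 1 and Issue 2 can be turned into an access-log filter. The following Python is an added example, not McAfee code; it assumes access logs in Common Log Format and that legitimate values of these parameters never contain the characters < > " ' ; ( ), and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint -> parameters named in Issue 1 and Issue 2 of this article.
WATCHED = {
    "/core/showRegisteredTypeDetails.do": {"uid"},
    "/EPOAGENTMETA/DisplayMSAPropsDetail.do": {"uid"},
    "/core/loadDisplayType.do": {"instanceId"},
    "/console/createDashboardContainer.do": {"monitorUrl"},
    "/ComputerMgmt/sysDetPanelBoolPie.do": {"uid"},
    "/ComputerMgmt/sysDetPanelQry.do": {"uid", "sysDetPanelQry"},
    "/ComputerMgmt/sysDetPanelSummary.do": {"uid", "sysDetPanelSummary"},
}

# Assumption: legitimate values never contain these characters.
META = re.compile(r"[<>\"';()]")
# Assumption: Common Log Format request field, e.g. "GET /path?query HTTP/1.1".
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def triage(lines):
    """Return (line_no, path, param, decoded_value) for suspicious requests."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a request line we can parse
        url = urlsplit(m.group(1))
        params = WATCHED.get(url.path)
        if not params:
            continue  # endpoint is not one of those listed in the article
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name in params and META.search(value):
                hits.append((no, url.path, name, value))
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '10.0.0.5 - admin [15/Jul/2013:10:00:01 +0000] "GET /core/showRegisteredTypeDetails.do?uid=42 HTTP/1.1" 200 512',
    '10.0.0.9 - jdoe [15/Jul/2013:10:02:13 +0000] "GET /core/showRegisteredTypeDetails.do?uid=42%27%3B-- HTTP/1.1" 200 512',
    '10.0.0.9 - jdoe [15/Jul/2013:10:03:40 +0000] "GET /ComputerMgmt/sysDetPanelQry.do?uid=%3Cb%3Ex HTTP/1.1" 200 731',
    '10.0.0.7 - admin [15/Jul/2013:10:04:02 +0000] "GET /example/unlisted.do?uid=%3Cb%3Ex HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Parameters sent in a POST body do not appear in the request line, so this filter only covers values passed in the query string.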
