Last Modified: 7/29/2015
|Who Should Read This Document:||Technical and Security Personnel|
|Impact of Vulnerability:||XML Entity Injection|
|Base / Overall CVSS Score:||6.3 / 4.9|
|Recommendations:||Upgrade to ePO 4.6.7 Hotfix 940148 (EPO467HF940148.zip)|
|Security Bulletin Replacement:||None|
ePO 4.6.7 (and earlier)
|Location of Updated Software:||http://www.mcafee.com/us/downloads/downloads.aspx|
- Import and Export Framework used for dashboards, queries, reports and server tasks.
All of these issues are resolved by ePO 4.6.7 Hotfix 940148, released on February 24, 2014.
Go to the McAfee Downloads site and download the applicable product hotfix file:
|Product||Type||Patch/Hotfix||File Name||Release Date|
|ePO 4.6.7||Hotfix||4.6.7||EPO467HF940148.zip||February 24, 2014|
ePO 4.6.7 hotfix download instructions:
- Launch Internet Explorer.
- Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
- Provide your valid McAfee Grant Number.
- Click your product suite.
- Click the applicable product (see table above) and click I Agree.
- Click the Patches tab and click the link to download the product .ZIP file under the Product column.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see KB56057.
For instructions on how to install/upgrade this patch, see the Release Notes and the Installation Guide (which can be downloaded from the Documentation tab) following the previous procedure.
RedTeam Pentesting GmbH
- Tel: 1-800-338-8754
- Web: http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport
Frequently Asked Questions (FAQs)
The following ePolicy Orchestrator (ePO) versions are affected.
- ePO 4.6.7 (and earlier)
- ePO 4.6.7 plus Hotfix 940148 (EPO467HF940148.zip) or later
- ePO 5.x
What issues does this hotfix / patch address?
- 940148 - Pen testing reveals several flaws in ePO
Yes. ePO 4.6.7 is an Enterprise product.
How do I know if my McAfee product is vulnerable or not?
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.
What are the CVSS scoring metrics that have been used?
|Related exploit range (AccessVector)||Adjacent Network|
|Attack complexity (AccessComplexity)||Medium|
|Level of authentication needed (Authentication)||Single Instance|
|Availability of exploit (Exploitability)||Proof of concept code|
|Type of fix available (RemediationLevel)||Official fix|
|Level of verification that vulnerability exists (ReportConfidence)||Confirmed|
NOTE: CVSS version 2.0 vector was used to generate this score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:S/C:C/I:P/A:P/E:POC/RL:OF/RC:C)
What has McAfee done to resolve the issue?
McAfee has released a hotfix to address this security flaw.
Where do I download the fix?
You can download the fix from http://www.mcafee.com/us/downloads. You might have to type your McAfee Grant Number to initiate the download.
How does McAfee respond to this and any other security flaws?
The McAfee key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.
McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would be informing the hacker community that our products are a target, putting our customers at greater risk.
To submit Beta feedback on any McAfee product, email: email@example.com
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
For patents protecting this product, see your product documentation.
The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.