McAfee Security Bulletin – ePO update fixes an XML Entity Injection vulnerability
Security Bulletins ID:   SB10065
Last Modified:  7/29/2015


Who Should Read This Document: Technical and Security Personnel
Impact of Vulnerability: XML Entity Injection
CVE Number: None
CERT/CC Number: None
Severity Rating: Medium
Base / Overall CVSS Score: 6.3 / 4.9
Recommendations: Upgrade to ePO 4.6.7 Hotfix 940148 (EPO467HF940148.zip)
Security Bulletin Replacement: None
Caveats: None
Affected Software:

ePO 4.6.7 (and earlier)

Location of Updated Software: http://www.mcafee.com/us/downloads/downloads.aspx


Users with authenticated access to the ePO web application who hold permissions to edit their own dashboards, queries and reports can import malicious XML definitions that read a large number of server-side system files, including the database configuration properties, which can then be used to further other attacks.

Affected Components:
  • Import and Export Framework used for dashboards, queries, reports and server tasks.

All of these issues are resolved by ePO 4.6.7 Hotfix 940148, released on February 24, 2014.
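The bulletin does not describe how Hotfix 940148 closes the import path, so the following is an added example of the generic mitigation for XML Entity Injection in an import/export feature, not ePO code: an import loader that aborts as soon as the document declares a DOCTYPE, an entity, or references an external entity, before any server-side file or URL could be opened. The dashboard definitions are constructed samples, and the file path in the injection sample is a placeholder, not a real ePO location.

```python
"""Added example: an XML import loader that refuses DTD and entity constructs.

Not ePO code and not a description of the hotfix; it shows the generic
mitigation for XML Entity Injection in an import/export path using only the
standard library.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when an import document carries DTD or entity constructs."""


def _refuse(what):
    """Build an expat handler that aborts parsing as soon as `what` appears."""
    def handler(*_args):
        raise UnsafeXmlError("%s is not allowed in import definitions" % what)
    return handler


def load_import_definition(data):
    """Parse an untrusted import document with entity processing disabled.

    Expat invokes these handlers before it resolves anything, so a DOCTYPE,
    an ENTITY declaration or an external entity reference aborts the parse
    before any server-side file or URL could be read.  Ordinary element
    markup is handed to ElementTree's TreeBuilder as usual.
    """
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse("a DOCTYPE declaration")
    parser.EntityDeclHandler = _refuse("an entity declaration")
    parser.ExternalEntityRefHandler = _refuse("an external entity reference")
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def classify_import(data):
    """Return a one-line verdict suitable for an import audit log."""
    try:
        root = load_import_definition(data)
    except UnsafeXmlError as exc:
        return "rejected: %s" % exc
    except xml.parsers.expat.ExpatError as exc:
        return "rejected: malformed XML (%s)" % exc
    return "accepted: <%s> with %d child element(s)" % (root.tag, len(root))


# Constructed sample inputs (not real ePO export files).
SAFE_DASHBOARD_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<dashboard name="Constructed sample dashboard">
  <query name="Malware detections" type="summary"/>
  <query name="Agent status" type="table"/>
</dashboard>
"""

# The shape of an import that tries to pull a server-side file into the
# document; the path is a placeholder, not a real ePO location.
XXE_DASHBOARD_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE dashboard [
  <!ENTITY leak SYSTEM "file:///placeholder/server-side.properties">
]>
<dashboard name="&leak;"/>
"""

if __name__ == "__main__":
    samples = (("benign", SAFE_DASHBOARD_XML), ("entity injection", XXE_DASHBOARD_XML))
    for label, doc in samples:
        print("%-17s -> %s" % (label, classify_import(doc)))
```

Refusing the DOCTYPE outright, rather than only disabling external entity resolution, is the simplest policy for an import format that never legitimately needs a DTD: it also stops internal-entity expansion attacks, and the verdict string gives the import audit trail a precise reason for the rejection.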


Customers running ePO 4.6.x should update to ePO 4.6.7, then apply Hotfix 940148 to address this issue. This vulnerability is not present in ePO 5.0.x versions (or later).

Go to the McAfee Downloads site and download the applicable product hotfix file:

Product     Type     Patch/Hotfix   File Name            Release Date
ePO 4.6.7   Hotfix   4.6.7          EPO467HF940148.zip   February 24, 2014

ePO 4.6.7 hotfix download instructions:
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
  3. Provide your valid McAfee Grant Number.
  4. Click your product suite.
  5. Click the applicable product (see table above) and click I Agree.
  6. Click the Patches tab and click the link to download the product .ZIP file under the Product column.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see KB56057.

For instructions on how to install or upgrade to this hotfix, see the Release Notes and the Installation Guide, which can be downloaded from the Documentation tab by following the procedure above.


None. Install the provided hotfix version updates.


McAfee credits the following company for reporting this flaw.

RedTeam Pentesting GmbH
Dennewartstraße 25
52068 Aachen


Corporate Technical Support:

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
The following ePolicy Orchestrator (ePO) versions are affected.

Affected Versions:
  • ePO 4.6.7 (and earlier)
Protected Versions:
  • ePO 4.6.7 plus Hotfix 940148 (EPO467HF940148.zip) or later
  • ePO 5.x
McAfee recommends that all customers verify that they have applied the latest updates.

What issues does this hotfix / patch address?
  • 940148 - Pen testing reveals several flaws in ePO
Does this vulnerability affect McAfee enterprise products?
Yes. ePO 4.6.7 is an Enterprise product.

How do I know if my McAfee product is vulnerable or not?
Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

 Base Score 6.3
 Related exploit range (AccessVector) Adjacent Network
 Attack complexity (AccessComplexity) Medium
 Level of authentication needed (Authentication) Single Instance
 Confidentiality impact Complete
 Integrity impact Partial
 Availability impact Partial
 Temporal Score 4.9
 Availability of exploit (Exploitability) Proof of concept code
 Type of fix available (RemediationLevel) Official fix
 Level of verification that vulnerability exists (ReportConfidence) Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:S/C:C/I:P/A:P/E:POC/RL:OF/RC:C)

What has McAfee done to resolve the issue?
McAfee has released a hotfix to address this security flaw.

Where do I download the fix?
You can download the fix from http://www.mcafee.com/us/downloads. You might have to type your McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would be informing the hacker community that our products are a target, putting our customers at greater risk.




The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
