McAfee Security Bulletin - ePO workaround prevents an XML Entity Injection and Metasploit Credential vulnerability (CVE-2015-0921 and CVE-2015-0922)
Security Bulletins ID:   SB10095
Last Modified:  5/11/2017
Summary

Who Should Read This Document: Technical and Security Personnel
Impact of Vulnerability: XML Entity Injection; Credential Disclosure
CVE Numbers: CVE-2015-0921, CVE-2015-0922
CERT/CC and Other Numbers: None
Severity Rating: Medium
Base / Overall CVSS Scores: 6.3 / 4.9 - XML Entity Injection (XXE); 7.4 / 5.8 - Metasploit Credential Disclosure
Recommendations: Upgrade to ePO 4.6.9 or ePO 5.1.2. A workaround, identified below, is available as a short-term fix.
Security Bulletin Replacement: None
Caveats: None
Affected Software: ePO 4.6.8 and earlier, ePO 5.1.1 and earlier
Location of Updated Software: http://www.mcafee.com/us/downloads/downloads.aspx


Description

CVE-2015-0922
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0922

CVE-2015-0921
XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0921

XML Entity Injection:
 
Users with authenticated access to the ePO web application who are assigned permissions to add or update a custom filter in the areas that use custom filters, such as the Audit Log and Server Task Log, are able to inject malicious XML definitions.
 
Metasploit Credential Disclosure:
 
Once the XML attack succeeds, the authenticated user can then leverage Metasploit to read a large number of ePO server-side system files, including the database configuration properties, to enable further attacks. This portion of the exploit is not possible unless the XML attack is successful.
 
Affected Component:
  • Adding/updating the custom filter feature, as used in the Audit Log and Server Task Log for example
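The root cause described above is a server-side parser that honours DTD entity declarations in user-supplied filter XML. As an added example (not ePO's or McAfee's code), the following fail-closed parse rejects any DOCTYPE or entity declaration before the document reaches the real parser; the <filter>/<condition> element names and both sample documents are constructed stand-ins, not the real conditionXML format.

```python
"""Fail-closed parsing of a user-supplied custom-filter XML document.

Added example, not ePO code: the <filter>/<condition> layout is a constructed
stand-in for the conditionXML parameter named in the bulletin.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeFilterXML(ValueError):
    """Raised when submitted filter XML carries a DOCTYPE or entity declaration."""


def reject_dtd(xml_text: str) -> None:
    """A filter definition has no legitimate need for a DTD, so any DOCTYPE or
    entity declaration is rejected outright, before entities could be expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeFilterXML("DOCTYPE not allowed in filter XML")

    def on_entity_decl(*_args):
        raise UnsafeFilterXML("entity declaration not allowed in filter XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Belt and braces: returning 0 makes expat refuse to fetch any external entity.
    parser.ExternalEntityRefHandler = lambda *_args: 0
    parser.Parse(xml_text, True)


def parse_filter(xml_text: str) -> list:
    """Return (property, operator, value) triples from a validated filter document."""
    reject_dtd(xml_text)
    root = ET.fromstring(xml_text)
    return [(c.get("property", ""), c.get("operator", ""), (c.text or "").strip())
            for c in root.iter("condition")]


def is_safe_filter(xml_text: str) -> bool:
    """True if the filter parses cleanly; False if rejected or malformed."""
    try:
        parse_filter(xml_text)
        return True
    except (UnsafeFilterXML, xml.parsers.expat.ExpatError, ET.ParseError):
        return False


# Constructed samples: a benign filter and one that declares an external entity.
SAFE_FILTER = ('<filter><condition property="status" operator="equals">'
               'Completed</condition></filter>')
DTD_FILTER = ('<!DOCTYPE filter [<!ENTITY ext SYSTEM "file:///placeholder">]>'
              '<filter><condition property="status" operator="equals">'
              '&ext;</condition></filter>')

if __name__ == "__main__":
    print(parse_filter(SAFE_FILTER))   # [('status', 'equals', 'Completed')]
    print(is_safe_filter(DTD_FILTER))  # False
```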

Remediation

This issue is remediated in ePO 4.6.9 and ePO 5.1.2. The remediation plan is to upgrade the currently supported versions of ePO 4.6 and 5.1. These fixes are included in ePO patch versions 4.6.9 and 5.1.2, which are identified as mandatory patch updates.
  • Users of ePO 4.5.x and 4.6.x should upgrade to ePO 4.6.9.
  • Users of ePO 5.0.x and 5.1.x should upgrade to ePO 5.1.2.
Refer to the upgrade instructions in the ePO 4.6.9 or 5.1.2 Release Notes for further details.
 
Go to the McAfee Downloads site and download the applicable product patch/hotfix file:
 
Product     Type    Patch Version   File Name       Release Date
ePO 4.6.9   Patch   4.6.9           EPO469Lic.Zip   March 18, 2015
ePO 5.1.2   Patch   5.1.2           EPO512L.zip     June 4, 2015

McAfee ePO Download Instructions
  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
  3. Provide your valid McAfee Grant Number.
  4. Click your product suite.
  5. Click the applicable product (see table above) and click I Agree.
  6. Click the Patches tab and click the link to download the product .ZIP file under the Product column.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.

For instructions on how to install/upgrade this hotfix/patch, please review the Release Notes and the Installation Guide (which you can download from the Documentation tab) following the same steps above.

Workaround

IMPORTANT: If you applied the initial workaround provided on January 9th 2015, you should first revert these changes prior to applying the latest workaround provided in KB83959 on February 18th 2015.
 
Updated workaround (added February 18th 2015)
The latest workaround and fix details are provided within the POC attached to KB83959 (ePO_1031989_POC1.zip). It is provided as a temporary fix and is superseded by the ePO 4.6.9 and 5.1.2 patches.
 
Customer experience restored:
This new POC workaround restores the ability to add and modify custom filters previously prevented by the initial workaround. It also prevents the XML Entity attack from being successful, after a user is logged into the ePO console.
 
Initial workaround provided (as of January 9th 2015)
Previous mitigation for ePO 4.6.x and 5.x.x servers:
  1. Stop the ePO services.
  2. Navigate to the <ePO_installation_directory>\Server\webapps\core\WEB-INF directory.
  3. Create a backup of the mvcactions.xml file (for example, mvcactions.xml.bak).
  4. Open the mvcactions.xml file for editing.
  5. Search for the string orionUpdateTableFilter.do. You will find the following line:
     
    <action name="orionUpdateTableFilter.do" execute="updateFilter" checkSecurityToken="true"/>
     
  6. Comment out the above line like the following:
     
    <!-- <action name="orionUpdateTableFilter.do" execute="updateFilter" checkSecurityToken="true"/> -->
     
  7. Save and close the mvcactions.xml file.
  8. Restart the ePO services.
To revert this initial workaround on ePO 4.6.x and 5.x.x servers:
  1. Stop the ePO services.
  2. Navigate to the <ePO_installation_directory>\Server\webapps\core\WEB-INF directory.
  3. Delete the modified mvcactions.xml file containing this initial workaround.
  4. Rename mvcactions.xml.bak back to mvcactions.xml to revert back to the original file.
  5. Proceed with applying the new workaround POC file referenced in KB83959.
  6. Restart the ePO services.

Acknowledgements

None. McAfee’s policy is to not acknowledge zero-day attackers.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
McAfee ePO is affected.

Affected Versions:
  • ePO 4.6.8 and earlier
  • ePO 5.1.1 and earlier
Protected Versions:
  • ePO 4.6.9 and later
  • ePO 5.1.2 and later
McAfee recommends that all customers verify that they have applied the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes, ePO 4.6 and 5.1 are enterprise products.

How do I know if my McAfee product is vulnerable or not?
Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

What are the CVSS scoring metrics that have been used?

ePO and XML Entity Injection Attack

Base Score: 6.3
Related exploit range (AccessVector): Adjacent Network
Attack complexity (AccessComplexity): Medium
Level of authentication needed (Authentication): Single Instance
Confidentiality impact: Complete
Integrity impact: Partial
Availability impact: Partial
Temporal Score (Overall): 4.9
Availability of exploit (Exploitability): Proof of concept code
Type of fix available (RemediationLevel): Official fix
Level of verification that vulnerability exists (ReportConfidence): Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:S/C:C/I:P/A:P/E:POC/RL:OF/RC:C)

ePO and Metasploit Credential Disclosure

Base Score: 7.4
Related exploit range (AccessVector): Adjacent Network
Attack complexity (AccessComplexity): Medium
Level of authentication needed (Authentication): Single Instance
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete
Temporal Score (Overall): 5.8
Availability of exploit (Exploitability): Proof of concept code
Type of fix available (RemediationLevel): Official fix
Level of verification that vulnerability exists (ReportConfidence): Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

What has McAfee done to resolve the issue?
McAfee has provided a workaround and will release a patch to address this security flaw.

Where do I download the fix?
You can download the fix from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, hotfix, patch, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. 

McAfee may publish lists of known vulnerable and not vulnerable products if the product vulnerability is already generally known publicly, but no actionable workaround is ready yet.

Resources

For contact details: Go to http://www.mcafee.com/us/about/contact/index.html. Non-US customers - select your country from the list of Worldwide Offices.

Alternatively:
Log into the McAfee Technical Support ServicePortal at https://mysupport.mcafee.com:
  • If you are a registered user, type your User ID and Password and click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx. For instructions on downloading, see KB56057.

To download new Beta software or to read about the latest Beta information, go to http://www.mcafee.com/us/downloads/beta-programs/index.aspx.

To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com.

For copyright, trademark attributions, and license information, go to http://us.mcafee.com/root/aboutUs.asp?id=copyright.

For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
