McAfee Security Bulletin - ePO update fixes two vulnerabilities reported by Verizon
Security Bulletins ID:  SB10042
Last Modified:  01/09/2014


Summary

 
Who should read this document: Technical and security personnel
Impact of vulnerability: Remote code execution as Root user; Directory traversal
CVE number: CVE-2013-0140; CVE-2013-0141
US CERT number: VU #209131
Severity rating: High; Low
Overall CVSS Score: 6.2; 3.4
Recommendations: Install the patches and hotfix that address these issues.
Security Bulletin replacement: None
Caveats: None
Affected software:
  • ePO 4.5 (RTW) to ePO 4.5.6
  • ePO 4.6 (RTW) to ePO 4.6.5
Location of updated software: http://www.mcafee.com/us/downloads


 

Description

Two separate ePolicy Orchestrator (ePO) vulnerabilities were reported by the same discoverer:

  • VESVM-2013-001 - RCE McAfee ePO and RCE on Managed Stations
  • VESVM-2013-002 - McAfee ePO Pre-Auth File Path Traversal

Collectively, these vulnerabilities could allow unauthorized disclosure of information, unauthorized modification, or disruption of service.

  • VESVM-2013-001 - RCE McAfee ePO and RCE on Managed Stations
    This vulnerability is a server-side pre-authenticated SQL Injection within the Agent-Handler component (Agent-Server communication channel). If exploited, it can lead to remote code execution (RCE).

    The attack is performed by registering a rogue Agent to the ePO server, and sending a crafted request to the ePO server. The attacker can gain remote code execution with SYSTEM privilege.

    CVE-2013-0140
    VESVM-2013-001 - RCE McAfee ePO and RCE on Managed Stations
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0140

     
  • VESVM-2013-002 - McAfee ePO Pre-Auth File Path Traversal
    This vulnerability is a server-side pre-authenticated directory path traversal within a file upload process. If exploited, it can lead to an arbitrary file upload under the ePO installation folder.

    The attack is performed by registering a rogue Agent to the ePO server, and sending a crafted request to the ePO server. A typical scenario would be to store malicious files under the /Software/ folder, to make them available for download from the ePO server.

    CVE-2013-0141
    VESVM-2013-002 - McAfee ePO Pre-Auth File Path Traversal
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0141

     
  • US-CERT Vulnerability Note VU#209131
    http://www.kb.cert.org/vuls/id/209131


All of these issues are resolved in ePO 5.0, 4.6.6, and 4.5.7.

  • ePO 4.5.7 was released on May 23, 2013.
  • ePO 4.6.6 was released on March 26, 2013.
  • ePO 5.0 was released on March 25, 2013.
     

Remediation

The remediation plan is to patch the currently supported versions of ePO 4.5 and 4.6 beginning with patch 4.6.6 and 4.5.7. 

NOTE: ePO FIPS customers will need ePOHF130514.zip for ePO 4.6.4 (the latest FIPS certified build of ePO). This can be obtained by contacting McAfee Technical Support and having a case escalated to Tier III support.

| Product | Type | File Name / Information | Release Date |
|---|---|---|---|
| ePO 4.5.7 | Patch | EPO457L.zip | May 23, 2013 |
| ePO 4.6.6 | Patch | EPO466L.zip | March 26, 2013 |
| ePO 5.0 | Major Release | EPO500L.zip | March 25, 2013 |

McAfee ePO download instructions:

  1. Launch Internet Explorer.
  2. Navigate to: http://www.mcafee.com/us/downloads.
  3. Provide your valid McAfee Grant Number.
  4. Select the product and click View Available Downloads.
  5. Click McAfee ePolicy Orchestrator.
  6. Click the Patches tab or click the link to download the product .ZIP file under Download on the Software Downloads screen.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see article KB56057.

For instructions on how to install/upgrade this patch, review the Release Notes and the Installation Guide (available from the Documentation tab) following the previous steps.

Workaround

There is no workaround for either of these issues short of blocking all Agent communication to the ePO server port. Applying the hotfix or patch for these issues is the recommended course of action.

McAfee also recommends that DBA privileges on the ePO server be downgraded after installation. During normal use of the product, the permissions required are consistent with the role of a database owner, which allows the product to be used with limited permissions. See KB58791 for details on elevating SQL rights during product installation.

Acknowledgements

McAfee credits both Jerome Nokin (Discovery) and Thierry Zoller (Analysis and Coordination) from Verizon Enterprise Solutions (GCIS Vulnerability Management) for reporting these flaws. The US-CERT Vulnerability Analysis Team also worked closely with McAfee and assigned CVE and US-CERT vulnerability IDs.

This security bulletin was written by Harold Toomey, Principal Product Security Architect, Product Security Group, McAfee, Inc.

Support

Corporate Technical Support:

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
The following are affected:

Affected versions

  • ePO 4.5 RTW to ePO 4.5.6
  • ePO 4.6 RTW to ePO 4.6.5 

Protected versions

  • ePO 4.5.7 (or later)
  • ePO 4.6.6 (or later)
  • ePO 5.0 (or later)

McAfee recommends you verify that you have applied the latest updates.


What issues does this hotfix/patch address?

  • CVE-2013-0140 - VESVM-2013-001 - RCE McAfee ePO and RCE on Managed Stations
  • CVE-2013-0141 - VESVM-2013-002 - McAfee ePO Pre-Auth File Path Traversal 


Does this vulnerability affect McAfee enterprise products?

Yes, ePO is an enterprise product.


How do I know if my McAfee products are vulnerable or not?
For Windows-based products:

  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Click Open Console.
  3. In the console, click Action Menu.
  4. In the Action Menu, click Product Details.
  5. The product version displays.

Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.


What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: http://www.first.org/cvss/.


What are the CVSS scoring metrics that have been used?

VESVM-2013-001 - RCE McAfee ePO and RCE on Managed Stations

  Base Score: 7.9
  Related exploit range (AccessVector): Adjacent Network
  Attack complexity (AccessComplexity): Medium
  Level of authentication needed (Authentication): None
  Confidentiality impact: Complete
  Integrity impact: Complete
  Availability impact: Complete
  Temporal Score: 6.2
  Availability of exploit (Exploitability): Proof of concept code
  Type of fix available (RemediationLevel): Official fix
  Level of verification that vulnerability exists (ReportConfidence): Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:N/C:C/I:C/A:C/E:P/RL:O/RC:C)


VESVM-2013-002 - McAfee ePO Pre-Auth File Path Traversal

  Base Score: 4.3
  Related exploit range (AccessVector): Adjacent Network
  Attack complexity (AccessComplexity): Medium
  Level of authentication needed (Authentication): None
  Confidentiality impact: Partial
  Integrity impact: Partial
  Availability impact: None
  Temporal Score: 3.4
  Availability of exploit (Exploitability): Proof of concept code
  Type of fix available (RemediationLevel): Official fix
  Level of verification that vulnerability exists (ReportConfidence): Confirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:M/Au:N/C:P/I:P/A:N/E:P/RL:O/RC:C)       


What has McAfee done to resolve the issue?
All of these issues are resolved in ePO versions 5.0, 4.6.6 and 4.5.7, which have all been released and are available via the McAfee Downloads site.


Where do I download the fix?
You can download the fix from http://www.mcafee.com/us/downloads. You have to provide your McAfee Grant Number to download.


How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of its customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

© 2003-2013 McAfee, Inc.