McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers’ installations


McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers’ installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.

Description

XML Entity Injection:

Users with authenticated access to the ePO-web application and who are assigned permissions with the ability to add/update a custom filter to the areas that use custom filters, such as Audit Log and Server Task Log, are able to inject malicious XML definitions.

Metasploit Credential Disclosure:

After this XML attack is successful, the authenticated user can then leverage Metasploit to read a large number of ePO server side system files, including the database configuration properties, to further other attacks. This portion of the exploit is not possible unless the XML attack is successful.

Affected Component:

  • Adding/updating the custom filter feature, as used in the Audit Log and Server Task Log for example

Remediation

This issue is remediated with ePO 4.6.9 and ePO 5.1.2 when available. The remediation plan is to upgrade the currently supported versions of ePO 4.6 and 5.1. These fixes will be included in ePO patch versions 4.6.9 and 5.1.2 and are identified as mandatory patch updates.

  • Users of ePO 4.5.x and 4.6.x should upgrade to ePO 4.6.9.
  • Users of ePO 5.0.x and 5.1.x should upgrade to ePO 5.1.2.

When available, refer to the upgrade instructions in the ePO 4.6.9 or 5.1.2 Release Notes for further details.

When available, go to the McAfee Downloads site and download the applicable product patch/hotfix file:

Product Type Patch Version File Name Release Date
ePO 4.6.9 Patch 4.6.9 EPO469L.zip Feb 2015
ePO 5.1.2 Patch 5.1.2 EPO512L.zip Q2 2015
Roy Miehe | MspPortal.net | Ceo/President
MspPortal Partner Network
Where Service and Technical Skills Count
MspPortal.net Software Family
mspencryptmail.net | mspsecuremail.net |
mspmailfilter.net | mspsecureweb.net |
mspmanagednetwork.net | mspsecurebackup.net

Comments are closed.

%d bloggers like this: