[funsec] EPO vulnerability

Blanchard_Michael at emc.com Blanchard_Michael at emc.com
Wed Mar 14 13:42:09 CDT 2007

 Just a heads up for those running McAfee's EPO, in case you haven't seen this yet:

A vulnerability has been discovered in McAfee ePolicy Orchestrator (ePO) 3.61.  A successful exploit of these security flaws would allow an attacker to remotely execute arbitrary code on the machine running McAfee ePolicy Orchestrator (ePO) server or the ePO management console.  In order for this attack to work, an attacker has to be assisted by a user either on the ePO server or a user on a machine with the ePO remote management console installed on it.  One such way that a user on one of these machines could assist the attacker is by rendering a malicious web page through Microsoft's Internet Explorer (IE).  The command execution by the attacker will be limited to the privileges of the user on the machine.  The attack requires reverse engineering of ePO, establishing a malicious web page and the cooperation of an ePO user. This attack will not result in a privilege escalation above that of the user assisting the attack.  The ePO 3.6.1 Patch 1 will not allow these attacks to be successful.
McAfee ePO 3.61 Patch 1 has been available via McAfee ServicePortal <https://mysupport.mcafee.com/eservice_enu/start.swe> since February 21, 2007.  This update removes the risk associated with this security flaw.

*Frequently Asked Questions (FAQ) related to this security bulletin*
 - Who is affected by this security vulnerability? 
 -- McAfee ePolicy Orchestrator 3.6.1 and earlier customers could be affected by this vulnerability. McAfee urges all customers to verify that they have received the latest updates.
 - Does this vulnerability affect McAfee enterprise products? 
 -- Yes, only ePolicy Orchestrator Server 3.6.1 and earlier.
 - How do I know if my ePO server is patched or not?
 -- Log into the ePolicy Orchestrator console and verify if the server version is less than Server version less than are un-patched.
 - What has McAfee done to resolve the issue? 
 -- McAfee believes in providing the most secure software to customers and has provided an update to this security flaw.
 - Where do I download the fix from?
 -- The fix can be downloaded from: https://mysupport.mcafee.com/eservice_enu/start.swe
 -- User may need to provide the grant number to initiate the download.
 - How does McAfee respond to this and any other security flaws? 
 -- McAfee's key priority is the security of its customers. In the event that a vulnerability is found within any of McAfee's software, a strong process is in place to work closely with the relevant security research group to ensure the rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

Michael P. Blanchard 
Antivirus / Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Office of Information Security & Risk Management 
EMC ² Corporation 
4400 Computer Dr. 
Westboro, MA 01580 
Office: (508)898-7102      
Cell:     (508)958-2780 
Pager:  (877)552-3945 
email:  Blanchard_Michael at EMC.COM 
