===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0022
    A vulnerability has been identified in McAfee ePolicy Orchestrator
                             27 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee ePolicy Orchestrator
Operating System:     Windows Server 2003
                      Windows Server 2008
                      Windows Server 2008 R2
                      Windows Server 2008 with Hyper-V
                      VMware ESX Server
                      Citrix XenServer
Impact/Access:        Read-only Data Access -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Saturday, March 29 2014

OVERVIEW

        A vulnerability has been identified in McAfee ePolicy Orchestrator 
        prior to version 4.6.7. [1]


IMPACT

        The vendor has provided the following details regarding this 
        vulnerability:
        
        "Users with authenticated access to the ePO-web application and 
        assigned permissions with the ability to edit their own dashboards, 
        queries and reports are able to import malicious XML definitions to 
        read a large number of server side system files, including the 
        database configuration properties to further other attacks." [1]
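The import path described above is where an XML External Entity (XXE) check belongs: a user-supplied dashboard, query or report definition should be refused outright if it carries a DOCTYPE or declares any entity, before a resolving parser ever sees it. The following is an added example written for this bulletin, not McAfee's code; the element names and the two sample documents are constructed, since the real ePO definition format is not shown here.

```python
# Added example (not McAfee's code): pre-parse check for user-imported XML
# definitions. Element names and samples are constructed, not the real ePO format.
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlDefinition(ValueError):
    """Raised when an uploaded definition declares a DOCTYPE or any entity."""


def entity_findings(xml_text: str) -> list:
    """Record DOCTYPE and entity declarations as expat walks the document.
    expat fetches external entities only when a handler is installed, so this
    pass observes declarations without resolving anything."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"doctype:{name} sysid={sysid!r}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        findings.append(f"{kind}-entity:{name} sysid={sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_text, True)  # ExpatError on malformed input; let it propagate
    return findings


def load_definition(xml_text: str) -> ET.Element:
    """Refuse any definition carrying a DOCTYPE or entity, then parse it normally.
    Such definitions have no legitimate need for a DTD, so rejecting the whole
    DOCTYPE stops external-entity reads, external DTD fetches and expansion bombs."""
    findings = entity_findings(xml_text)
    if findings:
        raise UnsafeXmlDefinition("; ".join(findings))
    return ET.fromstring(xml_text)


# Constructed samples: a harmless definition and one declaring an external entity.
BENIGN_DEFINITION = '<?xml version="1.0"?><query name="hosts"><column>name</column></query>'
EXTERNAL_ENTITY_DEFINITION = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE query [<!ENTITY ext SYSTEM "file:///constructed/example.txt">]>'
    '<query name="hosts"><column>&ext;</column></query>'
)
```

The findings list doubles as an audit record: logging it at the import endpoint gives a detection signal for anyone attempting this class of input against an unpatched server.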


MITIGATION

        The vendor recommends applying the appropriate patch or upgrading to
        the latest release to correct this issue. [1]


REFERENCES

        [1] McAfee Security Bulletin - ePO update fixes an XML Entity Injection
            vulnerability
            https://kc.mcafee.com/corporate/index?page=content&id=SB10065

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================