===========================================================================
              AUSCERT Security Bulletin ASB-2014.0022
     A vulnerability has been identified in McAfee ePolicy Orchestrator
                             27 February 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee ePolicy Orchestrator
Operating System:     Windows Server 2003
                      Windows Server 2008
                      Windows Server 2008 R2
                      Windows Server 2008 with Hyper-V
                      VMware ESX Server
                      Citrix XenServer
Impact/Access:        Read-only Data Access -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Saturday, March 29 2014

OVERVIEW

        A vulnerability has been identified in McAfee ePolicy Orchestrator
        prior to version 4.6.7. [1]

IMPACT

        The vendor has provided the following details regarding this
        vulnerability:

        "Users with authenticated access to the ePO-web application and
        assigned permissions with the ability to edit their own dashboards,
        queries and reports are able to import malicious XML definitions to
        read a large number of server side system files, including the
        database configuration properties to further other attacks." [1]

MITIGATION

        The vendor recommends applying the appropriate patch or upgrading
        to the latest release to correct these issues. [1]

REFERENCES

        [1] McAfee Security Bulletin - ePO update fixes an XML Entity
            Injection vulnerability
            https://kc.mcafee.com/corporate/index?page=content&id=SB10065

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
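The flaw in the bulletin above is an XML entity injection in a user-supplied import path: a dashboard, query or report definition can carry a DTD whose entities the server-side parser resolves against local files. The usual application-level hardening is to refuse any imported definition that declares a DTD at all, before a full parser ever sees it. The following is an added illustration of that gate, not code from ePO, McAfee or AusCERT; the element names (`dashboard`, `query`) and both sample definitions are constructed for the demonstration and are not ePO's real import schema.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXmlImport(ValueError):
    """Raised when an imported definition carries a DTD, the vehicle for entity injection."""


def reject_dtd(data: bytes) -> None:
    """Stream the document through expat and abort on the first DOCTYPE declaration.

    Expat invokes this handler before any entity inside the DTD is declared or
    expanded, so nothing in the internal or external subset is ever resolved.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        where = "external subset" if system_id else "internal subset"
        raise UnsafeXmlImport(f"DOCTYPE for <{name}> with {where} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)  # also raises ExpatError on malformed input


def import_dashboard(data: bytes) -> tuple:
    """Return ("ok", parsed) for a safe definition, or ("rejected", reason) for the audit log."""
    try:
        reject_dtd(data)
        root = ET.fromstring(data)  # the gate guarantees no DTD reaches this parser
    except (UnsafeXmlImport, expat.ExpatError, ET.ParseError) as exc:
        return ("rejected", str(exc))
    return ("ok", {"name": root.get("name"),
                   "queries": [q.get("name") for q in root.iter("query")]})


# Constructed sample definitions (hypothetical schema, not ePO's).
CLEAN_DEFINITION = b"""<?xml version="1.0"?>
<dashboard name="Endpoint summary">
  <query name="Agents by version"/>
  <query name="Threat events, last 7 days"/>
</dashboard>"""

# Same shape, but with a DTD that declares an external entity; the path is a placeholder.
UNSAFE_DEFINITION = b"""<?xml version="1.0"?>
<!DOCTYPE dashboard [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER_SERVER_PATH"> ]>
<dashboard name="&ext;"><query name="x"/></dashboard>"""

if __name__ == "__main__":
    for sample in (CLEAN_DEFINITION, UNSAFE_DEFINITION):
        print(import_dashboard(sample))
```

The rejection reason is returned rather than raised so the import endpoint can log it as a detection event; a stream of such rejections from one account is the observable trace of an attempt against the bug class this bulletin describes.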