-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin ASB-2015.0002
     Vulnerabilities have been identified in McAfee ePolicy Orchestrator (ePO)
                              12 January 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee ePolicy Orchestrator
Operating System:     Windows
                      VMware ESX Server
                      Citrix XenServer
Impact/Access:        Access Confidential Data -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-0922 CVE-2015-0921
Member content until: Wednesday, February 11 2015

OVERVIEW

        Multiple vulnerabilities have been identified in McAfee ePolicy
        Orchestrator (ePO) prior to ePO 4.6.8 and ePO 5.1.1. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "CVE-2015-0921 - XML Entity Injection: Users with authenticated
        access to the ePO-web application and who are assigned permissions
        with the ability to add/update a custom filter to the areas that
        use custom filters, such as Audit Log and Server Task Log, are able
        to inject malicious XML definitions." [1]

        "CVE-2015-0922 - Metasploit Credential Disclosure: After this XML
        attack is successful, the authenticated user can then leverage
        Metasploit to read a large number of ePO server side system files,
        including the database configuration properties, to further other
        attacks. This portion of the exploit is not possible unless the XML
        attack is successful." [1]

MITIGATION

        The vendor recommends applying the appropriate patch or upgrading
        to the latest release to correct these issues. [1]

REFERENCES

        [1] McAfee Security Bulletin - ePO workaround prevents an XML
            Entity Injection and Metasploit Credential vulnerability
            https://kc.mcafee.com/corporate/index?page=content&id=SB10095

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVLNQ5hLndAQH1ShLAQJx9xAApvzRT0fuT222JC5G8GSUKbCJIcS+pxY0
stppJlvs4KsmcyKIoPtGZdcwuh1vBvYujUs7keR8Tigimri4x3E0Zea6WUS1Vb76
WGwptKQYZ+u2OzVeQSvofAjG87baJDPmYzWUMbMqLK3g+GwJnGmPtjx96g4QY4LD
F+DjdO2J5Z+l/YnFTnRyZyC7m5yWhnTelM8aoxl022TRSk+iaRpggoXtiQa96GJ7
kbizc73rSReIcMz5VnqsUGl6sOZAodAXpb+LjjYeLDLcIrs6ZmXN0NtMCjkc58Jn
PLtpZB6iYEpyXW1y8Ez6NQHb6Ykwl/a/QbmvoDt8Z+lVrNr9csoB49zSnZ89tZdP
bDBTdySXSf0ivac5l1cCNEbgBHPU1XyOsXl0PSSK4uBYbQkl1vd5TIhxv63tsM9G
2jgIw3A6S05jt+KNFu4TKIdu9VPRW7L+KfZ/VBZ+uPlyDm2A6V1Et6PNlrYdNRJs
zlOH7MRhTIW9FNRxoF6Ttxsd1j3KMu4RzJ3m7vRdV+Fa+ipPWCR8OmqVEiSNa36Q
BTtiIh6gwDDFdKz9VeEQm+w36dWXhdLDRUBXLC8N/Cr/GLKjlEjQFul2YRttm6ii
QZzWoxR0Py4xHVivEpoWUuZKJVryqxEo7tnliHeADc4id0z0tYQQ3YWs1KcolqEc
4YaSv8otPO8=
=Mr2+
-----END PGP SIGNATURE-----
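The bulletin's root cause is an XML parser that honours a DTD supplied by an authenticated user inside a custom-filter definition. The following is an added example, not code from AusCERT or from McAfee's ePO, of the hardening that closes that class: a parser target that aborts as soon as a DOCTYPE declaration appears, so no entity (internal or SYSTEM) can ever be declared, plus a cheap string check suited to alerting on what users submit. The <filter> layout, the function names and the placeholder file path are assumptions of this example, not ePO's real schema.

```python
# Added example (not part of the AusCERT bulletin or of McAfee ePO): refuse any DTD in
# user-submitted XML such as a custom filter definition, which removes the XML entity
# injection class described in the bulletin. Uses only the standard library.
import re
from xml.etree import ElementTree as ET


class UntrustedXMLError(ValueError):
    """Submitted XML uses a construct a filter definition never legitimately needs."""


class _NoDoctypeTarget:
    """Parser target that builds a tree like ET.TreeBuilder but aborts on <!DOCTYPE>.

    ElementTree calls target.doctype() when expat reports the start of the DOCTYPE
    declaration, i.e. before any internal-subset <!ENTITY ...> is processed, so
    raising here means no entity is ever defined, let alone resolved.
    """

    def __init__(self):
        self._builder = ET.TreeBuilder()

    def start(self, tag, attrs):
        return self._builder.start(tag, attrs)

    def end(self, tag):
        return self._builder.end(tag)

    def data(self, text):
        return self._builder.data(text)

    def close(self):
        return self._builder.close()

    def doctype(self, name, pubid, system):
        raise UntrustedXMLError(
            f"DTD not permitted in submitted filter (doctype {name!r})"
        )


# Cheap pre-parse signal; suitable for logging or alerting on submitted definitions
# without parsing them. `<!DOCTYPE` and `<!ENTITY` are literal, case-sensitive XML
# tokens, so a well-formed DTD cannot avoid this pattern.
_DTD_MARKERS = re.compile(r"<!(DOCTYPE|ENTITY)\b")


def has_dtd_markers(text: str) -> bool:
    """True if the submitted text carries a DTD or entity declaration marker."""
    return _DTD_MARKERS.search(text) is not None


def parse_filter_definition(text: str) -> ET.Element:
    """Parse a user-submitted filter under the no-DTD policy.

    Raises UntrustedXMLError on any DOCTYPE and ET.ParseError on malformed XML.
    """
    parser = ET.XMLParser(target=_NoDoctypeTarget())
    parser.feed(text)
    return parser.close()


def accepts(text: str) -> bool:
    """True if the definition parses under the hardened policy, False if rejected."""
    try:
        parse_filter_definition(text)
    except (UntrustedXMLError, ET.ParseError):
        return False
    return True


# Constructed sample inputs (hypothetical filter layout, not ePO's real schema).
BENIGN_FILTER = '<filter><field name="event">login</field></filter>'
DTD_FILTER = (
    '<!DOCTYPE filter [<!ENTITY ext SYSTEM "file:///placeholder/server-side/file">]>'
    '<filter><field name="event">&ext;</field></filter>'
)

if __name__ == "__main__":
    print("benign accepted:", accepts(BENIGN_FILTER))  # True
    print("DTD flagged:    ", has_dtd_markers(DTD_FILTER))  # True
    print("DTD accepted:   ", accepts(DTD_FILTER))  # False
```

The parser hook is the authoritative control; has_dtd_markers() is the cheap signal to log and alert on, since a filter definition that carries a DTD at all is worth an entry in the audit trail regardless of whether the parser would have resolved it.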