-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0002
 Vulnerabilities have been identified in McAfee ePolicy Orchestrator (ePO)
                              12 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee ePolicy Orchestrator
Operating System:     Windows
                      VMware ESX Server
                      Citrix XenServer
Impact/Access:        Access Confidential Data -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-0922 CVE-2015-0921 
Member content until: Wednesday, February 11 2015

OVERVIEW

        Multiple vulnerabilities have been identified in McAfee ePolicy 
        Orchestrator (ePO) prior to ePO 4.6.8 and ePO 5.1.1. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "CVE-2015-0921 - XML Entity Injection: Users with authenticated 
        access to the ePO-web application and who are assigned permissions 
        with the ability to add/update a custom filter to the areas that use
        custom filters, such as Audit Log and Server Task Log, are able to 
        inject malicious XML definitions." [1]
        
        "CVE-2015-0922 - Metasploit Credential Disclosure:
        
        After this XML attack is successful, the authenticated user can then
        leverage Metasploit to read a large number of ePO server side system
        files, including the database configuration properties, to further 
        other attacks. This portion of the exploit is not possible unless 
        the XML attack is successful." [1]


MITIGATION

        The vendor recommends applying the appropriate patch or upgrading to
        the latest release to correct these issues. [1]


REFERENCES

        [1] McAfee Security Bulletin - ePO workaround prevents an XML Entity
            Injection and Metasploit Credential vulnerability
            https://kc.mcafee.com/corporate/index?page=content&id=SB10095

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVLNQ5hLndAQH1ShLAQJx9xAApvzRT0fuT222JC5G8GSUKbCJIcS+pxY0
stppJlvs4KsmcyKIoPtGZdcwuh1vBvYujUs7keR8Tigimri4x3E0Zea6WUS1Vb76
WGwptKQYZ+u2OzVeQSvofAjG87baJDPmYzWUMbMqLK3g+GwJnGmPtjx96g4QY4LD
F+DjdO2J5Z+l/YnFTnRyZyC7m5yWhnTelM8aoxl022TRSk+iaRpggoXtiQa96GJ7
kbizc73rSReIcMz5VnqsUGl6sOZAodAXpb+LjjYeLDLcIrs6ZmXN0NtMCjkc58Jn
PLtpZB6iYEpyXW1y8Ez6NQHb6Ykwl/a/QbmvoDt8Z+lVrNr9csoB49zSnZ89tZdP
bDBTdySXSf0ivac5l1cCNEbgBHPU1XyOsXl0PSSK4uBYbQkl1vd5TIhxv63tsM9G
2jgIw3A6S05jt+KNFu4TKIdu9VPRW7L+KfZ/VBZ+uPlyDm2A6V1Et6PNlrYdNRJs
zlOH7MRhTIW9FNRxoF6Ttxsd1j3KMu4RzJ3m7vRdV+Fa+ipPWCR8OmqVEiSNa36Q
BTtiIh6gwDDFdKz9VeEQm+w36dWXhdLDRUBXLC8N/Cr/GLKjlEjQFul2YRttm6ii
QZzWoxR0Py4xHVivEpoWUuZKJVryqxEo7tnliHeADc4id0z0tYQQ3YWs1KcolqEc
4YaSv8otPO8=
=Mr2+
-----END PGP SIGNATURE-----