Security holes in McAfee's ePolicy Orchestrator
A McAfee security advisory details how its ePolicy Orchestrator (ePO) 4.5.6 and earlier and 4.6.5 and earlier are vulnerable to remote code execution and file path traversal. The current version, ePO 5.0 is not affected. ePO is McAfee's security management platform for managing and automating security workflows and compliance.
Two vulnerabilities were discovered in the software and both are exploited by registering a rogue agent on the ePO server and sending a maliciously crafted request. In one, the request makes use of SQL injection in the Agent-Handler component to gain the ability to execute code with system privileges. In the other, the request exploits the file upload process and allows an attacker to upload files into directories on the server, including the /Software/ folder where they can be downloaded by other systems.
McAfee has released ePO 4.6.6 to correct the problem in the 4.6 version and published a hotfix for version 4.5.5. The company says it plans to release version 4.5.7, which will incorporate the fixes for the vulnerabilities, in mid-May. To access the downloadable patches, users should go to the McAfee downloads page and enter their "McAfee grant number"; they should then select "View Available Downloads", then "McAfee ePolicy Orchestrator" and, finally, the "Patches" tab. A McAfee Knowledgebase article has more details of the download process for updates.