Softpedia
 


July 14th, 2006, 09:50 GMT · By

McAfee ePolicy Orchestrator Remote Vulnerability

Machines running McAfee ePolicy Orchestrator (EPO) agent 3.5.0.x, as well as previous versions, shared a vulnerability discovered by McAfee and eEye Digital Security. McAfee has already silently patched the flaw, and the two companies published details of the vulnerability only after the security update was implemented.

All Windows-based systems running EPO were exposed to potential exploits prior to McAfee's patch release. The ePolicy Orchestrator is marketed as part of the McAfee enterprise suite as a remote security management application. The software facilitates the configuration and implementation of protection policies, centralized security monitoring and agent deployment.

The EPO directory traversal vulnerability lies within the Framework Service component of the software's management console. Through a directory traversal attack that takes advantage of an input validation error, the Framework Service can be made to accept malicious files submitted to the remote system. The service is enabled by default on all machines and listens on port 8081 for SHA-1 hashed, DSA-signed, encrypted requests carrying configuration and update modifications.

"The framework service accepts POST requests over the /spipe/pkg interface. These POST requests contain a header which indicates the type of package request, UUID, and computer hostname. Depending on the request, the block that follows may contain data specific to that request. In the case of this vulnerability, the type of request (PackageType) is 'PropsResponse'. The data that follows first specifies a directory and xml filename, and is followed by the contents of the xml file. Due to improper sanity checking on the directory and filename, it is possible to use a directory traversal attack to write a user defined filename, with user defined contents, anywhere on the system," eEye Digital Security disclosed.
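The sanity check the advisory says was missing can be sketched as follows. This is an added example, not McAfee's or eEye's code; it shows an unchecked join beside a check that confines a request-supplied directory and XML filename to one base directory. The function names, the base directory and the sample inputs are assumptions made for illustration.

```python
import os
import re

# One path component: starts with an alphanumeric, so "", "." and ".." fail,
# and contains no separator, colon (drive letter) or control character.
_SAFE_PART = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


class UnsafePath(ValueError):
    """The requested directory or filename was rejected."""


def naive_target(base_dir, directory, filename):
    """Unchecked join, shown for contrast: '..' components escape base_dir."""
    return os.path.normpath(os.path.join(base_dir, directory, filename))


def resolve_target(base_dir, directory, filename):
    """Return the absolute path to write, confined to base_dir, or raise."""
    # Split on both separators so Windows-style input is checked on any OS.
    parts = re.split(r"[\\/]", directory) if directory else []
    for part in parts + [filename]:
        if not _SAFE_PART.fullmatch(part):
            raise UnsafePath(f"rejected path component: {part!r}")
    if not filename.lower().endswith(".xml"):
        raise UnsafePath("only .xml files are accepted")
    # Second check: after resolving symlinks the target must stay under base.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *parts, filename))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("resolved path escapes the base directory")
    return target


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()  # constructed stand-in for the agent's data dir
    # Constructed sample requests (directory, filename).
    for d, f in [("props/host1", "props.xml"), ("../../outside", "x.xml"),
                 ("..\\..\\outside", "x.xml"), ("C:\\Windows", "x.xml")]:
        try:
            print("accepted:", resolve_target(base, d, f))
        except UnsafePath as exc:
            print("rejected:", (d, f), "->", exc)
```

Validating each component against an allow-list and then re-checking the resolved path covers both the textual `..` case and a symlink planted inside the base directory.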
