Vulnerability has medium severity, patched by McAfee

Jun 5, 2015 13:11 GMT

Organizations relying on certain versions of McAfee ePolicy Orchestrator (ePO) security management software are susceptible to man-in-the-middle (MitM) attacks that could expose, in plain text, the supposedly secure communication ePO sends to external registered servers.

McAfee ePO is part of the McAfee Security Management Platform, used in enterprise environments for centralized management of endpoint, network and data security.

The software offers a single control point for deploying security products, patches and updates to systems in the network, as well as for managing the policies of the protection solutions.

It can also be integrated with external servers and configured to send data to them in a secure manner, using the SSL/TLS cryptographic protocol. Under the certificate-based trust model, such connections are validated using a certificate issued by a trusted entity, the Certificate Authority (CA).

Exploitation possible via MitM

A security researcher who chose to remain anonymous found that McAfee ePO does not check the issuing certificate authority, the common name or the domain name present in the certificate, which means that any SSL/TLS certificate is accepted.

A security advisory published on Thursday by the CERT (Cyber Emergency Response Team) division at Carnegie Mellon University warns that improper validation of the certificates can be exploited by an attacker in a position to intercept traffic between ePO and the registered server.

Apart from being able to read the communication in decrypted form, the threat actor could also alter it, CERT’s advisory notes.
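The two checks the article says ePO skipped, issuer trust and name matching, are what separate a TLS client that detects interception from one that silently accepts it. The following is an added example, not McAfee code: a name-matching routine of the kind a correct client must apply (RFC 6125 rules), the accept-anything client posture beside the corrected one, and an audit helper; the certificate and host names are constructed samples.

```python
import ssl
from typing import Dict, Iterable, List, Optional


def names_from_cert(cert: Dict) -> List[str]:
    """DNS names a client may match against, from ssl.getpeercert()'s dict form:
    subjectAltName DNS entries, falling back to the subject CN only when the
    certificate carries no SAN at all (RFC 6125 section 6.4.4)."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(expected_host: str, cert_names: Iterable[str]) -> bool:
    """True if expected_host matches one certificate name: exact match, or a '*'
    standing for the whole leftmost label only; a wildcard never spans a dot."""
    host = expected_host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if labels[0] == "*" and "*" not in name[1:] and len(labels) >= 3:
            if len(labels) == len(host) and labels[1:] == host[1:]:
                return True
    return False


def unverified_context() -> ssl.SSLContext:
    """The posture the article describes: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected posture: chain must anchor in a trusted CA and the name must match."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this context reject untrusted or mis-named certificates?"""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample in getpeercert() dict form (not a real ePO or registered-server certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "siem.example.test"),),),
    "subjectAltName": (("DNS", "siem.example.test"), ("DNS", "*.logs.example.test")),
}
```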

To mitigate the risk, McAfee released two updates, versions 4.6.9 and 5.1.2, which also address other problems.

Hacker needs to be in the network

The vulnerability was reported on December 22, 2014, and it is currently tracked as CVE-2015-2859. It was assigned a severity score of 6.4 out of 10.0 under the Common Vulnerability Scoring System (CVSS).

Although no authentication is required and the confidentiality impact is complete, exploiting the flaw is rated as medium complexity, and the attacker would need to have already compromised the infrastructure and gained access to an adjacent network.