McAfee Patches Critical ePolicy Orchestrator Flaw
The flaw targets the HTTP server portion of the applications and can be triggered when an attacker sends an abnormally large source header in an HTTP request, according to a Symantec Deepsight Threat Management system bulletin issued Monday.
If certain ports are open and a firewall is not in place, an unpatched server could allow attackers to execute arbitrary code, David Coffey, principal security architect at McAfee, told CRN.
ePolicy Orchestrator (ePO) is security management software that provides a central console for managing McAfee enterprise security products. ProtectionPilot is software that monitors the network and automatically deploys security updates for desktop PCs, servers and e-mail systems.
Security researcher Mati Aharoni of the BackTrack Development Team discovered the vulnerability and notified McAfee on July 14.
Coffey acknowledged that McAfee was made aware of the flaw on July 14 but said the complexity of the patch and the need to conduct quality assurance prevented the Santa Clara, Calif.-based company from releasing a fix until Monday.
Exploitation of an ePO server could result in the compromise of every client system managed by that particular server, and attackers could leverage the flaw to push a new "update" file that contains a back door, according to HD Moore, director of security research at BreakingPoint Systems and developer of the open-source Metasploit vulnerability testing tool.
A Metasploit exploit module and a Python proof-of-concept have been published for the flaw, which affects McAfee ePO versions 3.5.0 patch 5 and older and ProtectionPilot versions 1.1.1 patch 2 and older.
Security firm Secunia rated the McAfee vulnerability as "moderately critical," or 3 on a 5-point scale. Symantec's Deepsight Threat Management team saw it as far more serious, assigning the flaw its highest rating of 10 on a 10 point scale.
In July, McAfee apologized for inadvertently patching a vulnerability in the agent software of ePO in an earlier update without informing customers.