Dangerous hole found in McAfee ePO antivirus central management suite
Intel Security's McAfee has released a patch for a critical SQL injection flaw in ePolicy Orchestrator (ePO), the admin console used to manage software and antivirus on tens of millions of enterprise devices worldwide.
Cisco's Talos security team disclosed details of the issue today, warning that anyone on the web can send a specially crafted HTTP POST carrying an SQL query that causes an ePO database to spill enough information to profile users or monitor IT infrastructure.
“An attacker can use any HTTP client to trigger this vulnerability,” Talos researchers said.
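To make the mechanism concrete, here is an added, self-contained illustration of the bug class described above (string-built SQL fed from an HTTP POST parameter) beside its parameterized fix. This is example code written for this article, not McAfee's ePO code or Talos's proof of concept: the table names, columns, sample rows, the `hostname` form field and both payloads are constructed assumptions, since the page does not name the real endpoint or parameter.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode

# Constructed sample data resembling what a central management console holds.
# This is an invented schema for illustration, not the ePO database layout.
SAMPLE_AGENTS = [
    ("host-01", "10.0.0.11", "alice"),
    ("host-02", "10.0.0.12", "bob"),
    ("dc-01", "10.0.0.5", "svc_backup"),
]

# Attacker-supplied values for the (assumed) "hostname" POST field.
# Constructed payloads; not the ones Talos used.
DUMP_ALL = "' OR '1'='1"
UNION_ADMINS = "' UNION SELECT username, pw_hash, 'admins' FROM admins --"


def build_db():
    """Create an in-memory database with an agent inventory and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agents (hostname TEXT, ip TEXT, last_user TEXT)")
    conn.execute("CREATE TABLE admins (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO agents VALUES (?, ?, ?)", SAMPLE_AGENTS)
    conn.execute("INSERT INTO admins VALUES ('epoadmin', 'deadbeef')")
    conn.commit()
    return conn


def lookup_agent_vulnerable(conn, hostname):
    """Vulnerable: the request parameter is concatenated straight into SQL,
    so quotes, OR clauses and UNIONs in it are executed by the database."""
    sql = ("SELECT hostname, ip, last_user FROM agents "
           "WHERE hostname = '" + hostname + "'")
    return conn.execute(sql).fetchall()


def lookup_agent_fixed(conn, hostname):
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT hostname, ip, last_user FROM agents WHERE hostname = ?"
    return conn.execute(sql, (hostname,)).fetchall()


def handle_post(conn, body, hardened):
    """Simulate a console endpoint that reads one form field from a raw
    application/x-www-form-urlencoded POST body and queries the database."""
    hostname = parse_qs(body).get("hostname", [""])[0]
    lookup = lookup_agent_fixed if hardened else lookup_agent_vulnerable
    return lookup(conn, hostname)


if __name__ == "__main__":
    db = build_db()
    body = urlencode({"hostname": UNION_ADMINS})
    print("vulnerable:", handle_post(db, body, hardened=False))  # leaks admins row
    print("hardened:  ", handle_post(db, body, hardened=True))   # returns []
```

The `DUMP_ALL` payload turns a single-host lookup into a full inventory dump, which is the passive profiling Talos describes; the `UNION_ADMINS` payload pulls rows from an unrelated table through the same field. With the bound parameter, both strings are simply compared against `hostname` and match nothing.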
ePO is used by 30,000 enterprise customers worldwide, and is responsible for keeping 60 million devices secure, according to McAfee.
McAfee has given the bug the maximum CVSS v3 base score of 10.0, noting that it is not complex to exploit and requires neither privileges nor user interaction.
Affected products include ePO 5.1.3 and earlier and ePO 5.3.2 and earlier. The company has released hotfix files to address the issue.
Security admins use the ePO console to centrally manage antivirus and software policies via software agents installed on endpoint devices. Talos researchers found that the bug can also be used to impersonate these agents and cause information disclosure.
Given ePO’s role in managing endpoint antivirus, the software is likely to be an attractive target to attackers. It serves as yet another reminder that flaws in security software can widen a user’s attack surface, as a former .
“Vulnerabilities can permit deep insight into the organization without an attacker requiring any privileged access to the centralized platforms such as Active Directory. With this access an attacker can profile users and the infrastructure passively,” said Talos.
Talos says the vulnerability lies within the application server for ePO’s Apache Tomcat-based administrator management console. The server is reachable via the console directly, or by way of a custom protocol, known as SPIPE, that hands off communication between agents and the console.
Talos' detailed writeup is available, and explains that ePO customers can mitigate this attack by shutting off direct access to the console and limiting access to SPIPE.
“To ensure that an attacker does not have direct access to the vulnerability and instead has to use just SPIPE as an agent, verify that port 8443 that the McAfee