Dangerous hole found in McAfee ePO antivirus central management suite

  • Liam Tung (CSO Online)
  • 03 February, 2017 09:06

Intel Security’s McAfee has released a patch for a critical SQL injection flaw in ePolicy Orchestrator or ePO, its admin console used to centrally manage software and antivirus on tens of millions of enterprise devices worldwide.

Cisco’s Talos security team disclosed details of the issue today, warning that anyone on the web can send a specially crafted HTTP POST containing an injected SQL query that causes an ePO database to spill enough information to profile users or monitor IT infrastructure.

“An attacker can use any HTTP client to trigger this vulnerability,” Talos researchers said.

ePO is used by 30,000 enterprise customers worldwide, and is responsible for keeping 60 million devices secure, according to McAfee.

McAfee has given the bug the highest CVSS v3 Base score of 10.0, noting that the bug is not complex to exploit and doesn’t require user privileges or interaction.

Affected products include ePO 5.1.3 and earlier and ePO 5.3.2 and earlier. The company has released hotfix files to address the issue.

Security admins use the ePO console to centrally manage antivirus and software policies via software agents that are installed on endpoint devices. Talos researchers discovered that the bug can also be used to impersonate these agents and cause information disclosure.

Given ePO's role in managing endpoint antivirus, the software is likely to be an attractive target to attackers. It serves as yet another reminder that flaws in security software can widen a user's attack surface, as a former Mozilla engineer highlighted recently.

“Vulnerabilities like this can allow deep insight into the organization without an attacker requiring any privileged access to centralized platforms such as Active Directory; with this access an attacker can profile users and the infrastructure passively,” said Talos.

Talos says the vulnerability lies within the application server for ePO’s Apache Tomcat-based administrator management console. The server is reachable via the console directly, or by way of a custom protocol, known as SPIPE, that hands off communication between agents and the console.

Talos’ detailed writeup is available here, where it explains that to mitigate this attack ePO customers can shut off direct access to the console and limit it to SPIPE.

“To ensure that an attacker does not have direct access to the vulnerability and instead has to use just SPIPE as an agent, verify that port 8443 that the McAfee ePolicy Orchestrator Console is bound to is inaccessible by ePolicy Orchestrator’s agents and can only be accessed by Administrators,” wrote Talos.
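One way to apply and check that mitigation on the ePO server itself, as an added example that is not part of the Talos or McAfee guidance: it assumes ePO runs on Windows Server with Windows Defender Firewall, that the console is bound to TCP 8443 as the advisory states, that agents reach the server over SPIPE on a different port, and that the admin management subnet (a placeholder value here) is the only source that should reach the console.

```powershell
# Assumed values, not taken from the advisory: the admin subnet and the console port.
$AdminSubnet = '10.10.50.0/24'   # placeholder: subnet of the administrators' workstations
$ConsolePort = 8443              # ePO console port named in the Talos advisory

# 1. Find every existing inbound Allow rule for TCP/8443 and scope it to the admin subnet.
#    Windows Firewall evaluates Block rules before Allow rules, so narrowing the
#    Allow rule is safer than adding a competing Block rule.
$existing = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$ConsolePort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

foreach ($rule in $existing) {
    Write-Host "Scoping rule '$($rule.DisplayName)' to $AdminSubnet"
    $rule | Set-NetFirewallRule -RemoteAddress $AdminSubnet
}

# 2. If no rule existed, create one limited to the admin subnet; everything else
#    then falls through to the profile's default inbound action.
if (-not $existing) {
    New-NetFirewallRule -DisplayName 'ePO console (administrators only)' `
        -Direction Inbound -Protocol TCP -LocalPort $ConsolePort `
        -RemoteAddress $AdminSubnet -Action Allow | Out-Null
}

# 3. The scoping only helps if the default inbound action is Block; warn otherwise.
Get-NetFirewallProfile |
    Where-Object { $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object {
        Write-Warning "Profile $($_.Name) default inbound action is $($_.DefaultInboundAction), not Block"
    }

# 4. Show the resulting rule scope for review.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$ConsolePort" } |
    Get-NetFirewallRule |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run it from an elevated PowerShell session on the ePO server, then confirm from an agent host that `Test-NetConnection -ComputerName <epo-server> -Port 8443 -InformationLevel Quiet` returns False while an admin workstation still connects.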