COMMAND

    McAfee ePolicy Orchestrator Format String Vulnerability

SYSTEMS AFFECTED

    McAfee ePolicy Orchestrator 2.5.1

PROBLEM

    In:

        @stake, Inc.
        www.atstake.com
        Security Advisory

        Advisory Name:  ePolicy Orchestrator Format String Vulnerability
        Release Date:   03/17/2003
        Application:    McAfee ePolicy Orchestrator 2.5.1
        Platform:       Windows 2000 Server SP1
                        Windows 2000 Pro SP1
        Severity:       There is a format string vulnerability that leads
                        to the remote execution of code as SYSTEM.
        Authors:        Ollie Whitehouse [ollie@atstake.com]
                        Andreas Junestam [andreas@atstake.com]
        Vendor Status:  Vendor has patch available
        CVE Candidate:  CAN-2002-0690
        Reference:      www.atstake.com/research/advisories/2003/a031703-1.txt

        --snip--

        The ePolicy Orchestrator Agent is a service that allows the
        retrieval of log data. It should be noted that the Agent does not
        require password authentication to gain access and allows the
        retrieval of sensitive information (i.e. the source AV server,
        local paths etc.). By default the agent runs as SYSTEM on the host
        and thus can be used to either elevate local privileges or
        remotely compromise the host.

        The ePO agent uses the HTTP protocol to communicate on port 8081.
        Sending a GET request with a request string containing a few
        format string characters will cause the service to terminate. An
        event will be written to the event log detailing the crash. A
        properly constructed malicious string containing format string
        characters will allow the execution of arbitrary code.

        --snap--

SOLUTION

    The vendor has made a patch available. It is not directly
    downloadable. Call to request the patch. It is delivered via email.

    Contact information:
    http://www.nai.com/naicommon/aboutnai/contact/intro.asp#software-support

    @stake Recommendation:

    If you have a support contract and are eligible for the patch you
    should request it and install it.
If you cannot patch, you should consider host based filtering so that only the network management systems that need to communicate with the hosts running ePO can connect on TCP port 8081. This requires a host based firewall.
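The two facts a defender can act on in this advisory are the agent's listening port (TCP 8081) and the shape of the trigger (an HTTP GET whose request string carries printf-style conversion specifiers). The following Python is an added example, not part of the @stake advisory or of any McAfee tooling: it runs a small allowlist-plus-content check over connection log lines of a constructed format (source address, destination port, quoted request line), flagging requests to 8081 from hosts outside the management allowlist and requests whose path contains format specifiers. The log layout, the management addresses and the sample lines are all hypothetical; adapt the regex to what your proxy, host firewall or IDS actually records.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Port the ePO agent listens on, per the advisory.
EPO_AGENT_PORT = 8081

# Management hosts allowed to reach the agent.  Hypothetical addresses,
# constructed for this example.
ALLOWED_SOURCES = {"10.0.0.5", "10.0.0.6"}

# printf-style conversion specifier: %[flags][width][.prec][length]conv.
# A request path to this agent has no legitimate reason to carry one.
FORMAT_SPEC = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfFgGaAcspn]"
)

# Constructed log layout: <src ip> <dst port> "<METHOD> <path> HTTP/1.x"
REQUEST_LINE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dport>\d+) "
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]"$'
)


@dataclass
class Finding:
    src: str
    path: str
    reasons: List[str]


def inspect_request(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious request to the agent, else None."""
    m = REQUEST_LINE.match(line.strip())
    if not m or int(m["dport"]) != EPO_AGENT_PORT:
        return None  # unparseable, or not traffic to the ePO agent port
    src, path = m["src"], m["path"]
    reasons: List[str] = []

    if src not in ALLOWED_SOURCES:
        reasons.append("source not in management allowlist")

    # Inspect the percent-decoded path: "%25s" on the wire is "%s" to a
    # server that URL-decodes before logging, so raw matching alone misses it.
    specs = FORMAT_SPEC.findall(unquote(path))
    if specs:
        reasons.append("format specifiers in decoded request path: " + " ".join(specs))

    return Finding(src, path, reasons) if reasons else None


def scan_log(text: str) -> List[Finding]:
    """Apply inspect_request to every non-empty line of a log excerpt."""
    return [f for f in (inspect_request(l) for l in text.splitlines() if l.strip()) if f]


# Constructed sample log: one clean management request, one request from an
# unexpected host, one carrying format specifiers, and one to a non-agent port.
SAMPLE_LOG = """\
10.0.0.5 8081 "GET /Agent/log HTTP/1.0"
192.168.1.77 8081 "GET /Agent/log HTTP/1.0"
192.168.1.77 8081 "GET /%s%x HTTP/1.0"
10.0.0.5 80 "GET /%s HTTP/1.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding.src} {finding.path}: {'; '.join(finding.reasons)}")
```

The allowlist check is the same policy the host-based firewall would enforce, expressed as a detection rather than a block; running it over historical logs tells you which hosts already talk to port 8081 before you tighten the filter, and the specifier check gives you a signal for the crash events the advisory says are written to the event log.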