Summary
McAfee ePolicy Orchestrator is installed on this host and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow attackers to obtain the administrator password and gain access to arbitrary files.
Impact Level: Application
Solution
Upgrade to McAfee ePolicy Orchestrator version 4.6.9 or 5.1.2 or later. For updates, refer to www.mcafee.com/uk/products/epolicy-orchestrator.aspx
Insight
Multiple flaws exist:
- An incorrectly configured XML parser accepts XML external entities from an untrusted source.
- The application uses the same secret key across different customers' installations.
Affected
McAfee ePolicy Orchestrator versions before 4.6.9 and 5.x before 5.1.2
Detection
Get the installed version with the help of the detect NVT and check whether the version is vulnerable.
References
Severity
Classification
- CVE: CVE-2015-0921, CVE-2015-0922
- CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)