ISS X-Force Database: epolicy-execute-commands(14166): McAfee ePolicy Orchestrator command execution

McAfee ePolicy Orchestrator command execution

epolicy-execute-commands (14166)

High Risk

Description:

McAfee ePolicy Orchestrator (ePo) could allow an attacker to gain unauthorized access. By sending a specially-crafted HTTP request, a remote attacker could install arbitrary files, including executables, on the system and possibly gain Administrator access to the vulnerable ePo server. In certain configurations this vulnerability could lead to enterprise-wide exploitation.

Platforms Affected:

McAfee, ePolicy Orchestrator 2.5 SP1
McAfee, ePolicy Orchestrator 2.5
McAfee, ePolicy Orchestrator 2.5.1
McAfee, ePolicy Orchestrator 3.0 SP2a
McAfee, ePolicy Orchestrator 3.0

Remedy:

Apply Patch 4 for ePolicy Orchestrator version 3.0 Service Pack 2a, available from the McAfee Security Hotfix Web page. See References.

Consequences:

Gain Access

References:

Internet Security Systems Security Advisory, May 10, 2004, McAfee ePolicy Orchestrator Remote Compromise Vulnerability at http://xforce.iss.net/xforce/alerts/id/173.
McAfee Security Hotfix Web page, Patch 4 for ePolicy Orchestrator version 3.0 Service Pack 2a at http://www.networkassociates.com/us/downloads/updates/hotfixes.asp.
Network Associates Technology, Inc. Web site, Release Notes for McAfee ePolicy Orchestrator Version 2.5.1 Patch 14 at http://download.nai.com/products/patches/ePO/v2.x/Patch14.txt.
Network Associates Technology, Inc. Web site, Release Notes for McAfee ePolicy Orchestrator Version 3.0.2a Patch 4 at http://download.nai.com/products/patches/ePO/v3.0/EPO3024.txt.
BID-10200: McAfee ePolicy Orchestrator Server Remote Code Execution Vulnerability
CVE-2004-0038: McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 allows remote attackers to execute arbitrary commands via certain HTTP POST requests to the spipe/file handler on ePO TCP port 81.

Reported:

Apr 23, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page