ePolicy Orchestrator Multiple Vulnerabilities
#1
ePolicy Orchestrator Multiple Vulnerabilities
http://www.securiteam.com/securitynews/5UP020UAUQ.html
Summary
McAfee Security ePolicy Orchestrator is an enterprise antivirus management tool. ePolicy Orchestrator is a policy driven deployment and reporting tool for enterprise administrators to effectively manage their desktop and server antivirus products.
Three vulnerabilities exist in the ePolicy Server and Agent that allows an attacker to anonymously execute arbitrary code.
To attack a machine running ePO, an attacker would typically need to be located within the corporate firewall and be able to connect over the network to the host they wish to compromise. Once one of the vulnerability is successfully exploited, the attacker can execute arbitrary code under the privileges used by ePO. SYSTEM is the default.
Details
Vulnerable Systems:
* ePolicy Orchestrator version 2.X and 3.0
The ePolicy Orchestrator (ePO) is built upon a client / server solution with Agents running on all client hosts. This allows all installation and administration of antivirus software to be centralized to one host. To achieve this, ePO relies on three parts:
Server, Agents, and MSDE (to store configuration information).
All services are by default installed to run as SYSTEM on the host and thus can be used to either elevate local privileges or remotely compromise the host.
@stake has discovered 3 different vulnerabilities in the ePO solution. 2 vulnerabilities concern the server and 1 concerns the agent.
Server Issue #1:
MSDE SA account compromise - This vulnerability applies to ePO 2.X and 3.0 and is divided up into 3 different parts, that combined allows an attacker to execute code on the host.
Information disclosure - By issuing a properly formatted HTTP request to the ePO Server, it will respond with the server config file. This config file contains username and encrypted password for the database administrator of the MSDE installation.
Weak cryptography implementation - The encrypted password stored in the ePO Server config file is encrypted with a DES variant and a secret key. The secret key is stored in a DLL, making decryption of the password an easy task.
Default MSDE installation - The installation of MSDE is not hardened, so once the attacker has the database administrator username and password, he can execute OS commands as SYSTEM through xp_cmdshell.
Server Issue #2:
ComputerList format string vulnerability - This vulnerability applies to ePO 2.X. Sending a POST request to the Server where the ComputerList parameter contains a few format characters will cause the service to crash when it tries to log a failed name resolution. A properly constructed malicious string containing format string characters will allow the execution of arbitrary code.
Client Issue #1:
ePO Agent Heap Overflow - This vulnerability applies to ePO 2.X. Sending a POST request to the Agent where parameters on the URL are substituted by a large number of A's will cause the service to crash. A properly formatted request will allow an attacker to overwrite arbitrary data and thus execute code.
Vendor Status:
NAI has released a bulletin and a patch that resolves these issues. Bulletin: http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp
@stake Recommendation:
When deploying new security products within the enterprise, organizations should understand the risks that new security solutions may introduce. Does the service need to be running as the SYSTEM user? Does the service need to be accessed anonymously from any machine? Usually the answer is no. Products should be configured to use the least privilege required and only send and receive network data to the required machines. @stake recommends installing the vendor patch.
http://www.securiteam.com/securitynews/5UP020UAUQ.html
Summary
McAfee Security ePolicy Orchestrator is an enterprise antivirus management tool. ePolicy Orchestrator is a policy driven deployment and reporting tool for enterprise administrators to effectively manage their desktop and server antivirus products.
Three vulnerabilities exist in the ePolicy Server and Agent that allows an attacker to anonymously execute arbitrary code.
To attack a machine running ePO, an attacker would typically need to be located within the corporate firewall and be able to connect over the network to the host they wish to compromise. Once one of the vulnerability is successfully exploited, the attacker can execute arbitrary code under the privileges used by ePO. SYSTEM is the default.
Details
Vulnerable Systems:
* ePolicy Orchestrator version 2.X and 3.0
The ePolicy Orchestrator (ePO) is built upon a client / server solution with Agents running on all client hosts. This allows all installation and administration of antivirus software to be centralized to one host. To achieve this, ePO relies on three parts:
Server, Agents, and MSDE (to store configuration information).
All services are by default installed to run as SYSTEM on the host and thus can be used to either elevate local privileges or remotely compromise the host.
@stake has discovered 3 different vulnerabilities in the ePO solution. 2 vulnerabilities concern the server and 1 concerns the agent.
Server Issue #1:
MSDE SA account compromise - This vulnerability applies to ePO 2.X and 3.0 and is divided up into 3 different parts, that combined allows an attacker to execute code on the host.
Information disclosure - By issuing a properly formatted HTTP request to the ePO Server, it will respond with the server config file. This config file contains username and encrypted password for the database administrator of the MSDE installation.
Weak cryptography implementation - The encrypted password stored in the ePO Server config file is encrypted with a DES variant and a secret key. The secret key is stored in a DLL, making decryption of the password an easy task.
Default MSDE installation - The installation of MSDE is not hardened, so once the attacker has the database administrator username and password, he can execute OS commands as SYSTEM through xp_cmdshell.
Server Issue #2:
ComputerList format string vulnerability - This vulnerability applies to ePO 2.X. Sending a POST request to the Server where the ComputerList parameter contains a few format characters will cause the service to crash when it tries to log a failed name resolution. A properly constructed malicious string containing format string characters will allow the execution of arbitrary code.
Client Issue #1:
ePO Agent Heap Overflow - This vulnerability applies to ePO 2.X. Sending a POST request to the Agent where parameters on the URL are substituted by a large number of A's will cause the service to crash. A properly formatted request will allow an attacker to overwrite arbitrary data and thus execute code.
Vendor Status:
NAI has released a bulletin and a patch that resolves these issues. Bulletin: http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp
@stake Recommendation:
When deploying new security products within the enterprise, organizations should understand the risks that new security solutions may introduce. Does the service need to be running as the SYSTEM user? Does the service need to be accessed anonymously from any machine? Usually the answer is no. Products should be configured to use the least privilege required and only send and receive network data to the required machines. @stake recommends installing the vendor patch.
Thread
Thread Starter
Forum
Replies
Last Post