ID CVE-2015-0921
Summary XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do.
Vulnerable Configurations
  • McAfee ePolicy Orchestrator 4.6.8
    cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.8
  • McAfee ePolicy Orchestrator 5.0.0
    cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.0
  • McAfee ePolicy Orchestrator 5.0.1
    cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.1
  • McAfee ePolicy Orchestrator 5.1.0
    cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.0
  • McAfee ePolicy Orchestrator 5.1.1
    cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.1
CVSS
Base: 4.0 (as of 06-09-2016 - 08:41)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: SINGLE_INSTANCE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
metasploit via4
description This module will exploit an authenticated XXE vulnerability to read the keystore.properties off of the filesystem. This properties file contains an encrypted password that is set during installation. What is interesting about this password is that it is set as the same password as the database 'sa' user and of the admin user created during installation. This password is encrypted with a static key, and is encrypted using a weak cipher (ECB). By default, if installed with a local SQL Server instance, the SQL Server is listening on all interfaces. Recovering this password allows an attacker to potentially authenticate as the 'sa' SQL Server user in order to achieve remote command execution with permissions of the database process. If the administrator has not changed the password for the initially created account since installation, the attacker will have the password for this account. By default, 'admin' is recommended. Any user account can be used to exploit this; all that is needed is a valid credential. The most data that can be successfully retrieved is 255 characters due to length restrictions on the field used to perform the XXE attack.
id MSF:AUXILIARY/GATHER/MCAFEE_EPO_XXE
last seen 2019-03-24
modified 2018-09-15
published 2015-01-14
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/mcafee_epo_xxe.rb
title McAfee ePolicy Orchestrator Authenticated XXE Credentials Exposure
nessus via4
NASL family Windows
NASL id MCAFEE_EPO_SB10095.NASL
description The version of McAfee ePolicy Orchestrator (ePO) installed on the remote Windows host is 4.x prior to 4.6.9 or 5.x prior to 5.1.2. It is, therefore, affected by multiple vulnerabilities:
  • An XXE (XML External Entity) injection vulnerability exists in the Server Task Log due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. A remote, authenticated attacker, by sending specially crafted XML data via the 'conditionXML' parameter, can gain access to arbitrary files. (CVE-2015-0921)
  • An information disclosure vulnerability exists due to the use of a shared secret key to encrypt password information. A remote attacker with knowledge of the key can decrypt the administrator password. (CVE-2015-0922)
last seen 2019-02-21
modified 2018-11-15
plugin id 81106
published 2015-01-30
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=81106
title McAfee ePolicy Orchestrator 4.x < 4.6.9 / 5.x < 5.1.2 Multiple Vulnerabilities (SB10095)
refmap via4
confirm https://kc.mcafee.com/corporate/index?page=content&id=SB10095
fulldisc
  • 20150106 McAfee ePolicy Orchestrator Authenticated XXE and Credential Exposure
  • 20150112 Re: McAfee ePolicy Orchestrator Authenticated XXE and Credential Exposure
misc
sectrack 1031519
secunia 61922
xf macafee-cve20150921-info-disc(99950)
Last major update 02-01-2017 - 21:59
Published 09-01-2015 - 13:59
Last modified 07-09-2017 - 21:29