[NEWS] ePolicy Orchestrator Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 08/04/03
To: list@securiteam.com
Date: 4 Aug 2003 14:06:10 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ePolicy Orchestrator Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.mcafeeb2b.com/products/epolicy/default-desktop-protection.asp>
McAfee Security ePolicy Orchestrator is an enterprise antivirus management
tool. ePolicy Orchestrator is a policy driven deployment and reporting
tool for enterprise administrators to effectively manage their desktop and
server antivirus products.
Three vulnerabilities exist in the ePolicy Server and Agent that allow an
attacker to anonymously execute arbitrary code.
To attack a machine running ePO, an attacker would typically need to be
located within the corporate firewall and be able to connect over the
network to the host they wish to compromise. Once one of the vulnerabilities
is successfully exploited, the attacker can execute arbitrary code under
the privileges used by ePO. SYSTEM is the default.
DETAILS
Vulnerable Systems:
* ePolicy Orchestrator version 2.X and 3.0
The ePolicy Orchestrator (ePO) is built upon a client / server solution
with Agents running on all client hosts. This allows all installation and
administration of antivirus software to be centralized to one host. To
achieve this, ePO relies on three parts:
Server, Agents, and MSDE (to store configuration information).
All services are by default installed to run as SYSTEM on the host and
thus can be used to either elevate local privileges or remotely compromise
the host.
@stake has discovered three different vulnerabilities in the ePO solution.
Two vulnerabilities concern the server and one concerns the agent.
Server Issue #1:
MSDE SA account compromise - This vulnerability applies to ePO 2.X and 3.0
and is divided into three parts that, combined, allow an attacker
to execute code on the host.
Information disclosure - By issuing a properly formatted HTTP request to
the ePO Server, it will respond with the server config file. This config
file contains username and encrypted password for the database
administrator of the MSDE installation.
Weak cryptography implementation - The encrypted password stored in the
ePO Server config file is encrypted with a DES variant and a secret key.
The secret key is stored in a DLL, making decryption of the password an
easy task.
Default MSDE installation - The installation of MSDE is not hardened, so
once the attacker has the database administrator username and password, he
can execute OS commands as SYSTEM through xp_cmdshell.
Server Issue #2:
ComputerList format string vulnerability - This vulnerability applies to
ePO 2.X. Sending a POST request to the Server where the ComputerList
parameter contains a few format characters will cause the service to crash
when it tries to log a failed name resolution. A properly constructed
malicious string containing format string characters will allow the
execution of arbitrary code.
Client Issue #1:
ePO Agent Heap Overflow - This vulnerability applies to ePO 2.X. Sending a
POST request to the Agent where parameters on the URL are substituted by a
large number of A's will cause the service to crash. A properly formatted
request will allow an attacker to overwrite arbitrary data and thus
execute code.
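The two request-level issues above (format characters in the ComputerList POST parameter, and oversized parameter values sent to the Agent) are both visible at the HTTP layer, so a defender can flag such requests in proxy or web-server logs. The following detection heuristic is an added example, not part of the @stake advisory or of ePO itself; the request paths, the parameter name other than ComputerList, and the length threshold are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristics taken from the advisory text:
#  - printf-style format specifiers inside a ComputerList value (Server Issue #2)
#  - very long parameter values, such as runs of "A", sent to the Agent (Client Issue #1)
FORMAT_SPEC = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[diouxXnpscfeEgG]")
MAX_PARAM_LEN = 1024  # assumed threshold; tune to what your ePO deployment really sends


def extract_params(url, body):
    """Collect form parameters from the query string and a urlencoded POST body."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def inspect_request(method, url, body=""):
    """Return a list of (rule, parameter) findings for one HTTP request."""
    findings = []
    if method.upper() != "POST":  # both advisory issues are triggered by POST requests
        return findings
    for name, value in extract_params(url, body):
        if name.lower() == "computerlist" and FORMAT_SPEC.search(value):
            findings.append(("format-string", name))
        if len(value) > MAX_PARAM_LEN:
            findings.append(("oversized-parameter", name))
    return findings


# Constructed sample requests; paths and "AgentParam" are placeholders, not real ePO endpoints.
SAMPLE_REQUESTS = [
    ("POST", "/epo/server?ComputerList=host1%2Chost2", ""),          # benign host list
    ("POST", "/epo/server", "ComputerList=host1%25n%25n%25s"),        # decodes to host1%n%n%s
    ("POST", "/epo/agent?AgentParam=" + "A" * 3000, ""),              # oversized value
    ("GET", "/epo/server?ComputerList=%25n", ""),                     # not a POST, ignored
]


def scan(requests):
    """Map request index -> findings for every request that triggered a rule."""
    results = {}
    for index, request in enumerate(requests):
        findings = inspect_request(*request)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        print(index, SAMPLE_REQUESTS[index][0], SAMPLE_REQUESTS[index][1][:40], findings)
```

The rules only cover the two request shapes the advisory names; the config-file disclosure in Server Issue #1 is not detectable this way because the advisory does not specify the request involved.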
Vendor Status:
NAI has released a bulletin and a patch that resolves these issues.
Bulletin: <http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp>
@stake Recommendation:
When deploying new security products within the enterprise, organizations
should understand the risks that new security solutions may introduce.
Does the service need to be running as the SYSTEM user? Does the service
need to be accessed anonymously from any machine? Usually the answer is
no. Products should be configured to use the least privilege required and
only send and receive network data to the required machines. @stake
recommends installing the vendor patch.
ADDITIONAL INFORMATION
The information has been supplied by Andreas Junestam <andreas@atstake.com>.