Executive Summary

Summary
Title McAfee ePolicy Orchestrator fails to properly validate SSL/TLS certificates
Informations
Name VU#264092 First vendor Publication 2015-06-04
Vendor VU-CERT Last vendor Modification 2015-06-05
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Cvss Base Score 5.8 Attack Range Network
Cvss Impact Score 4.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#264092

McAfee ePolicy Orchestrator fails to properly validate SSL/TLS certificates

Original Release date: 04 Jun 2015 | Last revised: 05 Jun 2015

Overview

McAfee ePolicy Orchestrator versions 4.6.8 and earlier and 5.1.1 and earlier fail to properly validate SSL/TLS certificates.

Description

CWE-295: Improper Certificate Validation -CVE-2015-2859

McAfee ePolicy Orchestrator (ePO) supports integration with external registered servers for a variety of purposes, such as data collection and aggregation. Optionally, ePO can be configured to use SSL/TLS to encrypt communications with registered servers. McAfee ePO fails to verify the signing certificate authority (CA) as well as the common name (CN) or domain name (DN) listed in a certificate. Consequently, these communication links are susceptible to man-in-the-middle interception and spoofing attacks.

For more information, refer to McAfee's security bulletin SB10120.

Impact

An attacker can intercept and manipulate HTTPS traffic between the ePO application and registered servers.

Solution

Apply an update

McAfee has released versions 4.6.9 and 5.1.2 to address this and other issues. Users are encouraged to upgrade to the latest version available and should refer to the vendor's Knowledge Base KB84628 article specifying additional steps that are required to enforce certificate validation.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
McAfeeAffected22 Dec 201405 Jun 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base6.4AV:A/AC:M/Au:N/C:C/I:P/A:N
Temporal5.0E:POC/RL:OF/RC:C
Environmental5.0CDP:N/TD:H/CR:ND/IR:ND/AR:ND

References

  • https://cwe.mitre.org/data/definitions/295.html
  • https://kc.mcafee.com/corporate/index?page=content&id=SB10120
  • https://kc.mcafee.com/corporate/index?page=content&id=KB84628
  • https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25856/en_US/EPO_4_6_9_release_notes.pdf
  • https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25902/en_US/ePO512ReleaseNotes.pdf

Credit

Thanks to the reporter who wishes to remain anonymous.

This document was written by Joel Land.

Other Information

  • CVE IDs:CVE-2015-2859
  • Date Public:04 Jun 2015
  • Date First Published:04 Jun 2015
  • Date Last Updated:05 Jun 2015
  • Document Revision:22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/264092

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-310 Cryptographic Issues

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 22

Information Assurance Vulnerability Management (IAVM)

Date Description
2015-07-30 IAVM : 2015-A-0180 - Multiple Vulnerabilities in McAfee ePO
Severity : Category I - VMSKEY : V0061149

Nessus® Vulnerability Scanner

Date Description
2015-07-31 Name : A security management application running on the remote host is affected by a...
File : mcafee_epo_sb10120.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
Date Informations
2015-08-12 13:33:40
  • Multiple Updates
2015-06-24 21:29:28
  • Multiple Updates
2015-06-24 05:30:06
  • Multiple Updates
2015-06-06 00:25:17
  • Multiple Updates
2015-06-04 21:23:04
  • First insertion