McAfee ePolicy Orchestrator HTTP GET Request Remote Format String
Remote / Network Access,
Local / Remote,
Loss of Integrity
Network Associates ePolicy Orchestrator contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the way the software handles network requests. If an attacker supplies a specially crafted GET request format string they may be able to execute arbitrary code with SYSTEM privileges or crash the service.
Currently, there are no known workarounds or upgrades to correct this issue. However, Network Associates has released a patch to address this vulnerability.
The discovery of this vulnerability has been credited to @stake.
McAfee ePolicy Orchestrator 2.5.1
A format string vulnerability has been discovered in the McAfee ePolicy Orchestrator Agent. The issue occurs when processing HTTP GET requests that contain format specifiers. The successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands with SYSTEM privileges.
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.
It has been reported that a patch for this issue has been developed. Information on how to obtain this fix is available in the attached @stake advisory.