Intel Security has fixed a critical vulnerability in its McAfee ePolicy Orchestrator (ePO) centralized security management product. Researchers warn that the flaw is ideal for profiling the users and infrastructure of an organization.
The flaw, tracked as CVE-2016-8027 and assigned a CVSS score of 10.0, is a blind SQL injection discovered by a member of the Cisco Talos Vulnerability Development Team. The security hole can be triggered using specially crafted HTTP POST requests and it allows an unauthenticated attacker to obtain information from the application database.
McAfee ePO allows organizations to manage their security policies from a central console. The solution requires the deployment of agents on each endpoint, and these agents communicate over a proprietary protocol known as SPIPE.
The vulnerable component is in the application server and it can be reached directly via the administration console or over SPIPE. Researchers warned that exploitation of the flaw can also allow attackers to impersonate an agent, which can reveal information related to that agent.
“Vulnerabilities like this can allow deep insight into the organisation without an attacker requiring any privileged access to centralised platforms such as Active Directory, with this access an attacker can profile users and the infrastructure passively,” Talos researchers said in a blog post.
The security hole affects McAfee ePO version 5.1.3 and earlier, and 5.3.2 and earlier. Intel Security has released hotfixes to address the vulnerability. While the vendor says there are no mitigations or workarounds, Talos believes attacks can be prevented by limiting access to port 8443.
Cisco has published technical details on the vulnerability and Intel Security has released an advisory with information on affected versions and patches.
It’s not uncommon for researchers to find vulnerabilities in enterprise security products. Serious flaws have also been identified in solutions from Symantec, FireEye, Kaspersky, Sophos and several other vendors.