Overview
McAfee ePolicy Orchestrator versions 4.6.8 and earlier and 5.1.1 and earlier fail to properly validate SSL/TLS certificates.
Description
CWE-295: Improper Certificate Validation - CVE-2015-2859 McAfee ePolicy Orchestrator (ePO) supports integration with external registered servers for a variety of purposes, such as data collection and aggregation. Optionally, ePO can be configured to use SSL/TLS to encrypt communications with registered servers. McAfee ePO fails to verify the signing certificate authority (CA) as well as the common name (CN) or domain name (DN) listed in a certificate. Consequently, these communication links are susceptible to man-in-the-middle interception and spoofing attacks. |
Impact
An attacker can intercept and manipulate HTTPS traffic between the ePO application and registered servers. |
Solution
Apply an update |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.4 | AV:A/AC:M/Au:N/C:C/I:P/A:N |
| Temporal | 5 | E:POC/RL:OF/RC:C |
| Environmental | 5.0 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND |
References
- https://cwe.mitre.org/data/definitions/295.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10120
- https://kc.mcafee.com/corporate/index?page=content&id=KB84628
- https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25856/en_US/EPO_4_6_9_release_notes.pdf
- https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25902/en_US/ePO512ReleaseNotes.pdf
Acknowledgements
Thanks to the reporter who wishes to remain anonymous.
This document was written by Joel Land.
Other Information
| CVE IDs: | CVE-2015-2859 |
| Date Public: | 2015-06-04 |
| Date First Published: | 2015-06-04 |
| Date Last Updated: | 2015-06-05 20:08 UTC |
| Document Revision: | 23 |