McAfee has created fixes for its ePolicy Orchestrator (ePO) versions 4.5.6 and earlier and 4.6.5 and earlier, which are vulnerable to remote code execution and file path traversal, a security advisory said.
ePO is McAfee’s security management platform for managing and automating security workflows and compliance. McAfee’s current version, ePO 5.0, does not suffer from these issues.
The software contains two vulnerabilities, both of which can be exploited by registering a rogue agent on the ePO server and then sending a maliciously crafted request.
In one, the request exploits a SQL injection flaw in the Agent-Handler component to execute code with system privileges. In the other, the request abuses the file upload process to write files into directories on the server, including the /Software/ folder, from which other systems may then download them.
McAfee released ePO 4.6.6 to correct the problem in the 4.6 branch and published a hotfix for version 4.5.5.
The company said it plans to release version 4.5.7, which will incorporate the fixes for the vulnerabilities, in mid-May.
To access the downloadable patches, users should go to the McAfee downloads page and enter their “McAfee grant number.” They should then select “View Available Downloads,” then “McAfee ePolicy Orchestrator” and, finally, the “Patches” tab.