Vulnerability Note VU#264092
McAfee ePolicy Orchestrator fails to properly validate SSL/TLS certificates
McAfee ePolicy Orchestrator versions 4.6.8 and earlier and 5.1.1 and earlier fail to properly validate SSL/TLS certificates.
CWE-295: Improper Certificate Validation - CVE-2015-2859
McAfee ePolicy Orchestrator (ePO) supports integration with external registered servers for a variety of purposes, such as data collection and aggregation. Optionally, ePO can be configured to use SSL/TLS to encrypt communications with registered servers. McAfee ePO fails to verify the signing certificate authority (CA) as well as the common name (CN) or domain name (DN) listed in a certificate. Consequently, these communication links are susceptible to man-in-the-middle interception and spoofing attacks.
An attacker can intercept and manipulate HTTPS traffic between the ePO application and registered servers.
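The two checks named in the description (issuing CA and certificate name) are independent settings in most TLS client libraries, and a client can silently skip either one. The following is an added example, not McAfee's code and not part of the original note: it uses Python's standard `ssl` module to put a context with both checks disabled beside a strict one, and refuses to connect through a context that skips either check. The function names and the audit-before-connect pattern are illustrative assumptions.

```python
import socket
import ssl


def weak_context():
    """Client context with the flaw class described above: no CA check, no name check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from any issuer, is accepted
    return ctx


def strict_context(cafile=None):
    """Client context that validates the chain and the peer name.

    cafile is an optional PEM bundle (e.g. an internal CA); None uses the system store.
    """
    return ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname


def missing_checks(ctx):
    """Return which of the two validation steps this context would skip."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("issuing CA not verified")
    if not ctx.check_hostname:
        gaps.append("certificate name not matched to host")
    return gaps


def open_verified(host, port, ctx, timeout=5.0):
    """Connect only if the context enforces both checks; otherwise fail closed."""
    gaps = missing_checks(ctx)
    if gaps:
        raise ValueError("refusing unauthenticated TLS: " + "; ".join(gaps))
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        # server_hostname drives both SNI and the name comparison
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```

A context with `CERT_REQUIRED` but `check_hostname` disabled still accepts any certificate issued by a trusted CA for any name, which is why `missing_checks` reports the two conditions separately.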
Apply an update
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|--------|--------|---------------|--------------|
| McAfee | Affected | 22 Dec 2014 | 05 Jun 2015 |
Thanks to the reporter who wishes to remain anonymous.
This document was written by Joel Land.
- CVE IDs: CVE-2015-2859
- Date Public: 04 Jun 2015
- Date First Published: 04 Jun 2015
- Date Last Updated: 05 Jun 2015
- Document Revision: 22