McAfee ePolicy Orchestrator versions 4.6.8 and earlier and 5.1.1 and earlier fail to properly validate SSL/TLS certificates.
CWE-295: Improper Certificate Validation - CVE-2015-2859
McAfee ePolicy Orchestrator (ePO) supports integration with external registered servers for a variety of purposes, such as data collection and aggregation. Optionally, ePO can be configured to use SSL/TLS to encrypt communications with registered servers. When it does so, ePO neither verifies that the certificate presented by a registered server chains to a trusted signing certificate authority (CA) nor checks that the host name in the certificate (its common name (CN) or subject alternative name) matches the registered server it intended to reach. Without either check, any certificate presented on the connection is accepted, including a self-signed one from a host interposed on the network path, so these communication links are susceptible to man-in-the-middle interception and spoofing attacks.
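The two missing checks (is the certificate signed by a CA the client trusts, and is it issued for the host the client meant to reach) are easiest to see by exercising them. The following is an added Go example; it is not code from the advisory or from McAfee ePO. It builds a throwaway CA and server certificate in memory for a hypothetical registered-server name (registered-server.example; other-host.example is likewise invented), serves that certificate on loopback, and then connects with a client that skips both checks, as the affected ePO versions do, beside clients that enforce them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// Hypothetical registered-server host name; the advisory names none.
const registeredServer = "registered-server.example"

// Verdict classifies a client handshake outcome.
type Verdict string

const (
	Accepted          Verdict = "accepted"
	RejectedHostname  Verdict = "rejected: host name mismatch"
	RejectedAuthority Verdict = "rejected: untrusted CA"
	RejectedOther     Verdict = "rejected: other error"
)

// must aborts on fixture-generation failures, which have no recovery path here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestPKI builds an in-memory private CA and a leaf certificate for host
// signed by it (constructed test data, not any real deployment's PKI).
func newTestPKI(host string) (tls.Certificate, *x509.CertPool) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, // the name a correct client must match
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}, pool
}

// dial performs a client handshake with cfg and classifies the outcome.
func dial(addr string, cfg *tls.Config) Verdict {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err == nil {
		conn.Close()
		return Accepted
	}
	if hn := (x509.HostnameError{}); errors.As(err, &hn) {
		return RejectedHostname
	}
	if ua := (x509.UnknownAuthorityError{}); errors.As(err, &ua) {
		return RejectedAuthority
	}
	return RejectedOther
}

// RunScenarios serves the test certificate on loopback and dials it with four
// client configurations: the first reproduces the advisory's failure mode, the
// rest show what a verifying client does with the same certificate.
func RunScenarios() (map[string]Verdict, error) {
	leaf, pool := newTestPKI(registeredServer)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{leaf}})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // complete each handshake, then hang up; rejection is the client's call
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	addr := ln.Addr().String()
	strict := func(roots *x509.CertPool, name string) *tls.Config {
		return &tls.Config{RootCAs: roots, ServerName: name, MinVersion: tls.VersionTLS12}
	}
	return map[string]Verdict{
		// CWE-295 pattern: neither chain nor name is checked, so whatever an interposed host presents is accepted.
		"no_validation": dial(addr, &tls.Config{InsecureSkipVerify: true}),
		// Correct: trust only the expected CA and require the expected name.
		"validated": dial(addr, strict(pool, registeredServer)),
		// Trusted CA but a certificate for a different host (a MITM holding some legitimately issued certificate).
		"wrong_name": dial(addr, strict(pool, "other-host.example")),
		// Right name but the signer is absent from the trust store (self-signed or attacker-issued).
		"untrusted_ca": dial(addr, strict(x509.NewCertPool(), registeredServer)),
	}, nil
}
```

Only the first client accepts the certificate regardless of who issued it or whom it names; the others reject the wrong-host and untrusted-CA cases with distinct, checkable errors, which is what a registered-server integration needs before it sends credentials or accepts data over the link. `InsecureSkipVerify: true` is the Go equivalent of the behaviour described above: a client that sets it has to supply its own chain and name verification (for instance in `VerifyPeerCertificate`) or it carries the same weakness.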
An attacker who can place a host on the network path between ePO and a registered server can intercept, read and manipulate the HTTPS traffic between them, and can impersonate the registered server to the ePO application.
Apply an update. Upgrade affected installations (ePO 4.6.8 and earlier, and 5.1.1 and earlier) to a release from McAfee in which this issue is fixed. Until the update is applied, treat the links between ePO and its registered servers as unauthenticated and keep them on network paths an attacker cannot reach, since the application itself cannot detect a spoofed server.
Thanks to the reporter who wishes to remain anonymous.
This document was written by Joel Land.
Date First Published: 2015-06-04
Date Last Updated: 2015-06-05 20:08 UTC