Network Associates Security Advisory April 22, 2004
Overview
Today, April 22 2004 8.00am PST, Network Associates released a patch which addresses a
vulnerability identified within McAfee ePolicy Orchestrator (ePO). As of the writing of this security
bulletin, no known exploit code exists to take advantage of this vulnerability. However, we
strongly urge all users to implement the recommendations listed below as soon as possible.
Summary of Vulnerability
CAN-2004-0038 McAfee Security ePolicy Orchestrator Remote Command Execution Vulnerability
Summary: A remote attacker can create arbitrary files, with attacker-specified contents, on a
vulnerable version of the ePO server by sending a specially-crafted HTTP request. In certain
environments it may also be possible to use this vulnerability to push out, and execute, arbitrary
code on systems managed by ePO.
Products affected:
McAfee ePolicy Orchestrator 2.5
McAfee ePolicy Orchestrator 2.5.1
McAfee ePolicy Orchestrator 3.0 up to and including Patch 2
Note: Previous versions may also be affected
Recommendations
To address the above vulnerability, Network Associates strongly recommends customers
download and apply the following patches, for their respective version of ePolicy Orchestrator, as
soon as possible.
ePolicy Orchestrator 2.5 and 2.5.1
ePolicy Orchestrator 2.5.1 Patch 14 (Please note all ePolicy Orchestrator 2.5 customers
would need to upgrade to 2.5.1 Patch 14)
ePolicy Orchestrator 3.x
ePolicy Orchestrator 3.0.2a Patch 4 (Please note all ePolicy Orchestrator 3.x customers must
upgrade to ePO 3.0.2a before applying Patch 4)
These patches are available at:
Knowledge base article NAI36850 also discusses this issue and is available at
Please note it is no longer necessary to log in to Service Portal to search our KnowledgeBase;
just click the 'Knowledge' link on the left menu.
Disclaimer: The information provided in this bulletin is intended to address a particular security issue or incident and is
provided as a service to our customers. Such information is provided "as is" without warranty of any kind, express or
implied. Readers should consult Network Associates' Technical Support regarding any questions related to the contents
of this document. Although Network Associates believes the information provided in this security bulletin to be accurate at
the time of printing, we reserve the right to modify, update, retract or otherwise change the information contained herein
for any reason, and without notice.
Acknowledgements
Network Associates wishes to acknowledge Ben Layer of the ISS X-Force for the discovery and
research of this vulnerability and for working with us to protect our customers.