SecurityTracker.com

Category:   Application (Security)  >   McAfee ePolicy Orchestrator
Vendors:   McAfee
McAfee ePolicy Orchestrator SSL/TLS Certificate Validation Flaw Lets Remote Users Conduct Man-in-the-Middle Attacks
SecurityTracker Alert ID:  1032571
SecurityTracker URL:  http://securitytracker.com/id/1032571
CVE Reference:   CVE-2015-2859
Date:  Jun 12 2015
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.6.8 and prior, 5.1.1 and prior, 5.3.0
Description:   A vulnerability was reported in McAfee ePolicy Orchestrator. A remote user can conduct man-in-the-middle attacks to obtain or modify data.

The system does not verify the certificate authority (CA), common name (CN), or domain name (DN) for SSL/TLS certificates. A remote user with the ability to conduct a man-in-the-middle attack can spoof servers and obtain or modify data being communicated.

Communications between the web server and SQL server and between the Agent Handler and SQL server are affected.

The original advisory is available at:

https://kc.mcafee.com/corporate/index?page=content&id=SB10120

An anonymous researcher reported this vulnerability via US-CERT.

Impact:   A remote user with the ability to conduct a man-in-the-middle attack can spoof servers and obtain or modify data being communicated.
Solution:   The vendor has issued a fix (5.3.0). Patches are also available for versions 4.6.9 and 5.1.2.

The vendor's advisory is available at:

https://kc.mcafee.com/corporate/index?page=content&id=SB10120

Vendor URL:  kc.mcafee.com/corporate/index?page=content&id=SB10120
Cause:   Authentication error
Underlying OS:  Windows (Any)

Message History:   None.



Copyright 2019, SecurityGlobal.net LLC