Severity.io | CVE-2021-23890

Description

Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in ePO repository and install them on their own machines to have it managed and then in turn get policy details from the ePO server. This can only happen when the ePO Agent Handler is installed in a Demilitarized Zone (DMZ) to service machines not connected to the network through a VPN.

Related CPE's

a mcafee epolicy_orchestrator ********

a mcafee epolicy_orchestrator 5.10.0 -******

a mcafee epolicy_orchestrator 5.10.0 update_1 ******

a mcafee epolicy_orchestrator 5.10.0 update_2 ******

a mcafee epolicy_orchestrator 5.10.0 update_3 ******

a mcafee epolicy_orchestrator 5.10.0 update_4 ******

a mcafee epolicy_orchestrator 5.10.0 update_5 ******

a mcafee epolicy_orchestrator 5.10.0 update_6 ******

a mcafee epolicy_orchestrator 5.10.0 update_7 ******

a mcafee epolicy_orchestrator 5.10.0 update_8 ******

References

https://kc.mcafee.com/corporate/index?page=content&id=SB10352

Vendor Advisory

CvssV3 impact

BaseSeverity	MEDIUM
ConfidentialityImpact	LOW
AttackComplexity	LOW
Scope	UNCHANGED
AttackVector	NETWORK
AvailabilityImpact	NONE
IntegrityImpact	LOW
PrivilegesRequired	NONE
BaseScore	6.5
VectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Version	3.1
UserInteraction	NONE

CvssV2 impact

AccessComplexity	MEDIUM
ConfidentialityImpact	PARTIAL
AvailabilityImpact	NONE
IntegrityImpact	PARTIAL
BaseScore	5.8
VectorString	AV:N/AC:M/Au:N/C:P/I:P/A:N
Version	2.0
AccessVector	NETWORK
Authentication	NONE