Advisory: McAfee ePolicy Orchestrator XML External Entity Expansion in Dashboard

RedTeam Pentesting identified an XML external entity expansion
vulnerability in McAfee ePolicy Orchestrator's (ePO) dashboard feature.
Users with the ability to create new dashboards in the ePO web interface
who exploit this vulnerability can read local files on the ePO server,
including sensitive data like the ePO database configuration.

Details
=======

Product: McAfee ePolicy Orchestrator
Affected Versions: 4.6.7 and below
Fixed Versions: 4.6.7 + hotfix 940148
Vulnerability Type: XML External Entity Expansion
Security Risk: high
Vendor URL: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx
Vendor Status: hotfix released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-001
Advisory Status: public
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

McAfee ePO allows administrators to centrally manage other systems,
including deploying new software and collecting system information.
Dashboards allow privileged users to view statistics and current data
about ePO and associated systems.

More Details
============

Users with access to McAfee ePO's web interface can have the permission
to add new dashboards. Dashboard definitions can be exported as XML data
and also be imported again. A basic XML dashboard definition looks as
follows:

    <dashboard id="1">
      <name>RedTeam Pentesting</name>
      <filteringEnabled>false</filteringEnabled>
    </dashboard>

Importing a dashboard consists of uploading the XML data and confirming
the import afterwards. On the confirmation page, the dashboard's name as
defined in the XML tag "name" is shown. The ePO system allows adding a
user-defined DTD to the XML data and therefore additional entities, which
will be expanded by the system.
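As an added illustration, not part of the advisory and not McAfee's code, the following Python shows how an importer can refuse the failure mode described above: it rejects any DOCTYPE before a single entity is declared, so neither an internal entity nor a SYSTEM entity pointing at a file:/// URL can ever be expanded into the dashboard name. The helpers dashboard_name and is_safe_upload and the two sample documents are constructed for this example.

```python
import xml.parsers.expat

class DtdRejected(ValueError):
    """Raised when an uploaded dashboard definition carries a DTD."""

def dashboard_name(xml_text: str) -> str:
    """Return the <name> of a dashboard definition, refusing any document with a DTD."""
    parser = xml.parsers.expat.ParserCreate()
    path, name_parts = [], []

    # Expat reports the DOCTYPE before any entity declaration is processed,
    # so raising here stops the parse before an entity can be defined or expanded.
    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{doctype_name}' is not allowed in dashboard uploads")
    def start_element(tag, attrs):
        path.append(tag)
    def end_element(tag):
        path.pop()
    def char_data(data):
        if path == ["dashboard", "name"]:  # only text directly inside <dashboard><name>
            name_parts.append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_text, True)
    return "".join(name_parts)

def is_safe_upload(xml_text: str) -> bool:
    """True if the upload is well-formed and carries no DTD, False otherwise."""
    try:
        dashboard_name(xml_text)
    except (DtdRejected, xml.parsers.expat.ExpatError):
        return False
    return True

# Constructed samples: the advisory's basic definition, and the same document
# with the advisory's internal-entity DTD prepended.
BENIGN = """<dashboard id="1">
  <name>RedTeam Pentesting</name>
  <filteringEnabled>false</filteringEnabled>
</dashboard>"""

WITH_DTD = """<?xml version="1.0"?>
<!DOCTYPE dashboard [ <!ENTITY redteam "RedTeam Pentesting Entity"> ]>
<dashboard id="1">
  <name>&redteam;</name>
  <filteringEnabled>false</filteringEnabled>
</dashboard>"""
```

Rejecting the DOCTYPE outright is the simplest hardening for a format that never legitimately needs one; a document using a SYSTEM entity instead of the internal one above is refused at the same point, since the DTD is never read.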
The following example results in a dashboard with the name "RedTeam
Pentesting Entity":

    <?xml version="1.0"?>
    <!DOCTYPE dashboard [
      <!ENTITY redteam "RedTeam Pentesting Entity">
    ]>
    <dashboard id="1">
      <name>&redteam;</name>
      <filteringEnabled>false</filteringEnabled>
    </dashboard>

It is also possible to specify external entities that, for example,
point to local files on the ePO server. The entity will then be expanded
to contain the file's content. This works as long as the file contents
do not make the resulting XML data invalid. Data that cannot be read
includes, for example, binary data or files that themselves contain XML
data. If the entity is used in the dashboard's name, the confirmation
page shown when importing a dashboard displays the contents of the file.
The following example XML data can be uploaded to read the file
C:\boot.ini:

    <?xml version="1.0"?>
    <!DOCTYPE dashboard [
      <!ENTITY redteam SYSTEM "file:///c:/boot.ini">
    ]>
    <dashboard id="1">
      <name>&redteam;</name>
      <filteringEnabled>false</filteringEnabled>
    </dashboard>

It is also possible to get directory listings by using a file URL that
points to a directory, for example the C: drive:

    <!ENTITY redteam SYSTEM "file:///c:/">

Workaround
==========

RedTeam Pentesting is not aware of any workarounds.

Fix
===

McAfee has issued a hotfix[0] for version 4.6.7 that removes the
vulnerability. An upgrade to the newer 5.x branch of the product will
also resolve this problem.

Security Risk
=============

The vulnerability is mitigated by the fact that users already need valid
login credentials for the ePO system and the permission to create
dashboards for a successful exploitation. It is still considered to be
of a high risk potential, however, as it gives attackers the opportunity
to read potentially sensitive file contents on the server.
This includes, for example, ePO's database credentials, which are
typically stored in a file available at a path like the following:

    C:\programs\mcafee\epolicy orchestrator\server\conf\orion\db.properties

The credentials in this file are encrypted with a static key that is
publicly known and included, for example, in Metasploit[1]. Depending on
the actual network structure, it might be possible to use the decrypted
credentials to read and alter the information in the ePO database. This
might lead to a compromise of the clients that are managed by ePO.

Timeline
========

2013-11-20 Vulnerability identified
2013-11-22 Customer decided to coordinate disclosure with vendor
2014-02-14 Vendor replied to customer
2014-02-24 Vendor released hotfix for version 4.6.7 and a public
           Security Bulletin[0]
2014-02-25 Advisory released

References
==========

[0] https://kc.mcafee.com/corporate/index?page=content&id=SB10065
[1] https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/epo_sql.rb

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Through these
tests, security weaknesses in company networks or products are uncovered
and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
                                        Geschäftsführer: Patrick Hof, Jens Liebchen