CVE-2015-0921
Published: 2015-01-09
Priority: P3
CVSS 2.0: 4.0 (medium), vector AV:N/AC:L/Au:S/C:P/I:N/A:N
Exploit
EPSS: 17.36% (96.7th percentile)
XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mcafee | epolicy_orchestrator | <= 4.6.8 | — |
| mcafee | epolicy_orchestrator | — | — |
| mcafee | epolicy_orchestrator | — | — |
| mcafee | epolicy_orchestrator | — | — |
| mcafee | epolicy_orchestrator | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests targeting the 'orionUpdateTableFilter.do' endpoint, specifically for the 'conditionXML' parameter containing XML external entity declarations (e.g., DOCTYPE or ENTITY keywords).
- Alert on authenticated requests to ePO that attempt to read 'keystore.properties' from the filesystem via XXE, as this file contains an encrypted password reused for the database 'sa' user and the admin account.
- Detect outbound or internal file-read responses from the ePO server that include content consistent with keystore.properties (encrypted credential material), which may indicate successful XXE exploitation.
- Flag any subsequent SQL Server authentication attempts from the ePO host or external IPs using the 'sa' account, which may indicate post-exploitation following credential recovery via this XXE.
- Exploitation requires valid authenticated credentials — any low-privileged ePO user account is sufficient to trigger the XXE.
- The XXE data exfiltration is capped at 255 characters due to field length restrictions, which may truncate recovered credential material.
- The recovered password is encrypted with a static key using weak ECB cipher mode, making offline decryption feasible for an attacker.
- Post-exploitation SQL Server RCE risk is elevated if ePO was installed with a local SQL Server instance, as it listens on all interfaces by default.
- The admin account password is also at risk if the administrator has not changed it since initial installation (default recommendation is 'admin').
No detection rules found.
Bugzilla
CVE-2015-1250 [HIGH] chromium-browser: various unspecified flaws
bugzilla · 2015-04-29 · CVSS 7.5
Various unspecified flaws were found in the Chromium browser.
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_28.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0921 https://rhn.redhat.com/errata/RHSA-2015-0921.html
Bugzilla
CVE-2015-1243 [HIGH] chromium-browser: use-after-free in DOM
bugzilla · 2015-04-29 · CVSS 7.5
An unspecified use-after-free flaw was found in the DOM component of the Chromium browser.
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_28.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0921 https://rhn.redhat.com/errata/RHSA-2015-0921.html
References:
http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html
http://seclists.org/fulldisclosure/2015/Jan/37
http://seclists.org/fulldisclosure/2015/Jan/8
http://secunia.com/advisories/61922
http://www.securitytracker.com/id/1031519
https://exchange.xforce.ibmcloud.com/vulnerabilities/99950
https://gist.github.com/brandonprry/692e553975bf29aeaf2c
https://kc.mcafee.com/corporate/index?page=content&id=SB10095