CVE-2016-8027
Published 2017-03-14
Priority P258 · CVSS 3.0: 10.0 Critical
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS 5.75% (92.1st percentile)
SQL injection vulnerability in core services in Intel Security McAfee ePolicy Orchestrator (ePO) 5.3.2 and earlier and 5.1.3 and earlier allows attackers to alter a SQL query, which can result in disclosure of information within the database or impersonation of an agent without authentication via a specially crafted HTTP post.
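A toy model of the flaw described above, added here as an example and not code from ePO or from the Talos advisory: an AgentGUID taken from the request body is spliced into a SQL query, so a crafted value either resolves to some other agent (impersonation) or turns the server's accept/reject decision into a yes/no oracle for blind extraction. The table, column names, row values and the accept/reject logic are assumptions made for illustration; SQLite stands in for ePO's SQL Server backend.

```python
"""Added example, not ePO or Talos code: how an unsanitized AgentGUID interpolated
into SQL enables agent impersonation and boolean-based blind extraction.
Schema, rows and the accept/reject logic are invented; SQLite stands in for
SQL Server."""
import sqlite3
import string


def make_db():
    """Constructed sample data: two agents known to the (hypothetical) server."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE agents (AgentGUID TEXT PRIMARY KEY, NodeName TEXT, LastUpdate TEXT)"
    )
    db.executemany(
        "INSERT INTO agents VALUES (?, ?, ?)",
        [
            ("{11111111-1111-1111-1111-111111111111}", "DC01", "2017-01-10"),
            ("{22222222-2222-2222-2222-222222222222}", "FILESRV", "2017-01-11"),
        ],
    )
    return db


def resolve_agent_vulnerable(db, agent_guid):
    """Map the supplied AgentGUID to an agent.
    VULNERABLE: the untrusted value is spliced into the SQL text."""
    sql = f"SELECT NodeName FROM agents WHERE AgentGUID = '{agent_guid}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def resolve_agent_fixed(db, agent_guid):
    """FIXED: bind the GUID as a parameter so it can only ever match literally."""
    row = db.execute(
        "SELECT NodeName FROM agents WHERE AgentGUID = ?", (agent_guid,)
    ).fetchone()
    return row[0] if row else None


def accept_message(db, agent_guid, resolver=resolve_agent_vulnerable):
    """The only thing an unauthenticated caller observes: accepted or rejected.
    That single bit is what makes the injection 'blind'."""
    return resolver(db, agent_guid) is not None


def blind_extract(db, position, alphabet=string.ascii_uppercase + string.digits):
    """Recover one character of the second agent's NodeName through the
    accept/reject oracle: one yes/no question per candidate character."""
    for ch in alphabet:
        probe = (
            "' OR substr((SELECT NodeName FROM agents ORDER BY AgentGUID "
            f"LIMIT 1 OFFSET 1), {position}, 1) = '{ch}' -- "
        )
        if accept_message(db, probe):
            return ch
    return None  # no candidate matched (past the end of the string)


if __name__ == "__main__":
    db = make_db()
    # Impersonation: a crafted GUID resolves to DC01 without knowing its GUID.
    print(resolve_agent_vulnerable(db, "' OR NodeName = 'DC01' -- "))
    print(resolve_agent_fixed(db, "' OR NodeName = 'DC01' -- "))
    # Blind extraction of the second agent's name, one character at a time.
    print("".join(blind_extract(db, i) or "" for i in range(1, 8)))
```

The parameterized resolver treats the same payload as a literal GUID string and rejects it. Against SQL Server the time-based variant of the same oracle would use WAITFOR DELAY, which is why the detection guidance below also watches response latency.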
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mcafee | epolicy_orchestrator | 5.1.0 – 5.1.3 | — |
| mcafee | epolicy_orchestrator | 5.3.0 – 5.3.2 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP POST requests to /dcRedirect/dataChannelMsg.dc, the unauthenticated entry point that forwards to the vulnerable DataChannel servlet without requiring authentication.
- Inspect the POST body of requests to /dcRedirect/dataChannelMsg.dc for SQL metacharacters or injection payloads in the AgentGUID field; this field is unsanitized and interpolated directly into a SQL query.
- Apply the Snort rules published by Talos (via FireSIGHT Management Center or Snort.org) for TALOS-2016-0229 / CVE-2016-8027.
- The vulnerability is a blind SQL injection, so detection should also look for time-delay anomalies in response latency, and for differential (boolean-style) responses, correlated with POST requests to the DataChannel redirect endpoint on port 8443.
- The unauthenticated attack surface exists only because the redirect servlet (/dcRedirect/dataChannelMsg.dc) forwards to the protected servlet (/receiveDataChannelMsg.dcp) without enforcing authentication; both endpoints must be considered in scope for detection.
- Port 8443 is the default Tomcat port for ePO; non-default deployments may use a different port, and detection rules must be adjusted accordingly.
- The vulnerability is reachable both via the SPIPE agent communication protocol (through the Apache load balancer) and directly via the Tomcat console, so network-layer filtering of SPIPE alone is insufficient to block exploitation.
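The IOCs above, turned into a small heuristic detector and run over a few constructed request records. This is an added example, not code from the page, Talos or McAfee: the paths, the port and the AgentGUID field come from the IOCs, while the record layout, the form-encoded body, the 5-second latency threshold and the list of SQL markers are assumptions.

```python
"""Added example (not from the page, Talos or McAfee): a heuristic detector for
CVE-2016-8027 exploitation attempts, applied to constructed HTTP request
records. Record layout, timing threshold and SQL-marker list are assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Both servlets are in scope: the unauthenticated redirect and its target.
WATCHED_PATHS = {"/dcRedirect/dataChannelMsg.dc", "/receiveDataChannelMsg.dcp"}
DEFAULT_EPO_TOMCAT_PORT = 8443  # adjust for non-default deployments
SLOW_RESPONSE_MS = 5000         # assumed threshold for time-based blind probes

# ePO stores its data in Microsoft SQL Server, so WAITFOR DELAY is the natural
# time-based primitive; the rest are generic boolean/stacked-query markers.
SQLI_MARKERS = re.compile(
    r"'|--|;|/\*|\bOR\b|\bAND\b|\bUNION\b|\bSELECT\b|\bWAITFOR\s+DELAY\b",
    re.IGNORECASE,
)
# A well-formed agent GUID: 8-4-4-4-12 hex digits, braces optional.
GUID_SHAPE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")


@dataclass
class Request:
    method: str
    port: int
    path: str
    body: str        # application/x-www-form-urlencoded (assumed encoding)
    elapsed_ms: int  # server-side processing time from the access log


def classify(req, port=DEFAULT_EPO_TOMCAT_PORT):
    """Return the reasons this request looks like an attack on the DataChannel servlet."""
    reasons = []
    if req.method != "POST" or req.port != port or req.path not in WATCHED_PATHS:
        return reasons
    guid = parse_qs(req.body).get("AgentGUID", [""])[0]
    if guid and not GUID_SHAPE.match(guid):
        reasons.append("AgentGUID is not a well-formed GUID")
    if SQLI_MARKERS.search(guid):
        reasons.append("SQL metacharacters in AgentGUID")
    if req.elapsed_ms >= SLOW_RESPONSE_MS:
        reasons.append("slow response consistent with time-based blind injection")
    return reasons


def scan(requests, port=DEFAULT_EPO_TOMCAT_PORT):
    """Run classify over a batch and keep only the suspicious records."""
    hits = []
    for i, req in enumerate(requests):
        reasons = classify(req, port)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records (not real traffic).
SAMPLE_REQUESTS = [
    # 0: ordinary DataChannel message with a well-formed GUID
    Request("POST", 8443, "/dcRedirect/dataChannelMsg.dc",
            "AgentGUID=%7B5E2A0B1C-3D4E-4F60-8A7B-9C0D1E2F3A4B%7D&Msg=ping", 110),
    # 1: boolean-based probe through the unauthenticated redirect servlet
    Request("POST", 8443, "/dcRedirect/dataChannelMsg.dc",
            "AgentGUID=x%27%20OR%201%3D1--", 130),
    # 2: time-based probe sent straight to the protected servlet
    Request("POST", 8443, "/receiveDataChannelMsg.dcp",
            "AgentGUID=x%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--", 5210),
    # 3: unrelated GET to the console root
    Request("GET", 8443, "/", "", 40),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_REQUESTS):
        print(index, SAMPLE_REQUESTS[index].path, "->", "; ".join(reasons))
```

Run it against an access log that records request bodies (or against a proxy/WAF log); pass `port=` to `scan` when ePO's Tomcat listens on a non-default port, and remember that SPIPE traffic through the Apache load balancer reaches the same servlet, so the log source must cover both paths.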
CVSS provenance
nvdv3.010.0CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No public exploits indexed.
Talos · blogs_talos · 2017-02-02 · CVSS 10.0 [CRITICAL]
Vulnerability Spotlight - McAfee ePolicy Orchestrator DataChannel Blind SQL Injection Vulnerability
Talos is today disclosing TALOS-2016-0229 / CVE-2016-8027. This is an exploitable blind SQL injection vulnerability that exists within McAfee's ePolicy Orchestrator 5.3.0 and is accessible without user authentication. A specially crafted HTTP POST can allow an attacker to alter a SQL query, which can result in information disclosure from within the database, or can allow the impersonation of a McAfee agent, which could reveal specific information related to that McAfee agent. An attacker can use any HTTP client to trigger this vulnerability.
McAfee have published their advisory for this vulnerability here.
McAfee's ePolicy Orchestrator is a centralized security management suite that is used to manage McAfee Antivirus security policies throughout an organisation. This type of software can some