CVE-2016-8027
published 2017-03-14

CVE-2016-8027: SQL injection in core services of Intel Security McAfee ePolicy Orchestrator (ePO)

Priority: P2
CVSS 3.0: 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 5.75% (percentile 92.1)
SQL injection vulnerability in core services in Intel Security McAfee ePolicy Orchestrator (ePO) 5.3.2 and earlier and 5.1.3 and earlier allows attackers to alter a SQL query, which can result in disclosure of information within the database or impersonation of an agent without authentication via a specially crafted HTTP post.

Affected (2 ranges)

Vendor   Product                Version range   Fixed in
mcafee   epolicy_orchestrator   5.1.0 - 5.1.3   not listed
mcafee   epolicy_orchestrator   5.3.0 - 5.3.2   not listed

Detection & IOCs (extracted from sources)

url: https://<host>/dcRedirect/dataChannelMsg.dc
url: https://<host>/receiveDataChannelMsg.dcp
port: 8443
path: /dcRedirect/dataChannelMsg.dc
path: /receiveDataChannelMsg.dcp
  • Monitor for unauthenticated HTTP POST requests to /dcRedirect/dataChannelMsg.dc: this redirect servlet is the unauthenticated entry point that forwards to the vulnerable DataChannel servlet.
  • Inspect the POST body of requests to /dcRedirect/dataChannelMsg.dc for SQL metacharacters or injection payloads in the AgentGUID field; that field is unsanitized and interpolated directly into a SQL query.
  • Apply the Snort rules from Talos (FireSIGHT Management Center or Snort.org) written for this vulnerability; Talos published dedicated rules under TALOS-2016-0229 / CVE-2016-8027.
  • The vulnerability is a blind SQL injection, so the response body carries no data: detection should also look for time-delay or boolean-based anomalies, such as unusually slow database responses correlated with POST requests to the DataChannel redirect endpoint on port 8443.
  • The unauthenticated attack surface exists only because the redirect servlet (/dcRedirect/dataChannelMsg.dc) forwards to the protected servlet (/receiveDataChannelMsg.dcp) without enforcing authentication; both endpoints must be in scope for detection.
  • Port 8443 is the default Tomcat port for ePO; non-default deployments may use a different port, and detection rules must be adjusted accordingly.
  • The vulnerability is reachable both through the SPIPE agent communication protocol (via the Apache load balancer) and directly through the Tomcat console, so network-layer filtering of SPIPE alone is insufficient to block exploitation.
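The detection guidance above as working code, added here as an illustration and not code from McAfee, NVD or Talos: a small Python analyzer that takes request records of the kind a reverse proxy, WAF or packet capture would hand you, scopes them to the two DataChannel paths on the configured Tomcat port, flags unauthenticated POSTs to the redirect servlet, inspects the AgentGUID value for SQL metacharacters, and flags the slow responses a time-based blind injection produces. The request records are constructed for the demo; the two AgentGUID encodings it parses (a form field and an XML element) and the GUID shape it expects are assumptions about the message format, not something this page states.

```python
"""Detection heuristics for CVE-2016-8027 (ePO DataChannel SQL injection).

Added example, not vendor or Talos code. Request records are constructed
for the demo; the AgentGUID encodings handled (form field or XML element)
and the expected GUID shape are assumptions about the body format.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Both the unauthenticated redirect servlet and the servlet it forwards to
# are in scope: the redirect is what makes the bug reachable before login.
REDIRECT_PATH = "/dcRedirect/dataChannelMsg.dc"
DATACHANNEL_PATHS = {REDIRECT_PATH, "/receiveDataChannelMsg.dcp"}
DEFAULT_EPO_PORT = 8443  # default Tomcat console port; override per deployment

# SQL metacharacters and keywords that have no business inside a GUID.
SQL_META = re.compile(
    r"""['";]|--|/\*|\b(?:or|and|union|select|waitfor|delay|sleep|benchmark)\b""",
    re.IGNORECASE,
)
# Canonical GUID, optionally brace-wrapped (assumption about AgentGUID shape).
GUID_SHAPE = re.compile(
    r"^\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.IGNORECASE
)
# AgentGUID as a URL-encoded form field or as an XML element (assumed encodings).
AGENTGUID_PATTERNS = (
    re.compile(r"(?:^|&)AgentGUID=([^&]*)", re.IGNORECASE),
    re.compile(r"<AgentGUID>(.*?)</AgentGUID>", re.IGNORECASE | re.DOTALL),
)
SEVERITY_RANK = {"ok": 0, "watch": 1, "alert": 2}


@dataclass
class Request:
    method: str
    dst_port: int
    path: str
    authenticated: bool  # request carried a valid ePO session or credential
    body: str
    response_ms: int = 0  # server response time, for time-based blind SQLi


def extract_agent_guid(body):
    """Return the decoded AgentGUID value from the body, or None if absent."""
    for pat in AGENTGUID_PATTERNS:
        m = pat.search(body)
        if m:
            return unquote_plus(m.group(1)).strip()
    return None


def analyze(req, epo_port=DEFAULT_EPO_PORT, slow_ms=5000):
    """Return a list of (severity, reason) findings; empty list means benign."""
    findings = []
    if req.dst_port != epo_port or req.path not in DATACHANNEL_PATHS:
        return findings  # not the DataChannel surface at all
    if req.method.upper() == "POST" and not req.authenticated and req.path == REDIRECT_PATH:
        findings.append(("watch", "unauthenticated POST to DataChannel redirect servlet"))
    guid = extract_agent_guid(req.body)
    if guid is not None:
        if SQL_META.search(guid):
            findings.append(("alert", f"SQL metacharacters in AgentGUID: {guid!r}"))
        elif not GUID_SHAPE.match(guid):
            findings.append(("alert", f"AgentGUID is not GUID-shaped: {guid!r}"))
    # Blind SQLi returns no data; a time-based payload shows up as an unusually
    # slow answer on this endpoint (ePO's backend is SQL Server, so WAITFOR DELAY
    # is the usual primitive).
    if req.response_ms >= slow_ms:
        findings.append(("alert", f"slow response ({req.response_ms} ms) on DataChannel endpoint"))
    return findings


def verdict(req, **kwargs):
    """Highest severity among the findings for one request."""
    return max((sev for sev, _ in analyze(req, **kwargs)), key=SEVERITY_RANK.get, default="ok")


# Constructed sample traffic (not real captures).
SAMPLES = {
    "benign_agent": Request("POST", 8443, REDIRECT_PATH, False,
                            "AgentGUID=%7B9B4F2A8C-1D2E-4F3A-9B8C-7D6E5F4A3B2C%7D", 120),
    "boolean_sqli": Request("POST", 8443, REDIRECT_PATH, False,
                            "AgentGUID=%7B9B4F2A8C-1D2E-4F3A-9B8C-7D6E5F4A3B2C%7D%27+OR+1%3D1--", 130),
    "time_sqli_xml": Request("POST", 8443, "/receiveDataChannelMsg.dcp", True,
                             "<AgentGUID>x';WAITFOR DELAY '0:0:5'--</AgentGUID>", 5200),
    "non_default_port": Request("POST", 9443, REDIRECT_PATH, False, "AgentGUID=%27%3B--", 90),
    "unrelated": Request("GET", 8443, "/some/other/page", True, "", 40),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18} {verdict(req):6} {analyze(req)}")
```

The `non_default_port` sample is the point of the port caveat: with the default `epo_port` it is ignored entirely, and only `verdict(req, epo_port=9443)` raises it to an alert. The slow-response rule is deliberately crude; in production, baseline the endpoint's normal latency and correlate with the database server's own query timing rather than using a fixed threshold.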

CVSS provenance

NVD, CVSS v3.0: 10.0 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P