17th Mar 2003 [SBWID-6071]
COMMAND
	McAfee ePolicy Orchestrator Format String Vulnerability
SYSTEMS AFFECTED
	McAfee ePolicy Orchestrator 2.5.1
PROBLEM
	In :
	 
	                            @stake, Inc.
	                           www.atstake.com
	                          Security Advisory
	Advisory Name: ePolicy Orchestrator Format String Vulnerability
	 Release Date: 03/17/2003
	  Application: McAfee ePolicy Orchestrator 2.5.1
	     Platform: Windows 2000 Server SP1
	               Windows 2000 Pro SP1
	     Severity: There is a format string vulnerability
	               that leads to the remote execution of code as
	               SYSTEM.
	      Authors: Ollie Whitehouse [[email protected]]
	               Andreas Junestam [[email protected]]
	Vendor Status: Vendor has patch available
	CVE Candidate: CAN-2002-0690
	    Reference: www.atstake.com/research/advisories/2003/a031703-1.txt
	
	--snip--
	The ePolicy Orchestrator Agent is a service that allows the retrieval
	of log data. It should be noted that the Agent does not require
	password authentication to gain access and allows the retrieval of
	sensitive information (i.e. the source AV server, local paths etc.).
	By default the agent runs as SYSTEM on the host and thus can be used to
	either elevate local privileges or remotely compromise the host.
	The ePO agent uses the HTTP protocol to communicate on port 8081.
	Sending a GET request with a request string containing a few format
	string characters will cause the service to terminate. An event will be
	written to the event log detailing the crash. A properly constructed
	malicious string containing format string characters will allow the
	execution of arbitrary code.
	--snap--
SOLUTION
	The vendor has made a patch available. It is not directly  downloadable.
	Call  to  request  the  patch.  It  is  delivered  via  email.   Contact
	information:
	
	http://www.nai.com/naicommon/aboutnai/contact/intro.asp#software-support
	
	@stake Recommendation:
	If you have a support contract and are eligible for the patch, you
	should request it and install it.
	If you cannot patch, you should consider host-based filtering so that
	only the network management systems that need to communicate with the
	hosts running ePO can connect on TCP port 8081. This requires a
	host-based firewall.
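	Added example (not part of the @stake advisory or the vendor's software): a small triage script that applies the two points above to request records for the agent port. It URL-decodes each request path, counts printf-style directives (treating "%%" as a literal), and flags any client outside an assumed management allow-list. The record layout, the 10.0.5.0/24 management network and the sample lines are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample request records, one per line: "<src_ip> <dst_port> <method> <path>".
# This layout is an assumption for the example, not the ePO agent's real log format.
SAMPLE_LINES = [
    "10.0.5.20 8081 GET /Agent/Log",              # management console, benign
    "10.0.5.20 8081 GET /Agent/Log?name=100%25",  # encoded literal '%', no directive
    "192.168.77.9 8081 GET /%x%x%x%n",            # directives from a non-management host
    "192.168.77.9 8081 GET /%25n%25n",            # same, URL-encoded to dodge naive matching
    "10.0.5.20 8081 GET /%%s%s",                  # '%%' is a literal, '%s' is a directive
    "192.168.77.9 80 GET /index.html",            # not the agent port, ignored
]

# Assumed allow-list: the only systems that should reach the agent on TCP 8081.
MANAGEMENT_NETS = [ip_network("10.0.5.0/24")]
AGENT_PORT = 8081

# printf-style directive: flags, width, precision, length modifier, conversion.
# '%%' is matched first so a literal percent sign is not mistaken for a directive.
FORMAT_DIRECTIVE = re.compile(
    r"%%|%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|j|z|t|I64|I32|I)?"
    r"[diouxXeEfFgGaAcspn]"
)
RECORD = re.compile(r"^(?P<src>\S+) (?P<port>\d+) (?P<method>[A-Z]+) (?P<path>\S+)$")

def format_directives(path):
    """Return the printf directives present in a request path after URL-decoding."""
    decoded = unquote(path)
    return [m for m in FORMAT_DIRECTIVE.findall(decoded) if m != "%%"]

def triage(lines, management_nets=MANAGEMENT_NETS, agent_port=AGENT_PORT):
    """Flag agent-port requests from unexpected hosts or carrying format directives."""
    findings = []
    for line in lines:
        rec = RECORD.match(line)
        if not rec or int(rec["port"]) != agent_port:
            continue
        src = ip_address(rec["src"])
        reasons = []
        if not any(src in net for net in management_nets):
            reasons.append("source outside management allow-list")
        directives = format_directives(rec["path"])
        if directives:
            reasons.append("format directives in request: " + ",".join(directives))
        if reasons:
            findings.append((rec["src"], rec["path"], reasons))
    return findings
```

	triage(SAMPLE_LINES) returns three findings: the two requests from 192.168.77.9 (flagged for both reasons) and the management-host request carrying "%s"; the encoded literal percent and the port-80 request are not reported.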