CVE-2015-0922
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.
| Software | From | Fixed in |
|---|---|---|
| mcafee / epolicy_orchestrator | 5.0.0 | 5.0.0.x |
| mcafee / epolicy_orchestrator | 5.1.0 | 5.1.0.x |
| mcafee / epolicy_orchestrator | 5.1.1 | 5.1.1.x |
| mcafee / epolicy_orchestrator | 5.0.1 | 5.0.1.x |
| mcafee / epolicy_orchestrator | - | 4.6.8.x |
- http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html
- http://seclists.org/fulldisclosure/2015/Jan/37
- http://seclists.org/fulldisclosure/2015/Jan/8
- http://www.securityfocus.com/bid/72298
- http://www.securitytracker.com/id/1031519
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99949
- https://gist.github.com/brandonprry/692e553975bf29aeaf2c
- https://kc.mcafee.com/corporate/index?page=content&id=SB10095
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime