=====================================================================
CERT-Renater Information Note No. 2007/VULN109
_____________________________________________________________________

DATE                 : 14/03/2007
HARDWARE PLATFORM(S) :
OPERATING SYSTEM(S)  : Systems running McAfee ePolicy Orchestrator,
                       McAfee ProtectionPilot, McAfee ePO/PRP
                       management console.
======================================================================

https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496
______________________________________________________________________

McAfee ePolicy Orchestrator (ePO) and ProtectionPilot (PRP) HotFixes
fix multiple vulnerabilities

Environment
  McAfee ePolicy Orchestrator 3.5.0 (Patch 7 and earlier)
  McAfee ePolicy Orchestrator 3.6.0 (Patch 5 and earlier)
  McAfee ProtectionPilot 1.1.1 (Patch 3 and earlier)
  McAfee ProtectionPilot 1.5
  Microsoft Windows 2000 Server
  Microsoft Windows 2003 Server

Summary
  McAfee Security Bulletin
  McAfee ePolicy Orchestrator (ePO) and ProtectionPilot (PRP) HotFixes
  fix multiple vulnerabilities.
  Published: March 13, 2007
  Version: 1

1. SUMMARY

Who should read this document
  Technical and Security Personnel

Impact of Vulnerability
  Local Assisted Arbitrary Command Execution

Severity Rating
  Medium

Recommendations
  Update ePO 3.6.0 Patch 5 to ePO 3.6.0 HotFix - EPO360HF323553
  Update ePO 3.5.0 Patch 7 to ePO 3.5.0 HotFix - EPO350HF323550
  Update PRP 1.5.0         to PRP 1.5.0 HotFix - PRP150HF323558
  Update PRP 1.1.1 Patch 3 to PRP 1.1.1 HotFix - PRP111HF323555

Security Bulletin Replacement
  None

Caveats
  None

Affected Software
  McAfee ePolicy Orchestrator 3.6.0 Patch 5 and earlier.
  McAfee ePolicy Orchestrator 3.5.0 Patch 7 and earlier.
  McAfee ProtectionPilot 1.5.0.
  McAfee ProtectionPilot 1.1.1 Patch 3 and earlier.

Location of updated software
  https://mysupport.mcafee.com/eservice_enu/start.swe
2. Description

A successful exploit of these security flaws would allow an attacker to
remotely execute arbitrary code on the machine running the McAfee ePolicy
Orchestrator (ePO) server, the McAfee ProtectionPilot (PRP) server or the
ePO/PRP management console. In order for this attack to work, an attacker
has to be assisted by a user either on the ePO/PRP server or on a machine
with the ePO/PRP remote management console installed. One way that a user
on one of these machines could assist the attacker is by rendering a
malicious web page in Microsoft Internet Explorer (IE). Command execution
by the attacker is limited to the privileges of that user on the machine.
The attack requires reverse engineering of ePO/PRP, establishing a
malicious web page and the cooperation of an ePO/PRP user.

The update has been pushed to Service Portal servers and is available for
download as of March 13, 2007. This update removes the risk associated
with this security flaw.

3. Remediation

Overview:
  Download the appropriate HotFix package for the ePolicy Orchestrator
  (ePO) or ProtectionPilot (PRP) server you wish to update.
    ePolicy Orchestrator 3.6.0 Patch 5 - EPO360HF323553.zip
    ePolicy Orchestrator 3.5.0 Patch 7 - EPO350HF323550.zip
    ProtectionPilot 1.5.0              - PRP150HF323558.zip
    ProtectionPilot 1.1.1 Patch 3      - PRP111HF323555.zip
  Apply the HotFix to the ePO / PRP server and console(s).

  NOTE: The ePO and PRP server and console should have been updated with
  the above-mentioned Patches before applying the HotFix.

Obtaining the patch binaries:
  Service Portal https://mysupport.mcafee.com/eservice_enu/start.swe

Detailed steps for installing the HotFix:
  1. Close all ePolicy Orchestrator / ProtectionPilot consoles.
  2. Stop all ePolicy Orchestrator / ProtectionPilot services.
  3. Go to the ePolicy Orchestrator / ProtectionPilot installation
     directory and back up the following file(s) and directory(ies):
     NOTE: All file locations are referenced using the default path.
       For ePO 3.6.0 - C:\Program Files\McAfee\ePO\3.6.0\SiteManager.Dll
       For ePO 3.5.0 - C:\Program Files\Network Associates\ePO\3.5.0\SiteManager.Dll
       For PRP 1.5.0 - C:\Program Files\McAfee\PRP\1.5.0\SiteManager.Dll
       For PRP 1.1.1 - C:\Program Files\McAfee\PRP\1.1.1\SiteManager.Dll
  4. Replace the backed-up file with the version in the package:
       Setup\Console\Product\SiteManager.Dll
  5. Restart all ePolicy Orchestrator / ProtectionPilot services.

  For all remote consoles, repeat Steps 3 - 7.

Detailed steps for validating the HotFix install:
  The binaries that were replaced as part of this HotFix should have the
  following version numbers:
    For ePO 3.6.0 - SiteManager.dll - 3.6.0.619
    For ePO 3.5.0 - SiteManager.dll - 1.5.0.523
    For PRP 1.5.0 - SiteManager.dll - 1.5.0.529
    For PRP 1.1.1 - SiteManager.dll - 1.5.0.526

Detailed steps to uninstall the HotFix:
  To remove this HotFix from your computer, follow the installation steps
  above to copy the backed-up files back into the ePO/PRP installation
  folder.

  NOTE: We recommend that you do NOT remove the HotFix files once you
  install them. If you reinstall the ePolicy Orchestrator or
  ProtectionPilot software, we recommend that you also reinstall the
  HotFix.

4. Work Around

None

5. Acknowledgements

Cocoruder of Fortinet Security Research

6. Support

Corporate Technical Support: 1-800-338-8754
http://www.mcafee.com/us/support/default.asp

7. Frequently Asked Questions (FAQ) related to this security bulletin

Who is affected by this security vulnerability?
  McAfee ePolicy Orchestrator 3.6.0 Patch 5 and earlier, McAfee ePolicy
  Orchestrator 3.5.0 Patch 7 and earlier, McAfee ProtectionPilot 1.5.0,
  McAfee ProtectionPilot 1.1.1 Patch 3 and earlier. McAfee urges all
  customers to verify that they have received the latest updates.
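To make the version check from the validation steps above (and the FAQ answer on how to tell whether a server is patched) repeatable across a fleet, here is an added Python example; it is not part of the McAfee bulletin or of the CERT-Renater note. It embeds the fixed SiteManager.dll versions and default paths listed in this note, compares versions numerically rather than as strings, and reads the file version through the Win32 version API when run on Windows (on other platforms only the comparison logic runs and the file check reports "unknown").

```python
import sys
import ctypes

# Fixed SiteManager.dll versions and default install paths from the bulletin.
FIXED = {
    "ePO 3.6.0": (r"C:\Program Files\McAfee\ePO\3.6.0\SiteManager.dll", "3.6.0.619"),
    "ePO 3.5.0": (r"C:\Program Files\Network Associates\ePO\3.5.0\SiteManager.dll", "1.5.0.523"),
    "PRP 1.5.0": (r"C:\Program Files\McAfee\PRP\1.5.0\SiteManager.dll", "1.5.0.529"),
    "PRP 1.1.1": (r"C:\Program Files\McAfee\PRP\1.1.1\SiteManager.dll", "1.5.0.526"),
}

def parse_version(text):
    """'3.6.0.619' -> (3, 6, 0, 619); tuples compare numerically, so 1.5.0.1000 > 1.5.0.523."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(product, installed):
    """True when the installed version is lower than the HotFix version for that product."""
    return parse_version(installed) < parse_version(FIXED[product][1])

def file_version(path):
    """Return 'a.b.c.d' from a PE file's VS_FIXEDFILEINFO, or None (non-Windows / missing file)."""
    if sys.platform != "win32":
        return None
    from ctypes import wintypes
    ver = ctypes.windll.version                      # version.dll
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        return None
    ptr, length = ctypes.c_void_p(), wintypes.UINT()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        return None
    # VS_FIXEDFILEINFO: dwFileVersionMS is the 3rd DWORD, dwFileVersionLS the 4th.
    dw = ctypes.cast(ptr, ctypes.POINTER(wintypes.DWORD * 4)).contents
    ms, ls = dw[2], dw[3]
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def check(product, path=None):
    """'patched', 'vulnerable' or 'unknown' for one product; default path unless one is given."""
    installed = file_version(path or FIXED[product][0])
    if installed is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(product, installed) else "patched"

if __name__ == "__main__":
    for name in FIXED:
        print("%-10s %s" % (name, check(name)))
```

Run it on each server and remote console (the HotFix must be applied to consoles too); a non-default install path can be passed to check() explicitly.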
Does this vulnerability affect McAfee enterprise products?
  Yes, ePolicy Orchestrator Server 3.6.0 Patch 5 and earlier and ePolicy
  Orchestrator Server 3.5.0 Patch 7 and earlier.

How do I know if my ePO server is patched or not?
  Check the version number of the following binaries. Binaries with a
  version lower than the one listed are vulnerable.
    For ePO 3.6.0 - SiteManager.dll - 3.6.0.619
    For ePO 3.5.0 - SiteManager.dll - 1.5.0.523
    For PRP 1.5.0 - SiteManager.dll - 1.5.0.529
    For PRP 1.1.1 - SiteManager.dll - 1.5.0.526

What has McAfee done to resolve the issue?
  McAfee believes in providing the most secure software to customers and
  has provided an update for this security flaw.

Where do I download the fix from?
  The fix can be downloaded from:
  https://mysupport.mcafee.com/eservice_enu/start.swe
  Users may need to provide their grant number to initiate the download.

How does McAfee respond to this and any other security flaws?
  McAfee's key priority is the security of its customers. In the event
  that a vulnerability is found within any of McAfee's software, a strong
  process is in place to work closely with the relevant security research
  group to ensure the rapid and effective development of a fix and a
  communication plan. McAfee is an active member of the Organization for
  Internet Safety (OIS), which is dedicated to developing guidelines and
  best practices for the reporting and fixing of software vulnerabilities.

8. Resources

To download new beta software or to read about the latest beta
information, visit the beta website:
  http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm
To submit beta feedback on any McAfee product, send email to:
  mcafee_beta@mcafee.com
For contact information, see:
  http://www.mcafee.com/pubs/contacts.html
For copyright, trademark attributions, and license information, see:
  http://www.mcafee.com/pubs/copyright.html
For patents protecting this product, see the product documentation.
9. Disclaimer

The information provided in this security bulletin is provided "as is"
without warranty of any kind. McAfee disclaims all warranties, either
express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall McAfee or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if McAfee or its suppliers have been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing
limitation may not apply.

======================================================================

=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44       +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41       +
+ 75013 Paris           | email: certsvp@renater.fr  +
=========================================================