McAfee ePolicy Orchestrator POST Format String

2003-07-31T00:00:00
ID OSVDB:5637
Type osvdb
Reporter Andreas Junestam (andreas@atstake.com)
Modified 2003-07-31T00:00:00

Description

Vulnerability Description

A format string bug exists in McAfee ePolicy Orchestrator. ePolicy Orchestrator does not safely handle format specifiers when logging failed name resolutions. With a specially crafted POST request, an attacker can execute arbitrary code on the system, resulting in a loss of confidentiality.
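The bug class described above, logging a failed name resolution with request data in the format position, is avoided by keeping the format string constant and passing the name only as an argument. The following is an added example, not code from ePolicy Orchestrator or from the advisory; the function names, the log message text and the sample host name are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern, kept as a comment so it is never compiled:
 *     snprintf(msg, sizeof msg, "cannot resolve %s", host);
 *     fprintf(logfp, msg);   // request data parsed as a format string
 */

/* Hypothetical helper: RFC 1123-style syntax check (labels of 1..63
 * characters from [A-Za-z0-9-], no leading/trailing '-', total <= 253). */
int hostname_is_plausible(const char *h)
{
    size_t total = strlen(h), label = 0;
    if (total == 0 || total > 253) return 0;
    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label == 0) return 0;
            if (++label > 63) return 0;
        } else {
            return 0;   /* '%', whitespace, control bytes, ... */
        }
    }
    return label > 0 && h[total - 1] != '-';
}

/* Hypothetical logger: the format string is a constant and the host name is
 * only ever an argument. Non-printable bytes are replaced with '?'. */
int format_resolve_failure(char *out, size_t n, const char *host)
{
    char safe[256];
    size_t i;
    for (i = 0; host[i] != '\0' && i < sizeof safe - 1; i++)
        safe[i] = isprint((unsigned char)host[i]) ? host[i] : '?';
    safe[i] = '\0';
    return snprintf(out, n, "name resolution failed for \"%s\" (%s)", safe,
                    hostname_is_plausible(host) ? "syntax ok" : "syntax rejected");
}

int main(void)
{
    char line[512];
    format_resolve_failure(line, sizeof line, "%n%n%s.example"); /* constructed */
    puts(line);
}
```

With the constant format string, the `%` sequences in the constructed name are written to the log verbatim, and the syntax verdict gives a detection rule something to key on.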

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, McAfee has released a patch to address this vulnerability.

References:

Vendor Specific Solution URL: http://www.networkassociates.com/us/downloads/updates/hotfixes.asp
Vendor Specific Advisory URL:
Security Tracker: 1006298
Secunia Advisory ID: 9413
Related OSVDB ID: 5636
Related OSVDB ID: 5635
Related OSVDB ID: 2351
Other Advisory URL: http://www.atstake.com/research/advisories/2003/a073103-1.txt
Keyword: ePO
ISS X-Force ID: 12789
CVE-2003-0616
Bugtraq ID: 8318