McAfee has discovered and resolved a vulnerability in the following versions of the ePolicy Orchestrator (ePO) Extension for McAfee Agent (MA):
Affected Product Extension Versions:
• MA 4.5.0 (RTW) to MA 4.5.0 Patch 3 Extension
• MA 4.6.0 (RTW) to MA 4.6.0 Patch 3 Extension
NOTE: The MA 4.8.0 Extension and later are not affected.
CVE-2013-0140 - VESVM-2013-001 (CVSS: 6.2; Severity: High) is a server-side pre-authenticated SQL injection vulnerability within the Agent-Handler component (Agent-Server communication channel). A successful exploit can allow remote code execution (RCE).
McAfee recommends that all customers verify that they have applied the latest updates. Affected users should install the relevant patches or hotfixes.
Patch the currently supported versions of the ePO Extension for MA that are earlier than version 4.8.
NOTE: The 4.8 Extension is backwards-compatible with MA 4.5 and 4.6. There is no 4.7 version. A separate 4.6 hotfix is being developed for customers who are unable to upgrade to the MA 4.8 Extension.