Platform: windows
Component: dlp-endpoint-epo-extension
Fixed in: 11.3.0
CVE-2019-3595 describes a Command Injection vulnerability affecting the McAfee Data Loss Prevention (DLP) Endpoint ePO extension. This flaw allows an authenticated administrator to execute arbitrary code on their local machine. The vulnerability impacts versions 11.0.0 through 11.3.0 of the extension, and a fix is available in version 11.3.0.
The primary impact of CVE-2019-3595 is the potential for arbitrary code execution on the administrator's machine. An attacker, posing as an authenticated administrator, can craft a malicious DLP policy, export it, and trick the administrator into opening it. Upon execution, the policy will inject and execute commands, granting the attacker control over the system with the administrator's privileges. This could lead to data theft, system compromise, or further lateral movement within the network. The requirement for explicit user approval to execute the code slightly mitigates the risk, but social engineering tactics could still be effective.
CVE-2019-3595 was publicly disclosed on July 24, 2019. While no active exploitation campaigns have been publicly reported, the Command Injection nature of the vulnerability makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature suggests that development is possible.
Organizations utilizing McAfee Data Loss Prevention (DLP) Endpoint ePO extension in versions 11.0.0 through 11.3.0 are at risk. This includes environments with a high number of administrators with access to the ePO console, as well as those with less stringent DLP policy review processes. Shared hosting environments utilizing the extension are also potentially vulnerable.
• windows / supply-chain:
  Get-ScheduledTask | Where-Object {$_.TaskName -like '*DLP*'} | Select-Object TaskName, State, @{n='LastRunTime'; e={($_ | Get-ScheduledTaskInfo).LastRunTime}}
• windows / supply-chain:
  Get-Process | Where-Object {$_.ProcessName -like '*epo*'} | Select-Object ProcessName, Id, CPU, WorkingSet
• windows / supply-chain:
  Check the registry for suspicious entries related to DLP policies under HKLM\SOFTWARE\McAfee\DLP\Policies.
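The three checks above combined into one script, added here as an example (it is not McAfee tooling and not part of the original page). It assumes the registry path quoted above; the shell-metacharacter heuristic used to flag policy values and the output layout are this example's own choices.

```powershell
# Added example: run this page's three detection checks in one pass.
# Assumptions: the HKLM\SOFTWARE\McAfee\DLP\Policies path quoted above;
# the metacharacter regex is a heuristic for values that merit manual review.

$findings = @()

# 1. Scheduled tasks whose name mentions DLP (LastRunTime comes from Get-ScheduledTaskInfo)
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like '*DLP*' } |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        $findings += [pscustomobject]@{
            Check  = 'ScheduledTask'
            Item   = $_.TaskName
            Detail = "State=$($_.State) LastRun=$($info.LastRunTime)"
        }
    }

# 2. Running processes related to ePO
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -like '*epo*' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Check  = 'Process'
            Item   = $_.ProcessName
            Detail = "Id=$($_.Id) CPU=$($_.CPU) WorkingSet=$($_.WorkingSet)"
        }
    }

# 3. DLP policy registry values that contain shell metacharacters or interpreter names
$policyKey = 'HKLM:\SOFTWARE\McAfee\DLP\Policies'
if (Test-Path $policyKey) {
    Get-ChildItem -Path $policyKey -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            $key.GetValueNames() | ForEach-Object {
                $value = [string]$key.GetValue($_)
                if ($value -match '[|&;`]|cmd\.exe|powershell') {
                    $findings += [pscustomobject]@{
                        Check  = 'Registry'
                        Item   = "$($key.Name)\$_"
                        Detail = $value
                    }
                }
            }
        }
}

# Anything listed here is a lead for manual review, not a confirmed compromise
$findings | Format-Table -AutoSize
```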
Exploit status
EPSS: 0.19% (41st percentile)
The primary mitigation for CVE-2019-3595 is to upgrade the McAfee DLP Endpoint ePO extension to version 11.3.0 or later. Prior to upgrading, it is recommended to create a backup of the existing ePO configuration. If an upgrade is not immediately feasible, restrict administrator access to the ePO extension and closely monitor DLP policy exports for any suspicious activity. Consider implementing stricter DLP policy review processes to identify and prevent the deployment of malicious policies. There are no specific WAF or proxy rules that can directly address this vulnerability.
Update the DLP Endpoint ePO extension to version 11.3.0 or later. This fixes the command injection vulnerability that occurs when exporting DLP policies in CSV format. The update must be performed through the McAfee repository.
CVE-2019-3595 is a Command Injection vulnerability in McAfee Data Loss Prevention (DLP) Endpoint ePO extension versions 11.0.0–11.3.0, allowing authenticated administrators to execute arbitrary code.
You are affected if you are using McAfee DLP Endpoint ePO extension versions 11.0.0 through 11.3.0 and have not upgraded to version 11.3.0 or later.
Upgrade the McAfee DLP Endpoint ePO extension to version 11.3.0 or later. Back up your ePO configuration before upgrading.
While no active exploitation campaigns have been publicly reported, the vulnerability's nature makes it a potential target.
Refer to the McAfee Security Bulletin: https://kc.mcafee.com/corporate/details/kb/133763