LOW · CVE-2019-3595 · CVSS 2

DLP Endpoint ePO extension not sanitizing CSV exports


Platform: windows

Component: dlp-endpoint-epo-extension

Fixed in: 11.3.0

AI Confidence: high · NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2019-3595 describes a Command Injection vulnerability affecting the McAfee Data Loss Prevention (DLP) Endpoint ePO extension. This flaw allows an authenticated administrator to execute arbitrary code on their local machine. The vulnerability impacts versions 11.0.0 through 11.3.0 of the extension, and a fix is available in version 11.3.0.

Impact and Attack Scenarios

The primary impact of CVE-2019-3595 is the potential for arbitrary code execution on the administrator's machine. An attacker, posing as an authenticated administrator, can craft a malicious DLP policy, export it, and trick the administrator into opening it. Upon execution, the policy will inject and execute commands, granting the attacker control over the system with the administrator's privileges. This could lead to data theft, system compromise, or further lateral movement within the network. The requirement for explicit user approval to execute the code slightly mitigates the risk, but social engineering tactics could still be effective.

Exploitation Context

CVE-2019-3595 was publicly disclosed on July 24, 2019. While no active exploitation campaigns have been publicly reported, the Command Injection nature of the vulnerability makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature suggests that development is possible.

Who Is at Risk

Organizations utilizing McAfee Data Loss Prevention (DLP) Endpoint ePO extension in versions 11.0.0 through 11.3.0 are at risk. This includes environments with a high number of administrators with access to the ePO console, as well as those with less stringent DLP policy review processes. Shared hosting environments utilizing the extension are also potentially vulnerable.

Detection Steps

• windows / supply-chain:

Get-ScheduledTask | Where-Object {$_.TaskName -like '*DLP*'} | Select-Object TaskName, State, @{Name='LastRunTime'; Expression={($_ | Get-ScheduledTaskInfo).LastRunTime}}

• windows / supply-chain:

Get-Process | Where-Object {$_.ProcessName -like '*epo*'} | Select-Object ProcessName, Id, CPU, WorkingSet

• windows / supply-chain: Check registry for suspicious entries related to DLP policies under HKLM\SOFTWARE\McAfee\DLP\Policies.

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: Low

EPSS

0.19% (41st percentile)

CVSS Vector

CVSS 3.1 · CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N · 2.0 LOW (nextguardhq.com · CVSS v3.1 Base Score)

What do these metrics mean?

Attack Vector: Local (how the attacker reaches the target). The attacker needs a local session or shell on the system.
Attack Complexity: Low (conditions required to exploit). No special conditions; the attacker can exploit reliably.
Privileges Required: High (level of authentication required). An administrator or privileged account is needed.
User Interaction: Required (whether the victim must take an action). The victim must open a file, click a link, or visit a page.
Scope: Unchanged (impact beyond the affected component). Impact is limited to the vulnerable component.
Confidentiality: None (risk of sensitive data exposure). No impact on confidentiality.
Integrity: Low (risk of unauthorized data modification). The attacker can modify some data with limited reach.
Availability: None (risk of service interruption). No impact on availability.

Affected Software

Component: dlp-endpoint-epo-extension
Vendor: McAfee, LLC
Affected range: 11.x – 11.3.0
Fixed in: 11.3.0

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2019-3595 is to upgrade the McAfee DLP Endpoint ePO extension to version 11.3.0 or later. Prior to upgrading, it is recommended to create a backup of the existing ePO configuration. If an upgrade is not immediately feasible, restrict administrator access to the ePO extension and closely monitor DLP policy exports for any suspicious activity. Consider implementing stricter DLP policy review processes to identify and prevent the deployment of malicious policies. There are no specific WAF or proxy rules that can directly address this vulnerability.

How to fix

Update the DLP Endpoint ePO extension to version 11.3.0 or later. This fixes the command injection vulnerability when exporting DLP policies in CSV format. The update should be performed through the McAfee repository.
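One way to review a CSV policy export before it is opened in a spreadsheet, shown as an added example that is not McAfee's code or part of the original page. It assumes the unsanitized cells belong to the usual spreadsheet formula-trigger class (a leading =, +, -, @, tab or carriage return); the sample export and its column names are constructed.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula.
# Assumption: the usual CSV-injection trigger set; the page does not list
# the characters involved in CVE-2019-3595.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export; column names and values are illustrative only.
SAMPLE_EXPORT = (
    "RuleName,Description,Threshold\n"
    "Block USB,Prevents copying to removable media,-5\n"
    "Mail rule,=1+1,10\n"
    "Print rule,@SUM(A1:A2),+3\n"
)


def _is_number(text):
    """Plain signed numbers such as -5 or +3.2 are data, not formulas."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def is_risky(cell):
    """True if a spreadsheet could evaluate this cell instead of showing it."""
    stripped = cell.lstrip(" ")
    return stripped.startswith(FORMULA_TRIGGERS) and not _is_number(stripped)


def scan_export(text):
    """Return (row, column, value) for every risky cell in the CSV text."""
    rows = csv.reader(io.StringIO(text, newline=""))
    return [(r, c, cell)
            for r, row in enumerate(rows, start=1)
            for c, cell in enumerate(row, start=1)
            if is_risky(cell)]


def neutralize(text):
    """Rewrite the CSV so risky cells open as literal text (leading quote)."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text, newline="")):
        writer.writerow(["'" + c if is_risky(c) else c for c in row])
    return out.getvalue()
```

Run `scan_export` on the export text first and treat any finding as a reason to review the policy in a text editor; `neutralize` produces a copy that is safer to open but does not replace upgrading the extension.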


Frequently Asked Questions

What is CVE-2019-3595 — Command Injection in McAfee DLP Endpoint ePO?

CVE-2019-3595 is a Command Injection vulnerability in McAfee Data Loss Prevention (DLP) Endpoint ePO extension versions 11.0.0–11.3.0, allowing authenticated administrators to execute arbitrary code.

Am I affected by CVE-2019-3595 in McAfee DLP Endpoint ePO?

You are affected if you are using McAfee DLP Endpoint ePO extension versions 11.0.0 through 11.3.0 and have not upgraded to version 11.3.0 or later.

How do I fix CVE-2019-3595 in McAfee DLP Endpoint ePO?

Upgrade the McAfee DLP Endpoint ePO extension to version 11.3.0 or later. Back up your ePO configuration before upgrading.

Is CVE-2019-3595 being actively exploited?

While no active exploitation campaigns have been publicly reported, the vulnerability's nature makes it a potential target.

Where can I find the official McAfee advisory for CVE-2019-3595?

Refer to the McAfee Security Bulletin: https://kc.mcafee.com/corporate/details/kb/133763
