CVE-2015-0922 Information

Description

McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers’ installations which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.

Reference

http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html http://seclists.org/fulldisclosure/2015/Jan/37 http://seclists.org/fulldisclosure/2015/Jan/8 http://www.securityfocus.com/bid/72298 http://www.securitytracker.com/id/1031519 https://exchange.xforce.ibmcloud.com/vulnerabilities/99949 https://gist.github.com/brandonprry/692e553975bf29aeaf2c https://kc.mcafee.com/corporate/index?page=content&id=SB10095