===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0177
ePolicy Orchestrator update fixes a TLS issue between ePolicy Orchestrator
          Agent Handler and SQL Server (CVE-2019-3619) (SB10286)
                                5 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee ePolicy Orchestrator
Operating System:     Windows
                      Virtualisation
Impact/Access:        Access Confidential Data -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-3619  
Member content until: Sunday, August 4 2019

OVERVIEW

        McAfee has released updates for ePolicy Orchestrator that fix a TLS
        issue between the ePolicy Orchestrator Agent Handler and SQL Server
        (CVE-2019-3619) (SB10286). [1]


IMPACT

        McAfee has provided the following information regarding the vulnerability and impact:
        
        "Vulnerability Description
        ePO offers the ability to configure the communication between the McAfee Agent
        Handler and the SQL Server to be plain text or encrypted over TLS. The Agent
        Handler was only honoring some of the TLS options, and was incorrectly
        reverting to plain text communication for the others.
        
        CVE-2019-3619:
        Information Disclosure vulnerability in the Agent Handler in McAfee ePolicy
        Orchestrator (ePO) 5.9.x and 5.10.0 prior to 5.10.0 Update 4 allows a remote
        unauthenticated attacker to view sensitive information in plain text via
        sniffing the traffic between the Agent Handler and the SQL Server." [1]
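
        Because the Agent Handler silently fell back to plain text, the only
        reliable check is to look at what the SQL connection actually
        negotiated. The following is an added example (not part of this
        bulletin, McAfee's code or the SB10286 article): it parses the TDS
        PRELOGIN packets exchanged by a SQL client and SQL Server and reports
        whether the session ended up on TLS. The sample packets are constructed,
        the packet builder is a helper written here for the example, and the
        outcome mapping follows the author's reading of the MS-TDS PRELOGIN
        negotiation rules.

```python
# Added example: decide whether a TDS session negotiated TLS by inspecting the
# ENCRYPTION option of the client and server PRELOGIN packets (MS-TDS 2.2.6.5).
import struct

TDS_PRELOGIN = 0x12          # TDS packet type for PRELOGIN
OPT_VERSION = 0x00           # PRELOGIN option tokens
OPT_ENCRYPTION = 0x01
OPT_TERMINATOR = 0xFF
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03

def prelogin_encryption(packet: bytes) -> int:
    """Return the ENCRYPTION value carried in a TDS PRELOGIN packet."""
    ptype, _status, length = struct.unpack_from(">BBH", packet, 0)
    if ptype != TDS_PRELOGIN or length != len(packet):
        raise ValueError("not a well-formed TDS PRELOGIN packet")
    payload = packet[8:]                  # skip the 8-byte TDS packet header
    pos = 0
    while payload[pos] != OPT_TERMINATOR: # option table: token, offset, length
        token, offset, opt_len = struct.unpack_from(">BHH", payload, pos)
        if token == OPT_ENCRYPTION:
            if opt_len != 1:
                raise ValueError("ENCRYPTION option must be exactly 1 byte")
            return payload[offset] & 0x7F # mask the ENCRYPT_CLIENT_CERT flag bit
        pos += 5
    raise ValueError("PRELOGIN packet carries no ENCRYPTION option")

def session_protection(client_pkt: bytes, server_pkt: bytes) -> str:
    """Classify the negotiated outcome from both sides' ENCRYPTION values."""
    c, s = prelogin_encryption(client_pkt), prelogin_encryption(server_pkt)
    if c == ENCRYPT_NOT_SUP:              # client cannot do TLS at all
        return "rejected" if s in (ENCRYPT_ON, ENCRYPT_REQ) else "plaintext"
    if s == ENCRYPT_NOT_SUP:              # server cannot do TLS at all
        return "rejected" if c in (ENCRYPT_ON, ENCRYPT_REQ) else "plaintext"
    if c == ENCRYPT_OFF and s == ENCRYPT_OFF:
        return "login-only"               # only the LOGIN7 packet is encrypted
    return "full-tls"                     # at least one side turned TLS on

def build_prelogin(encryption: int) -> bytes:
    """Helper for this example: build a minimal constructed PRELOGIN packet."""
    version = bytes([0x0F, 0x00, 0x0A, 0x50, 0x00, 0x00])   # arbitrary VERSION data
    table_len = 5 * 2 + 1                 # two option entries plus terminator
    payload = (struct.pack(">BHH", OPT_VERSION, table_len, 6)
               + struct.pack(">BHH", OPT_ENCRYPTION, table_len + 6, 1)
               + bytes([OPT_TERMINATOR]) + version + bytes([encryption]))
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload

if __name__ == "__main__":
    # A server answering ENCRYPT_NOT_SUP to a client that only offered
    # ENCRYPT_OFF is exactly the plain-text fallback this bulletin describes.
    print(session_protection(build_prelogin(ENCRYPT_OFF), build_prelogin(ENCRYPT_NOT_SUP)))
```

        Anything other than "full-tls" for the Agent Handler to SQL Server
        connection means query contents are observable on the wire.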


MITIGATION

        "McAfee strongly recommends that you install the latest update for your version
        of ePO.
        
        o Users of ePO 5.10.0 - Update to 5.10.0 Update 4.
        o Users of ePO 5.9.1 - Upgrade to ePO 5.10.0 Update 4, or apply the
          workaround and install the 5.9.1 hotfix once released.
        o Users of ePO 5.9.0 - Upgrade to ePO 5.10.0 Update 4, or apply the
          workaround and then upgrade to 5.9.1 and install the 5.9.1 hotfix once
          released." [1]


REFERENCES

        [1] ePolicy Orchestrator update fixes a TLS issue between ePolicy
            Orchestrator Agent Handler and SQL Server (CVE-2019-3619) (SB10286)
            https://kc.mcafee.com/corporate/index?page=content&id=SB10286

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================