McAfee ePO Vulnerability Disclosure

This week, we have another delightful exploit from our dear friend Brandon Perry, which targets McAfee's ePolicy Orchestrator. This bug was disclosed on the Full Disclosure mailing list on January 8, hit the Metasploit pull request queue on January 14, and was committed to the master branch of Metasploit Framework on January 18th, whereupon it got picked up by the Rapid7 Vulnerability and Exploit Database.

Knocking over security software is a special kind of win for any vulnerability researcher like Brandon, or us here at Rapid7, or really anyone. Why? Writing software of any complexity is hard. Writing software for a profit is also hard. Writing software that handles unknown user data is especially hard to pull off without introducing security vulnerabilities. Writing software that intentionally handles malicious and attacker-sourced data is insanely hard.

The fact that McAfee (or Rapid7, or Symantec, or anyone) is able to produce and sell enterprise-level security software at all is kind of a miracle, and I don't mean that negatively at all. People have been attacking McAfee branded software for twenty years, and yet they only have 163 CVEs against their entire suite of past and current software. This is pretty amazing, and at the same time, a testament to Brandon and his ability to pick out a new (to the public) exploit path from a software company that's been training against the best security engineers in the world for so long. In addition, they reacted to Brandon's initial disclosure appropriately with a quick turnaround on updating their knowledge base article on workaround solution. So, a win all around, if you ask me.

Just to be clear, we stick to a pretty reasonable disclosure policy here at Rapid7 -- we give vendors and CERT/CC tens of days of heads up before public disclosure. Of course, if there's already an exploit out in the world, it's not like we're going to hold it back; defenders, penetration testers, and researchers are best served by having reliable exploits at their disposal in order to ensure their customers, constituencies, and the Internet at large a safer place. The existence of publicly disclosed and discussed vulnerabilities are pretty crucial for the continued health of the Internet.

So, thanks Brandon, and McAfee, for providing a great example of things working out the right way.

Deprecations, Deprecations Everywhere

Just as a reminder, we're on track for a pile of deprecations in and around Metasploit in 2015. The most significant would be dropping support for Ruby 1.9.x, in favor of 2.1.x , starting the first week of February. Ruby 1.9.x itself goes end of life near the end of February, so if you haven't cut over yet, you might want to prioritize that to shake out any forward compatibility issues.

The command line utilities msfcli, msfpayload, and msfencode will also be dropped out in June, so if you rely on those for any automated processes, you're going to want to get more familiar with their replacements, msfconsole -X (or -r), and msfvenom.

New Modules

Since we last published, Metasploit has picked up four new exploits and five new auxiliary and post modules, including the above-discussed McAfee ePO XXE exploit.

The Arris command exec module by HeadlessZeke is pretty worrisome from a SOHO router perspective -- these Arris chipsets are all over the place under a lot of different brand names, and they are a) never patched and b) often ship with backdoors and c) are pretty soft targets for bug hunters. If you're a penetration tester and somehow managed to get some SOHO routers in scope on a real assessment, please tell me how you did it!

Exploit modules

Auxiliary and post modules