CVE-2023-5444
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in ePolicy Orchestrator (ePO) allows low-privileged remote users to add new administrator accounts by manipulating HTTP POST requests before they reach the server. This affects ePO servers running versions prior to 5.10.0 CP1 Update 2, specifically impacting the dashboard interface.
💻 Affected Systems
- McAfee ePolicy Orchestrator
📦 What is this software?
McAfee (now Trellix) ePolicy Orchestrator is the central management console for McAfee/Trellix endpoint security products. It deploys agents, pushes policies and software to managed endpoints, collects their events and hosts the dashboards that security administrators work from. Because it can push code and policy to every managed endpoint, an ePO administrator account is effectively control of the whole fleet, which is why an unauthorised administrator add is treated as a full compromise below.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the ePO server, enabling them to deploy malware, exfiltrate sensitive data, disable security controls, and compromise the entire managed endpoint environment.
Likely Case
Unauthorized administrative accounts are created, allowing attackers to escalate privileges, modify security policies, and potentially deploy malicious agents to managed endpoints.
If Mitigated
If the ePO console is reachable only from an administrative network, administrators do not browse untrusted sites from the same browser session, and user-creation events are logged and alerted on, a forged request either never reaches the server or is detected before the new administrator account is used.
🎯 Exploit Status
Exploitation requires a low-privileged ePO account and a way to have a forged HTTP POST accepted by the server (the vendor description characterises this as manipulating the POST request before it is processed). As with any CSRF, the forged request is submitted by a browser that already holds a valid, higher-privileged ePO session. The affected functionality is the dashboard interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.10.0 CP1 Update 2
Vendor Advisory: https://kcm.trellix.com/agent/index?page=content&id=SB10410
Restart Required: Yes
Instructions:
1. Download ePO 5.10.0 CP1 Update 2 from the Trellix support portal.
2. Back up the ePO database and configuration.
3. Run the update installer on the ePO server.
4. Restart the ePO server services.
5. Verify the update in the ePO console (Help → About ePolicy Orchestrator).
🔧 Temporary Workarounds
Implement CSRF Tokens
Platform: Windows
Anti-CSRF tokens on the ePO dashboard forms would validate that each state-changing request came from a form the server issued. ePO is a closed product, so this is not something an operator can configure: it requires changes to the product itself and there are no standard commands for it. Treat it as what the vendor fix delivers, not as an interim control.
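The following is an added illustration of the two checks that stop this class of attack, a same-origin check on the request and a per-session synchronizer token; it is not ePO's code and the console origin, endpoint path (taken from this page's SIEM query) and request shape are assumptions. `hardened=False` reproduces the vulnerable behaviour, where a valid session cookie alone is enough to create a user.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed console origin and user-admin endpoint (the path is the one the
# page's SIEM query uses; neither is taken from vendor documentation).
EPO_ORIGIN = "https://epo.example.internal:8443"
PROTECTED_POSTS = {"/core/userAdmin.do"}


class SessionStore:
    """Server-side session table: session id -> per-session CSRF token."""

    def __init__(self):
        self.tokens = {}

    def login(self):
        session_id = secrets.token_urlsafe(16)
        self.tokens[session_id] = secrets.token_urlsafe(32)
        return session_id

    def csrf_token(self, session_id):
        return self.tokens.get(session_id)


def same_origin(request):
    """True only when Origin (or, failing that, Referer) matches the console.
    A missing header fails closed: browsers attach Origin to cross-site POSTs."""
    header = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not header:
        return False
    got, want = urlsplit(header), urlsplit(EPO_ORIGIN)
    return (got.scheme, got.netloc.lower()) == (want.scheme, want.netloc.lower())


def check_request(request, store, hardened=True):
    """Authorisation decision for one request.

    hardened=False: any POST carrying a valid session cookie is accepted
    (the vulnerable behaviour).  hardened=True additionally requires a
    same-origin request and a token that matches the one bound to the session."""
    session_id = request["cookies"].get("session")
    if session_id not in store.tokens:
        return "reject: no session"
    if request["method"] != "POST" or request["path"] not in PROTECTED_POSTS:
        return "allow"
    if not hardened:
        return "allow"
    if not same_origin(request):
        return "reject: cross-origin"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(store.csrf_token(session_id), supplied):
        return "reject: bad token"
    return "allow"


def build_scenario():
    """Constructed requests: the administrator's own form submission, and a
    forged one that the administrator's browser submits from an attacker page.
    The browser attaches the session cookie to both; only the legitimate one
    carries the console Origin and the session's token."""
    store = SessionStore()
    admin_session = store.login()
    form = {"user": "backupadm", "role": "Administrator"}
    legit = {
        "method": "POST", "path": "/core/userAdmin.do",
        "headers": {"Origin": EPO_ORIGIN},
        "cookies": {"session": admin_session},
        "form": dict(form, csrf_token=store.csrf_token(admin_session)),
    }
    forged = {
        "method": "POST", "path": "/core/userAdmin.do",
        "headers": {"Origin": "https://attacker.example"},
        "cookies": {"session": admin_session},
        "form": dict(form),
    }
    return store, legit, forged


if __name__ == "__main__":
    store, legit, forged = build_scenario()
    for name, req in (("legitimate", legit), ("forged", forged)):
        print(f"{name:10s} vulnerable={check_request(req, store, hardened=False):6s} "
              f"hardened={check_request(req, store)}")
```

The origin check alone would already block the forged request here, but it is kept alongside the token because some clients and proxies strip Origin and Referer; the token is what remains when the headers are absent, and the header check is what catches a token that leaked.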
Network Segmentation
Platform: All
Isolate the ePO server from untrusted networks and restrict console access (by default TCP 8443) to the administrative network with firewall rules that allow only authorised source IPs. This does not remove the CSRF flaw, but it means a forged request can only succeed from a browser that is already on the administrative network.
🧯 If You Can't Patch
- Implement strict network segmentation to limit ePO server access to trusted administrative networks only
- Enable detailed logging and monitoring for user creation events, especially administrative account additions
🔍 How to Verify
Check if Vulnerable:
In the ePO console, open Help → About ePolicy Orchestrator. Any version earlier than 5.10.0 CP1 Update 2 is vulnerable.
Check Version:
Help → About ePolicy Orchestrator shows the installed version and update level.
Verify Fix Applied:
After patching, Help → About must show 5.10.0 CP1 Update 2 or later. As a functional check, confirm that a user-creation POST submitted from a page on another origin (with the administrator's session cookie attached) is rejected rather than creating the account.
📡 Detection & Monitoring
Log Indicators:
- Unexpected user creation events, especially administrative accounts
- Multiple failed login attempts followed by successful administrative account creation
- User creation requests from unusual IP addresses or user contexts
Network Indicators:
- HTTP POST requests to user creation endpoints whose Origin or Referer header is missing or names a host other than the ePO console
- Administrative account creation that follows such a cross-origin POST within a few seconds
SIEM Query:
source="ePO_logs" AND ((event_type="user_creation" AND user_role="administrator") OR (http_method="POST" AND uri="/core/userAdmin.do" AND NOT referer="https://<epo-host>*"))
Field names are illustrative and must be mapped to your log schema. Note the outer parentheses: without them the second clause is not restricted to the ePO source. A forged request is recognised by its Origin/Referer not matching the console host; no log source emits a ready-made "parameter tampering" flag.
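As an added example (not part of the page or of any vendor tooling), the detection logic above run over constructed sample lines: the log format, hostnames, endpoint path and administrative network are assumptions, and the lines are fabricated to show the pattern of a cross-origin POST to the user-admin endpoint followed immediately by an administrator being created.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

EPO_HOST = "epo.example.internal"                    # assumed console hostname
USER_ADMIN_PATHS = {"/core/userAdmin.do"}            # assumed; path from the SIEM query above
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed administrative network

# Constructed sample records (not real ePO output): timestamp, record type,
# then key=value pairs.  Line 3 is the forged POST, line 4 the admin it created.
SAMPLE_LOGS = """\
2023-10-11T09:13:58Z http src=10.10.0.15 method=POST path=/core/userAdmin.do origin=https://epo.example.internal:8443 status=200
2023-10-11T09:13:58Z audit actor=epo.admin src=10.10.0.15 action=user.create target=helpdesk2 role=Reviewer
2023-10-11T09:14:01Z http src=10.10.0.15 method=POST path=/core/userAdmin.do origin=https://attacker.example status=200
2023-10-11T09:14:01Z audit actor=epo.admin src=10.10.0.15 action=user.create target=backupadm role=Administrator
2023-10-11T09:20:44Z audit actor=helpdesk1 src=10.20.5.7 action=user.create target=svc-ops role=Administrator
2023-10-11T09:21:10Z http src=10.10.0.15 method=GET path=/core/userAdmin.do origin=- status=200
"""


def parse_line(line):
    ts, kind, rest = line.split(" ", 2)
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields.update(ts=ts, kind=kind)
    return fields


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def origin_host(value):
    """Hostname from an Origin/Referer value; None when absent ('-')."""
    return urlsplit(value).hostname if value and value != "-" else None


def detect(text):
    """Apply the three log/network indicators; one alert tuple per match."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec["kind"] == "audit" and rec.get("action") == "user.create":
            if rec.get("role") == "Administrator":
                alerts.append(("admin_account_created", rec["ts"], rec["actor"], rec["target"]))
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in ADMIN_NETS):
                alerts.append(("user_created_from_unusual_src", rec["ts"], rec["actor"], rec["src"]))
        elif (rec["kind"] == "http" and rec.get("method") == "POST"
              and rec.get("path") in USER_ADMIN_PATHS):
            host = origin_host(rec.get("origin"))
            if host != EPO_HOST:   # missing header counts as suspicious too
                alerts.append(("cross_origin_user_admin_post", rec["ts"], rec["src"], host or "(none)"))
    return alerts


def correlate(alerts, window_s=5):
    """Pair each cross-origin user-admin POST with an administrator creation
    that follows within window_s seconds: the shape of a successful CSRF add."""
    posts = [a for a in alerts if a[0] == "cross_origin_user_admin_post"]
    creates = [a for a in alerts if a[0] == "admin_account_created"]
    hits = []
    for post in posts:
        for create in creates:
            delta = (parse_ts(create[1]) - parse_ts(post[1])).total_seconds()
            if 0 <= delta <= window_s:
                hits.append((post[1], create[3]))
    return hits


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print("likely CSRF admin adds:", correlate(found))
```

The single-record rules are noisy on their own (administrators do create administrators), so the correlation in `correlate` is what should page someone: a cross-origin POST to the user-admin endpoint and a new administrator within the same few seconds.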