CVE-2024-4844
📋 TL;DR
This vulnerability allows attackers with administrative privileges on the Trellix ePolicy Orchestrator server to access the database encryption key by reading the orion.keystore file using hardcoded credentials. Only ePO on-premise installations prior to version 5.10 Service Pack 1 Update 2 are affected. Exploitation requires local admin access to the ePO server.
💻 Affected Systems
- Trellix ePolicy Orchestrator (ePO) on Premise
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access could decrypt the ePO database, potentially accessing sensitive security data, configuration details, and managed endpoint information, leading to complete compromise of the security management system.
Likely Case
A malicious insider or compromised admin account could access the encryption key, potentially enabling further attacks against the ePO infrastructure or exfiltration of sensitive security management data.
If Mitigated
With proper access controls and admin account security, the vulnerability remains dormant as it requires admin privileges to exploit.
🎯 Exploit Status
Exploitation requires existing administrative access to the ePO server. The hardcoded password allows reading the keystore file to extract the database encryption key.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.10 Service Pack 1 Update 2 or later
Vendor Advisory: https://thrive.trellix.com/s/article/000013505
Restart Required: Yes
Instructions:
1. Download ePO 5.10 Service Pack 1 Update 2 or later from the Trellix support portal.
2. Back up the ePO database and configuration.
3. Run the installer with administrative privileges.
4. Follow the upgrade wizard.
5. Restart the ePO server after installation completes.
🔧 Temporary Workarounds
Restrict keystore file permissions
Windows: Apply strict file system permissions to the orion.keystore file to prevent unauthorized reading.
icacls "C:\Program Files\McAfee\ePolicy Orchestrator\DB\orion.keystore" /inheritance:r /grant:r "NT AUTHORITY\SYSTEM":F "BUILTIN\Administrators":R
🧯 If You Can't Patch
- Implement strict access controls on ePO admin accounts and monitor for suspicious activity.
- Apply file system permissions to restrict access to the orion.keystore file to only necessary system accounts.
🔍 How to Verify
Check if Vulnerable:
Check ePO version via ePO console: Help → About ePolicy Orchestrator. If version is earlier than 5.10.0.2819, you are vulnerable.
Check Version:
Check ePO console or registry: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\ePolicy Orchestrator\CurrentVersion
Verify Fix Applied:
Verify version is 5.10.0.2819 or later in Help → About ePolicy Orchestrator. Confirm the orion.keystore file has updated permissions if workaround was applied.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns to orion.keystore
- Suspicious admin account activity on ePO server
- Failed attempts to access keystore file
Network Indicators:
- Unusual database connection patterns from ePO server
- Suspicious outbound connections after potential key extraction
SIEM Query:
EventID=4663 AND ObjectName="*orion.keystore*" AND AccessMask=0x1
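The SIEM query above as a small detection routine run over constructed event 4663 records (an added example, not code from this page or from Trellix). It assumes object-access auditing and a SACL on orion.keystore are enabled so 4663 events exist, and that the ePO services run as Local System; it tests the ReadData bit (0x1) bitwise rather than by exact match, so a read logged with a combined mask such as 0x20089 is still caught, and it suppresses the expected reads by the service account itself.

```python
import fnmatch

FILE_READ_DATA = 0x1          # ReadData bit of the 4663 AccessMask
KEYSTORE_GLOB = "*orion.keystore"
# Accounts expected to read the keystore in normal operation. Assumption:
# ePO services run as Local System; adjust to the configured service account.
EXPECTED_READERS = {("NT AUTHORITY", "SYSTEM")}
KEYSTORE = r"C:\Program Files\McAfee\ePolicy Orchestrator\DB\orion.keystore"

# Constructed sample records shaped like exported Security event fields.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "ObjectName": KEYSTORE, "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectName": KEYSTORE, "AccessMask": "0x20089"},   # ReadData|ReadEA|ReadAttr|Sync
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectName": r"C:\Temp\notes.txt", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "backup",
     "ObjectName": KEYSTORE, "AccessMask": "0x80"},      # ReadAttributes only
    {"EventID": 4656, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectName": KEYSTORE, "AccessMask": "0x1"},       # handle request, not a read
]


def is_keystore_read(event):
    """True if the record is a 4663 event exercising ReadData on orion.keystore."""
    if event.get("EventID") != 4663:
        return False
    if not fnmatch.fnmatch(event.get("ObjectName", "").lower(), KEYSTORE_GLOB):
        return False
    try:
        mask = int(event.get("AccessMask", "0"), 16)   # hex string, e.g. "0x20089"
    except ValueError:
        return False
    return bool(mask & FILE_READ_DATA)


def find_unexpected_reads(events):
    """Return one alert string per keystore read by an account not in EXPECTED_READERS."""
    alerts = []
    for e in events:
        if not is_keystore_read(e):
            continue
        who = (e.get("SubjectDomainName", ""), e.get("SubjectUserName", ""))
        if who not in EXPECTED_READERS:
            alerts.append(f"{who[0]}\\{who[1]} read {e['ObjectName']} (AccessMask {e['AccessMask']})")
    return alerts


if __name__ == "__main__":
    for line in find_unexpected_reads(SAMPLE_EVENTS):
        print(line)
```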