Threat Center Security News Format String Vulnerability in McAfee
Format String Vulnerability in McAfee Print E-mail
Written by Rebecca Mints   
Thursday, 13 March 2008 16:21

A vulnerability has been discovered in McAfee ePolicy Orchestrator that causes a DoS.  It was discovered by Luigi Auriemma.

A format string error is the method of deployment for this vulnerability, due to an error within the McAfee Framework Service (FrameworkService.exe).  It can be exploited through carefully crafted packets containing format string specifiers sent to default port 8082/UDP.

Arbitrary code may be executed and exploitation crashes the McAfee Framework.  The vulnerability has been confirmed in McAfee ePolicy Orchestrator version 4.0.0 (build 1015) and includes FrameworkService.exe version  Others may also be susceptible.  A suggested solution to the problem is to restrict network access to the service.


McAfee ePolicy Orchestrator Framework Service Format String Vulnerability

WTW Threat Level