Release Notes for McAfee(R) ePolicy Orchestrator(TM)
Version 2.5.1 Patch 14
(C) Copyright 2004 Networks Associates Technology, Inc. All Rights Reserved

=====================================================
This release was developed and tested with:

   ePolicy Orchestrator: 2.5.1

Make sure you have installed one of these versions before using this release.
=====================================================

Thank you for using the ePolicy Orchestrator(TM) software. This file contains important information regarding this release. We strongly recommend that you read the entire document.

The attached files are provided as is, and with no warranty either expressed or implied as to their suitability for any particular use or purpose. Network Associates, Inc. assumes no liability for damages incurred either directly or indirectly as a result of the use of these files, including but not limited to the loss or damage of data or systems, loss of business or revenue, or incidental damages arising from their use.

Patch files should be applied only on the advice of McAfee Security Technical Support, and only when you are actually experiencing the issue being addressed by the Patch. Patch files should not be proactively applied in order to prevent potential product issues. You are responsible for reading and following all instructions for preparation, configuration, and installation of Patch files. Patch files are not a substitute or replacement for product Service Packs which may be released by Network Associates, Inc.

It is a violation of your software license agreement to distribute or share these files with any other person or entity without written permission from Network Associates, Inc. Further, posting of McAfee Security Patch files to publicly available Internet sites is prohibited. Network Associates, Inc. reserves the right to refuse distribution of Patch files to any company or person guilty of unlawful distribution of McAfee software products.

Questions or issues with McAfee Patch files should be directed to McAfee Security Technical Support.

_____________________________________________________

WHAT'S IN THIS FILE

- About This Release
  - Purpose
  - Resolved Issues
  - Additional Resolved Issues
  - Language Support
  - Files Included with This Release
- Installation
  - Installation Requirements
  - Installation Steps
  - Installing the Patch
  - Securing ePolicy Orchestrator SQL Server Logins
  - Testing Your Installation
  - Removing This Release
- Contacting McAfee Security and Network Associates
- Copyright and Trademark Attributions
  - Trademarks
  - License Agreement and Attributions

_____________________________________________________

ABOUT THIS RELEASE

PURPOSE

This Patch replaces agent and server files in ePolicy Orchestrator to resolve the issues listed below.

RESOLVED ISSUES

1. ISSUE: This release addresses the McAfee ePolicy Orchestrator Remote Command Execution Vulnerability; vulnerability identifier: CVE-2004-0038.
   RESOLUTION: This vulnerability no longer exists.

ADDITIONAL RESOLVED ISSUES

1. This release addresses the McAfee ePolicy Orchestrator HTTP POST Buffer Mismanagement Vulnerability. Vulnerability identifier: CVE-2004-0095.

2. ePolicy Orchestrator MSDE SA Account Compromise -- The default installation of MSDE, via ePolicy Orchestrator, configures the connection between the ePolicy Orchestrator server and MSDE to use the SA account. A knowledgeable user could obtain the SA password for this account. The ePolicy Orchestrator server configuration file, encrypted with 3DES, can be obtained by issuing a carefully targeted HTTP request to the ePolicy Orchestrator server. It is then possible to decrypt this file and obtain the password by reverse engineering the product. Vulnerability identifier: CAN-2003-0148

3. ePolicy Orchestrator 2.X Post Parameters Heap Overflow -- Sending a POST request to the ePolicy Orchestrator agent, where parameters in the URL are substituted with a large number of A's, will cause the service to stop responding. A carefully targeted request will allow an attacker to overwrite arbitrary data and thus execute code. Vulnerability identifier: CAN-2003-0149

4. ePolicy Orchestrator 2.X Computerlist Format String -- Sending a POST request to the ePolicy Orchestrator server, where the computerlist parameter contains a few format characters, will cause the ePolicy Orchestrator server service to stop responding when it tries to log a failed name resolution. A maliciously constructed string containing format string characters will allow the execution of arbitrary code. Vulnerability identifier: CAN-2003-0616

5. ISSUE: When trying to create the event file name NAIFFFF.EVT, the ePolicy Orchestrator agent writes the file over and over, causing VirusScan to use 100% CPU.
   RESOLUTION: The agent now properly writes the file.

6. ISSUE: During the agent callback, when the version number was the same for the property files, a ##delete## was entered into the incremental property file, causing the properties to be removed from ePolicy Orchestrator.
   RESOLUTION: The agent no longer enters ##delete## when the properties are the same.

7. ISSUE: When using the following strings in a browser window, the agent displays a Dr. Watson message:

      http://:8081/%s%x%n
      http://:8081/%x%s%n
      http://:8081/%.516x

   RESOLUTION: The strings no longer cause the message to appear.

8. ISSUE: Even though the randomization setting was enabled, a majority of the agents would still synchronize when performing tasks.
   RESOLUTION: The agent now has a more varied randomization period.

9. ISSUE: Under certain circumstances, if the agent tried to enforce policies and compile them at the same time, policy corruption might occur.
   RESOLUTION: The agent no longer enforces policies while it is compiling.

10. ISSUE: Under certain conditions, NAIMSERV.EXE tries to release memory twice, causing an access violation error that can cause the server to crash.
    RESOLUTION: NAIMSERV.EXE no longer releases memory twice.

11. ISSUE: A single ADO connection was performing multiple database operations at once, causing a variety of issues, including properties from agents being reported incorrectly and the ePolicy Orchestrator server ceasing to respond.
    RESOLUTION: A single connection now performs only one database operation at a time. This eliminates the issues above and improves overall performance.
    ADDITIONAL INFORMATION: The agent wakeup call now includes a "Get full Props" option, which requests complete properties.

12. ISSUE: If the public key data for the ePolicy Orchestrator server was not entered into the database the first time the agent sent it to the server, the message "Invalid Server Public Key...Package ignored from " was saved in SERVER.LOG at every agent-to-server communication interval (ASCI). When this situation occurred, the server would no longer accept data from the agent.
    RESOLUTION: The server now checks the size of the key and, if it is empty, requests that the agent resend it.

13. ISSUE: "Failed to enforce policies" and "Failed to get properties" messages were incorrectly reported in the "Server Event Viewer," and the following events (alerts) were incorrectly saved in the ePolicy Orchestrator database even though policy and task enforcement and property collection completed successfully:

       2232 -- ePolicy Orchestrator Agent: Enforce Policy Failed
       2264 -- ePolicy Orchestrator Agent: Property Collection Failed
       2328 -- ePolicy Orchestrator Agent: Enforce Task Failed

    RESOLUTION: These incorrect messages are no longer reported in the "Server Event Viewer." Although the incorrect events are still generated, you can now filter them so that they are no longer collected.
    ADDITIONAL INFORMATION: To filter these events, do the following:

    1. Log on to the desired ePolicy Orchestrator database server using "ePO authentication" and a global administrator account.
    2. In the console tree under "ePO Reports," "ePO Databases," click "Alerts." The "Alerts" dialog box appears in the details pane.
    3. On the "Filtering" tab, deselect the checkboxes that correspond to events 2232, 2264, and 2328.
    4. Click "Apply."

    Beginning at the next agent-to-server communication interval (ASCI), these events will no longer be collected. Events that are already in the database are not affected.

14. ISSUE: If an ePolicy Orchestrator server was using two network cards and, thus, two IP addresses (for example, one network card for a remote SQL Server database and another for the managed network), the first binding IP address was always used for agent-to-server communication. If this IP address was not associated with the network card being used for the managed network, agents were unable to communicate with the server.
    RESOLUTION: Now, if a value is defined for "ServerIPAddress=" in SERVER.INI, agents use it to connect to the server. Otherwise, the first binding IP address is used.
    ADDITIONAL INFORMATION: To specify an IP address in SERVER.INI, do the following:

    1. In a text editor, open SERVER.INI. This file is located in the DB folder in the installation directory. The default installation directory is:

          C:\PROGRAM FILES\MCAFEE\EPO\2.0

    2. Type the following line in SERVER.INI, then save the file:

          SERVERIPADDRESS=

    3. In the "Services" dialog box, select the "McAfee ePolicy Orchestrator 2.5.1 Server" service, click "Stop," then click "Start" to restart the service.
    4. Deploy the agent or SITEINFO.INI to affected client computers.

15. ISSUE: If agents sent an empty event file to the ePolicy Orchestrator server, the server might stop responding.
    RESOLUTION: The server now ignores empty event files and logs a message in SERVER.LOG.

16. ISSUE: A SELECT statement was used after events were added to the database. This statement slowed down server performance unnecessarily.
    RESOLUTION: A SELECT statement is no longer used.

17. ISSUE: The virus definition (DAT) file version number for the Nimda Scanner (5000) was being prefilled in the "Current Protection Standards" dialog box and was causing DAT files to be reported as out-of-date. This dialog box appears when you run the "DAT/Definition Deployment Summary," "DAT Engine Coverage," or "Engine Deployment Summary" reports.
    RESOLUTION: The DAT version number is no longer prefilled in the "Current Protection Standards" dialog box.

LANGUAGE SUPPORT

This release supports all language versions of the ePolicy Orchestrator software.

FILES INCLUDED WITH THIS RELEASE

This release consists of a package called EPO25114.ZIP, which contains the following files:

   EPO25114.EXE  = Setup program
   EPOSQLSEC.SQL = SQL script
   PACKING.LST   = List of Patch files
   PATCH14.TXT   = This text file

_____________________________________________________

INSTALLATION

INSTALLATION REQUIREMENTS

To use this release, you must have ePolicy Orchestrator 2.5.1 software installed on the ePolicy Orchestrator server that you intend to update with this release.

NOTE: This release does not work with earlier versions of the ePolicy Orchestrator software.

INSTALLATION STEPS

1. Create a temporary folder on the hard drive of the ePolicy Orchestrator server.
2. Extract the EPO25114.ZIP file to the temporary folder that you created in Step 1.

INSTALLING THE PATCH

WARNING: Close the Windows Services dialog box to avoid installation issues.

1. Back up ePolicy Orchestrator databases. If you are using Microsoft SQL Server as the ePolicy Orchestrator database, see the SQL Server product documentation. If you are using Microsoft Data Engine (MSDE) as the ePolicy Orchestrator database, you can use the Database Backup Utility (DBBAK.EXE) to back up ePolicy Orchestrator MSDE databases on the database server. For instructions, see "Backing up ePolicy Orchestrator MSDE databases" in the ePolicy Orchestrator 3.0 Product Guide.
2. Log on to the desired computer using a user account with local administrator permissions.
3. Close all ePolicy Orchestrator consoles.
4. On the taskbar, click the "Start" button, then point to "Run." The "Run" dialog box appears.
5. In "Open," type the path where the Setup program (EPO25114.EXE) is located, then click "OK." The "ePolicy Orchestrator 2.x Patch 14 Setup" wizard appears.
6. Click "Next" to begin the installation.
7. Click "Finish" to complete the installation.
8. In the "Services" dialog box, select the "NAI ePolicy Orchestrator 2.5.1 Server" service and edit the service to change the account back to the original setting. For example, if you specified a domain administrator account during the initial installation, you need to provide that account information again. The account is not automatically restored.

SECURING EPOLICY ORCHESTRATOR SQL SERVER LOGINS

If you installed MSDE as part of the ePolicy Orchestrator installation, you need to complete these steps if you are using SQL authentication.

1. In a text editor, open the EPOSQLSEC.SQL file from the temporary folder you created in Step 1 of "Installation Steps." It contains these lines:

      EXEC sp_addlogin '', '', ''
      EXEC sp_grantdbaccess ''
      EXEC sp_addrolemember 'db_owner', ''

2. Replace the variable with a user name for a new SQL Server user account (login). This variable appears three times.
3. Replace the variable with a password for the new user account. This variable appears once.
4. Replace the variable with the name of the ePolicy Orchestrator database. The default database name is EPO_, where is the name of the ePolicy Orchestrator server. This variable appears once.

   For example, if the user name is EPODBO, the password is T2M0912, and the database name is ePO_MANAGE, the resulting file would be:

      EXEC sp_addlogin 'EPODBO', 'T2M0912', 'ePO_MANAGE'
      EXEC sp_grantdbaccess 'EPODBO'
      EXEC sp_addrolemember 'db_owner', 'EPODBO'

5. Save the file.
6. At the command prompt, run the following command:

   NOTE: This command is case-sensitive.

      OSQL -d -U -P -iEPOSQLSEC.SQL

   Where is the name of the ePolicy Orchestrator database. The default database name is EPO_, where is the name of the ePolicy Orchestrator server. And where and are the user name and password of an account with system administrator permissions on the database. And where is the location of the EPOSQLSEC.SQL file.

   For example, if the ePolicy Orchestrator database name is ePO_MANAGE, the user name is SA, the password is 53cr3t, and the EPOSQLSEC.SQL file is in C:\TEMP, the resulting command would be:

      OSQL -dePO_MANAGE -USA -P53cr3t -iC:\TEMP\EPOSQLSEC.SQL

7. Start the Server Configuration program (CFGNAIMS.EXE). The default location is:

      C:\PROGRAM FILES\MCAFEE\EPO\2.0

8. Click the "Administrator" tab.
9. Select "Use SQL authentication."
10. In "User name," type the value you provided for the variable in Step 3.
11. In "Password," type the value you provided for the variable in Step 4.
12. Click "OK."

TESTING YOUR INSTALLATION

As agents communicate with the ePolicy Orchestrator server, they are automatically upgraded. If you wish to deploy the Patch immediately, you must use an agent wakeup call or deploy the new POAGINST.EXE file with a software distribution tool. The new POAGINST.EXE file created by the installation process can be located in your ePolicy Orchestrator installation directory. The default location is:

   C:\PROGRAM FILES\MCAFEE\EPO\2.0\DB\SOFTWARE\EPOAGENT2000\2.5.1.298\0409\INSTALLFILES\POAGINST.EXE

REMOVING THIS RELEASE

To remove this Patch from your computer, uninstall, then reinstall ePolicy Orchestrator.
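Returning to the "Securing ePolicy Orchestrator SQL Server Logins" procedure above: the steps have you hand-edit EPOSQLSEC.SQL and then feed it to OSQL as SA, and a script with an unreplaced variable (an empty '' literal) or a value containing a single quote will break or silently do the wrong thing. The following Python script is an added illustration, not a McAfee tool and not part of the patch: it renders the three statements from the user name, password and database name, checks the result for unfilled literals before it goes anywhere near the database, and builds the Step 6 command line. The function names (render_eposqlsec, audit_script, osql_command) are my own; the statement shapes, the shipped file contents and the sample values (EPODBO, T2M0912, ePO_MANAGE, C:\TEMP) come from the release notes.

```python
"""Fill in and sanity-check EPOSQLSEC.SQL for the "Securing ePolicy
Orchestrator SQL Server Logins" procedure.

Added illustration, not a McAfee tool. It produces the three T-SQL
statements the procedure has you edit by hand and audits the result
before it goes to OSQL, so that the ePolicy Orchestrator server ends up
connecting as a dedicated login with db_owner on its own database rather
than as SA.
"""
import re

# One T-SQL single-quoted literal. A doubled '' inside the body is an
# escaped quote, not a terminator, so 'O''Brien' is a single literal.
_LITERAL = re.compile(r"'((?:[^']|'')*)'")

# The file as shipped in EPO25114.ZIP, with its variables still unfilled.
SHIPPED_EPOSQLSEC = (
    "EXEC sp_addlogin '', '', ''\n"
    "EXEC sp_grantdbaccess ''\n"
    "EXEC sp_addrolemember 'db_owner', ''\n"
)


def tsql_literal(value: str) -> str:
    """Quote value as a T-SQL string literal, doubling embedded quotes."""
    if not value:
        raise ValueError("value must not be empty")
    return "'" + value.replace("'", "''") + "'"


def render_eposqlsec(user: str, password: str, database: str) -> str:
    """Return EPOSQLSEC.SQL with the user, password and database filled in.

    Statement shapes are the shipped ones: sp_addlogin creates the login
    with `database` as its default database, sp_grantdbaccess adds it as a
    user of the current database (the one OSQL -d selects), and
    sp_addrolemember puts that user in db_owner.
    """
    u, p, d = (tsql_literal(v) for v in (user, password, database))
    return (
        f"EXEC sp_addlogin {u}, {p}, {d}\n"
        f"EXEC sp_grantdbaccess {u}\n"
        f"EXEC sp_addrolemember 'db_owner', {u}\n"
    )


def unfilled_literals(script: str) -> int:
    """Count empty '' literals, i.e. variables that were never replaced."""
    return sum(1 for m in _LITERAL.finditer(script) if m.group(1) == "")


def audit_script(script: str) -> dict:
    """Summarize what the script would do, for review before running it."""
    lines = [ln for ln in script.splitlines() if ln.strip()]
    logins = set()
    for ln in lines:
        m = re.match(r"EXEC\s+sp_addlogin\s+('(?:[^']|'')*')", ln, re.IGNORECASE)
        if m:
            logins.add(m.group(1)[1:-1].replace("''", "'"))
    login = next(iter(logins)) if len(logins) == 1 else None
    login = login or None  # an unfilled '' is reported as no login at all
    return {
        "statements": len(lines),
        "unfilled": unfilled_literals(script),
        "login": login,
        # The point of the procedure is to stop using SA; flag a script
        # that names it anyway.
        "uses_sa": login is not None and login.lower() == "sa",
    }


def osql_command(database: str, admin_user: str, admin_password: str,
                 script_path: str) -> str:
    """Build the Step 6 OSQL command line. Switches are case-sensitive and
    take their values with no intervening space, as in the release notes."""
    return f"OSQL -d{database} -U{admin_user} -P{admin_password} -i{script_path}"


if __name__ == "__main__":
    # Values from the release notes' own worked example.
    script = render_eposqlsec("EPODBO", "T2M0912", "ePO_MANAGE")
    print(script, end="")
    print(audit_script(script))
    print(osql_command("ePO_MANAGE", "SA", "53cr3t", r"C:\TEMP\EPOSQLSEC.SQL"))
```

Run it against the shipped file and audit_script reports five unfilled literals and no login, which is the state you do not want to hand to OSQL. Note that OSQL prompts for the password when -U is given without -P, so the SA password need not appear on the command line (and in the command history) as it does in the worked example.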
NOTE: We recommend that you do NOT remove the Patch files once you install them. If you reinstall the ePolicy Orchestrator software, we recommend that you also reinstall the Patch.

_____________________________________________________

CONTACTING MCAFEE SECURITY & NETWORK ASSOCIATES

Technical Support
   Home Page: http://www.networkassociates.com/us/support/
   KnowledgeBase Search: https://knowledgemap.nai.com/phpclient/homepage.aspx
   PrimeSupport Service Portal: http://mysupport.nai.com (login credentials required)

McAfee Security Beta Program
   Beta Web Site: http://www.networkassociates.com/us/downloads/beta/
   E-mail: avbeta@nai.com

Security Headquarters -- AVERT (Anti-Virus Emergency Response Team)
   Home Page: http://www.networkassociates.com/us/security/home.asp
   Virus Information Library: http://vil.nai.com
   Submit a Virus Sample -- AVERT WebImmune: https://www.webimmune.net/default.asp
   AVERT DAT Notification Service: http://www.networkassociates.com/us/downloads/updates/

Download Site
   Home Page: http://www.networkassociates.com/us/downloads/
   DAT File and Engine Updates: http://www.networkassociates.com/us/downloads/updates/
                                ftp://ftp.nai.com/pub/antivirus/datfiles/4.x
   Product Upgrades: https://secure.nai.com/us/forms/downloads/upgrades/login.asp (valid grant number required; contact Network Associates Customer Service)

Training
   McAfee Security University: http://www.networkassociates.com/us/services/education/mcafee/university.htm

Network Associates Customer Service
   US, Canada, and Latin America toll-free:
   Phone: +1-888-VIRUS NO or +1-888-847-8766
   Monday - Friday, 8 a.m. - 8 p.m., Central Time
   E-mail: services_corporate_division@nai.com
   Web: http://www.nai.com/us/index.asp
        http://www.networkassociates.com/us/products/mcafee_security_home.htm

For additional information on contacting Network Associates and McAfee Security, including toll-free numbers for other geographic areas, see the documentation that accompanied your original product release.

_____________________________________________________

COPYRIGHT AND TRADEMARK ATTRIBUTIONS

© 2004 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972-963-8000.

TRADEMARKS

Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Appera, AVERT, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon's, Dr Solomon's label, E and Design, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, Event Orchestrator (in Katakana), EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HelpDesk IQ, HomeGuard, Hunter, Impermia, InfiniStream, Intrusion Prevention Through Innovation, IntruShield, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and design, Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, MultiMedia Cloaking, NA Network Associates, Net Tools, Net Tools (in Katakana), NetAsyst, NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Performance Orchestrator, Network Policy Orchestrator, NetXray, NotesGuard, nPO, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey - International, Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, SecureSelect, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail, UnInstaller, VIDS, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What's The State Of Your IDS?, Who's Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer® brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES, INC. OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions

This product includes or may include:

- Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
- Cryptographic software written by Eric Young and software written by Tim J. Hudson.
- Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
- Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
- Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. All rights reserved.
- Software written by Douglas W. Sauder.
- Software developed by the Apache Software Foundation (http://www.apache.org/).
- International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. All rights reserved.
- Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
- FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
- Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
- Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
- Software copyrighted by Expat maintainers.
- Software copyrighted by The Regents of the University of California, (C) 1989.
- Software copyrighted by Gunnar Ritter.
- Software copyrighted by Sun Microsystems(C), Inc.
- Software copyrighted by Gisle Aas. All rights reserved, (C) 1995-2003.
- Software copyrighted by Michael A. Chase, (C) 1999-2000.
- Software copyrighted by Neil Winton, (C) 1995-1996.
- Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
- Software copyrighted by Sean M. Burke, (C) 1999, 2000.
- Software copyrighted by Martijn Koster, (C) 1995.
- Software copyrighted by Brad Appleton, (C) 1996-1999.
- Software copyrighted by Michael G. Schwern, (C) 2001.
- Software copyrighted by Graham Barr, (C) 1998.
- Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
- Software copyrighted by Frodo Looijaard, (C) 1997.

DBN 006-ENG