PT-2021-15592 · McAfee · McAfee Agent

Published: 2021-03-26 · Updated: 2022-05-27 · CVE-2021-23890

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: McAfee ePolicy Orchestrator (ePO) versions prior to 5.10 Update 10
Description: The issue allows an unauthenticated user to download McAfee product packages, specifically McAfee Agent, available in the ePO repository and install them on their own machines so that those machines become managed. The user can then get policy details from the ePO server. The vulnerability is exploitable when the ePO Agent Handler is installed in a Demilitarized Zone (DMZ) to service machines not connected to the network through a VPN.
Recommendations: For versions prior to 5.10 Update 10, update to version 5.10 Update 10 or later to resolve the issue. As a temporary workaround, consider restricting access to the ePO Agent Handler when it is installed in a DMZ, or ensure that machines serviced by the Agent Handler in the DMZ are properly secured and monitored.

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2021-23890

Affected Products

McAfee Agent
McAfee ePolicy Orchestrator
ePO Agent Handler