CVE-2021-23890: 
McAfee ePolicy Orchestrator vulnerability analysis and mitigation

An information leak vulnerability was identified in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to version 5.10 Update 10. The vulnerability, tracked as CVE-2021-23890, was discovered and assigned on January 12, 2021. The vulnerability affects McAfee ePolicy Orchestrator installations, specifically when the ePO Agent Handler is deployed in a Demilitarized Zone (DMZ) configuration (NVD, CVE).

The vulnerability allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) from the ePO repository and install them on their machines. This enables unauthorized systems to be managed by the ePO server and access policy details. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. It is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The exploitation of this vulnerability can lead to unauthorized access to McAfee product packages and policy details from the ePO server. This exposure is particularly significant when the ePO Agent Handler is installed in a DMZ to service machines not connected to the network through a VPN, potentially compromising the security posture of the affected organizations (NVD).

The vulnerability has been addressed in McAfee ePolicy Orchestrator version 5.10 Update 10. Organizations running affected versions should upgrade to the patched version to mitigate this security risk (NVD).