Release Notes for McAfee® ePolicy Orchestrator(TM) Version 2.0, 2.5, and 2.5.1 Patch 2 © 2003 Networks Associates Technology, Inc. All Rights Reserved ===================================================== This release was developed and tested with: ePolicy Orchestrator: 2.0.0, 2.5.0, and 2.5.1 Make sure you have installed one of these versions before using this release. ===================================================== Thank you for using the ePolicy Orchestrator(TM) software. This file contains important information regarding this release. We strongly recommend that you read the entire document. The attached files are provided as is, and with no warranty either expressed or implied as to their suitability for any particular use or purpose. Network Associates, Inc. assumes no liability for damages incurred either directly or indirectly as a result of the use of these files, including but not limited to the loss or damage of data or systems, loss of business or revenue, or incidental damages arising from their use. Patch files should be applied only on the advice of McAfee Security Technical Support, and only when you are actually experiencing the issue being addressed by the Patch. Patch files should not be proactively applied in order to prevent potential product issues. You are responsible for reading and following all instructions for preparation, configuration, and installation of Patch files. Patch files are not a substitute or replacement for product Service Packs which may be released by Network Associates, Inc. It is a violation of your software license agreement to distribute or share these files with any other person or entity without written permission from Network Associates, Inc. Further, posting of McAfee Security Patch files to publicly available Internet sites is prohibited. Network Associates, Inc. reserves the right to refuse distribution of Patch files to any company or person guilty of unlawful distribution of McAfee software products. Questions or issues with McAfee Patch files should be directed to McAfee Security Technical Support. _____________________________________________________ WHAT'S IN THIS FILE - About This Release - Purpose - Language Support - Files Included with This Release - Installation - Installation Requirements - Installation Steps - Installing the Patch - Securing ePolicy Orchestrator SQL Server Logins - Removing This Release - Contacting McAfee Security and Network Associates - Copyright and Trademark Attributions - Trademarks - License Agreement and Attributions _____________________________________________________ ABOUT THIS RELEASE PURPOSE This release addresses the following vulnerabilities: - ePolicy Orchestrator MSDE SA Account Compromise -- The default installation of MSDE, via ePolicy Orchestrator, configures a connection between the ePolicy Orchestrator server and MSDE to use an SA account. The following two steps would allow a knowledgeable user to obtain the SA password to this account. The ePolicy Orchestrator server configuration file, encrypted with 3DES, can be obtained by issuing a carefully targeted HTTP request to the ePolicy Orchestrator server. It is then possible to decrypt this file and obtain the password by reverse engineering the product. Vulnerability identifier: CAN-2003-0148 - ePolicy Orchestrator 2.X Post Parameters Heap Overflow -- Sending a POST request to the ePolicy Orchestrator agent, where parameters in the URL are substituted for a large number of A's will cause the service to stop responding. A carefully targeted request will allow an attacker to overwrite arbitrary data and thus execute code. Vulnerability identifier: CAN-2003-0149 - ePolicy Orchestrator 2.X Computerlist Format String -- Sending a POST request to the ePolicy Orchestrator server, where the computerlist parameter contains a few format characters, will cause the ePolicy Orchestrator server service to stop responding when it tries to log a failed name resolution. A maliciously constructed string containing format string characters will allow the execution of arbitrary code. Vulnerability identifier: CAN-2003-0616 This release also includes the following HotFix and Patch releases for each product version: - Version 2.0 -- Includes HotFix 1 through HotFix 6. If you have installed HotFix 7, 8, 9, 10, 11, or 12, you do NOT need to re-install them. - Version 2.5 -- Does not include any HotFix releases. If you have installed HotFix 1, 2, 3, 4, 5, 6, or 7, you do NOT need to re-install them. - Version 2.5.1 -- Includes Patch 1. LANGUAGE SUPPORT This release supports all language versions of the ePolicy Orchestrator software. FILES INCLUDED WITH THIS RELEASE This release consists of a package called EPO2X2.ZIP, which contains the following files: EPO2XP2.EXE = Setup program EPOSQLSEC.SQL = SQL script PACKING.LST = List of Patch files PATCH2.TXT = This text file _____________________________________________________ INSTALLATION INSTALLATION REQUIREMENTS To use this release, you must have ePolicy Orchestrator 2.0, 2.5, or 2.5.1 software installed on the ePolicy Orchestrator server that you intend to update with this release. NOTE: This release does not work with earlier versions of the ePolicy Orchestrator software. INSTALLATION STEPS 1. Create a temporary folder on the hard drive of the ePolicy Orchestrator server. 2. Extract the EPO2X2.ZIP file to the temporary folder that you created in Step 1. INSTALLING THE PATCH WARNING Close the Windows Services dialog box to avoid installation issues. 1. Back up ePolicy Orchestrator databases. If you are using Microsoft SQL Server as the ePolicy Orchestrator database, see the SQL Server product documentation. If you are using Microsoft Data Engine (MSDE) as the ePolicy Orchestrator database, you can use the Database Backup Utility (DBBAK.EXE) to back up ePolicy Orchestrator MSDE databases on the database server. For instructions, see "Backing up ePolicy Orchestrator MSDE databases" in the ePolicy Orchestrator 3.0 Product Guide. 2. Log on to the desired computer using a user account with local administrator permissions. 3. Close all ePolicy Orchestrator consoles. 4. On the taskbar, click the "Start" button, then point to "Run." The "Run" dialog box appears. 5. In "Open," type the path where the Setup program (EPO2XP2.EXE) is located, then click "OK." The "ePolicy Orchestrator 2.x Patch 2 Setup" wizard appears. 6. Click "Next" to begin the installation. 7. Click "Finish" to complete the installation. 8. In the "Services" dialog box, select the "NAI ePolicy Orchestrator 2.5.1 Server" service and edit the service to change the account back to the original setting. For example, if you specified a domain administrator account during the initial installation, you need to provide that account information again. The account is not automatically restored. SECURING EPOLICY ORCHESTRATOR SQL SERVER LOGINS If you installed MSDE as part of the ePolicy Orchestrator installation, you need to complete these steps. 1. In a text editor, open the EPOSQLSEC.SQL file from the temporary folder you created in Step 1 of "Installation Steps." It contains these lines: EXEC sp_addlogin '', '', '' EXEC sp_grantdbaccess '' EXEC sp_addrolemember 'db_owner', '' 2. Replace the variable with a user name for a new SQL Server user account (login). This variable appears three times. 3. Replace the variable with a password for the new user account. This variable appears once. 4. Replace the variable with the name of the ePolicy Orchestrator database. The default database name is EPO_, where is the name of the ePolicy Orchestrator server. This variable appears once. For example, if the user name is EPODBO, the password is T2M0912, and the database name is ePO_MANAGE, the resulting file would be: EXEC sp_addlogin 'EPODBO', 'T2M0912', 'ePO_MANAGE' EXEC sp_grantdbaccess 'EPODBO' EXEC sp_addrolemember 'db_owner', 'EPODBO' 5. Save the file. 6. At the command prompt, run the following command: NOTE This command is case-sensitive. OSQL -d -U -P -iEPOSQLSEC.SQL Where is the name of the ePolicy Orchestrator database. The default database name is EPO_, where is the name of the ePolicy Orchestrator server. And where and are the user name and password of an account with system administrator permissions on the database. And where is the location of the EPOSQLSEC.SQL file. For example, if the ePolicy Orchestrator database name is ePO_MANAGE, the user name is SA, the password is 53cr3t, and the EPOSQLSEC.SQL file is in C:\TEMP, the resulting command would be: OSQL -dePO_MANAGE -USA -P53cr3t -iC:\TEMP\EPOSQLSEC.SQL 7. Start the Server Configuration program (CFGNAIMS.EXE). The default location is: C:\PROGRAM FILES\MCAFEE\EPO\2.0 8. Click the "Administrator" tab. 9. Select "Use SQL authentication." 10. In "User name," type the value you provided for the variable in Step 3. 11. In "Password," type the value you provided for the variable in Step 4. 12. Click "OK." REMOVING THIS RELEASE To remove this Patch from your computer, uninstall, then reinstall ePolicy Orchestrator. NOTE: We recommend that you do NOT remove the Patch files once you install them. If you reinstall the ePolicy Orchestrator software, we recommend that you also reinstall the Patch. _____________________________________________________ CONTACTING MCAFEE SECURITY & NETWORK ASSOCIATES Technical Support Home Page http://www.networkassociates.com/us/support/ KnowledgeBase Search https://knowledgemap.nai.com/phpclient/homepage.aspx PrimeSupport Service Portal http://mysupport.nai.com Login credentials required. McAfee Security Beta Program Beta Web Site http://www.networkassociates.com/us/downloads/beta/ E-mail avbeta@nai.com Security Headquarters -- AVERT (Anti-Virus Emergency Response Team) Home Page http://www.networkassociates.com/us/security/home.asp Virus Information Library http://vil.nai.com Submit a Virus Sample – AVERT WebImmune https://www.webimmune.net/default.asp AVERT DAT Notification Service http://www.networkassociates.com/us/downloads/updates/ Download Site Home Page http://www.networkassociates.com/us/downloads/ DAT File and Engine Updates http://www.networkassociates.com/us/downloads/updates/ ftp://ftp.nai.com/pub/antivirus/datfiles/4.x Product Upgrades https://secure.nai.com/us/forms/downloads/upgrades/login.asp Valid grant number required. Contact Network Associates Customer Service Training McAfee Security University http://www.networkassociates.com/us/services/education/mcafee/university.htm Network Associates Customer Service US, Canada, and Latin America toll-free: Phone: +1-888-VIRUS NO or +1-888-847-8766 Monday - Friday, 8 a.m. - 8 p.m., Central Time E-mail: services_corporate_division@nai.com Web: http://www.nai.com/us/index.asp http://www.networkassociates.com/us/products/mcafee_security_home.htm For additional information on contacting Network Associates and McAfee Security – including toll-free numbers for other geographic areas – see the documentation that accompanied your original product release. _____________________________________________________ COPYRIGHT AND TRADEMARK ATTRIBUTIONS © 2003 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972- 963-8000. TRADEMARKS Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Appera, AVERT, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, E and Design, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, Event Orchestrator (in Katakana), EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HelpDesk IQ, HomeGuard, Hunter, Impermia, InfiniStream, Intrusion Prevention Through Innovation, IntruShield, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and design, Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, MultiMedia Cloaking, NA Network Associates, Net Tools, Net Tools (in Katakana), NetAsyst, NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Performance Orchestrator, Network Policy Orchestrator, NetXray, NotesGuard, nPO, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey – International, Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, SecureSelect, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail, UnInstaller, VIDS, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What's The State Of Your IDS?, Who’s Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer® brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES, INC. OR THE PLACE OF PURCHASE FOR A FULL REFUND. Attributions This product includes or may include: - Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openss1.org/). - Cryptographic software written by Eric Young (eay@cryptsoft.com) and software written by Tim J. Hudson (tjh@cryptsoft.com). - Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. - Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. - Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. All rights reserved. - Software written by Douglas W. Sauder. - Software developed by the Apache Software Foundation (http://www.apache.org/). - International Components for Unicode ("ICU") Copyright © 1995-2002 International Business Machines Corporation and others. All rights reserved. - Software developed by CrystalClear Software, Inc., Copyright © 2000 CrystalClear Software, Inc. - FEAD® Optimizer® technology, Copyright Netopsystems AG, Berlin, Germany. DBN 006-ENG