CVE-2003-0148

Severity Score

7.2

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The default installation of MSDE via McAfee ePolicy Orchestrator 2.0 through 3.0 allows attackers to execute arbitrary code via a series of steps that (1) obtain the database administrator username and encrypted password in a configuration file from the ePO server using a certain request, (2) crack the password due to weak cryptography, and (3) use the password to pass commands through xp_cmdshell.

La instalación por defecto de MSDE mediante McAfee ePolicy Orchestrator 2.0 a 3.0 permite a atacantes ejecutar código arbitrario mediante una serie de pasos que:
obtienen el nombre de usuario y la contraseña del adminstrador de la base de datos de un fichero de configuración del servidor ePO usando una cierta petición,
cascan la contraseña debido a criptografía débil, y
usan la contraseña para pasar comandos mediante xp_cmdshell

*Credits: N/A

CVSS Scores

NISTv2 7.2

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2003-03-17 CVE Reserved
2003-08-01 CVE Published
2023-03-08 EPSS Updated
2024-08-08 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
http://www.atstake.com/research/advisories/2003/a073103-1.txt	2008-09-10
http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp	2008-09-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				2.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "2.0"		-		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				2.5 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "2.5"		-		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				2.5 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "2.5"		sp1		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				2.5.1 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "2.5.1"		-		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				3.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "3.0"		-		Affected