McAfee ePolicy Orchestrator 4.0.0 and McAfee Framework Service 18.104.22.1689 contain a format string vulnerability in the Framework Service that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with the privileges of the affected service, likely to be SYSTEM.
The vulnerability exists due to a format string error in the Framework Service of the ePolicy Orchestrator product. An attacker may exploit this vulnerability by sending malicious packets containing format string specifiers to the affected service. An exploit could allow the attacker to cause the Framework Service to terminate or execute arbitrary code with the privileges of the affected service, likely to be SYSTEM.
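The bug class described above, shown as an added example rather than code from McAfee or from the original advisory: a network-supplied string used as a format string, next to the corrected call and a heuristic that counts conversion specifiers in untrusted input. All function names and the sample payload are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative names only; this is not McAfee code. */

#ifdef SHOW_VULNERABLE   /* excluded from the default build */
/* BAD: peer-controlled bytes are the format string, so conversion
   specifiers inside the packet are interpreted by snprintf(). */
int format_log_vulnerable(char *out, size_t outsz, const char *payload)
{
    return snprintf(out, outsz, payload);
}
#endif

/* GOOD: constant format string; the payload is only ever data. */
int format_log_safe(char *out, size_t outsz, const char *payload)
{
    return snprintf(out, outsz, "%s", payload);
}

/* Heuristic for logging or filtering: count printf-style conversion
   specifiers in untrusted bytes, treating "%%" as a literal percent. */
size_t count_format_specifiers(const char *buf, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] != '%')
            continue;
        if (buf[i + 1] == '%') { i++; continue; }
        size_t j = i + 1;
        /* skip flags, width, precision and length modifiers */
        while (j < len && buf[j] && strchr("-+ #0123456789.*$hlLqjzt", buf[j]))
            j++;
        if (j < len && buf[j] && strchr("diouxXeEfgGaAcspn", buf[j])) {
            hits++;
            i = j;
        }
    }
    return hits;
}

int main(void)
{
    const char *pkt = "%x.%x.%n";   /* constructed sample payload */
    char line[64];
    format_log_safe(line, sizeof line, pkt);
    printf("logged verbatim: %s (specifiers: %zu)\n",
           line, count_format_specifiers(pkt, strlen(pkt)));
    return 0;
}
```

The specifier count is a detection aid for traffic or log review; the fix for this bug class is the constant format string.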
Proof-of-concept code that demonstrates the DoS condition is publicly available.
McAfee has not confirmed this vulnerability and updates are not available.