
CVE-2021-31842

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Published: Sep 17, 2021 | Modified: Nov 07, 2023
CVSS 3.x: 5.5 MEDIUM (Source: NVD)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x: 2.1 LOW
Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P

XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process.

Weakness

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Affected Software

Name               Vendor   Start Version                     End Version
Endpoint_security  Mcafee   *                                 10.7.0 (excluding)
Endpoint_security  Mcafee   10.7.0-april_2020 (including)     10.7.0-april_2020 (including)
Endpoint_security  Mcafee   10.7.0-april_2021 (including)     10.7.0-april_2021 (including)
Endpoint_security  Mcafee   10.7.0-february_2020 (including)  10.7.0-february_2020 (including)
Endpoint_security  Mcafee   10.7.0-february_2021 (including)  10.7.0-february_2021 (including)
Endpoint_security  Mcafee   10.7.0-july_2020 (including)      10.7.0-july_2020 (including)
Endpoint_security  Mcafee   10.7.0-june_2021 (including)      10.7.0-june_2021 (including)
Endpoint_security  Mcafee   10.7.0-november_2020 (including)  10.7.0-november_2020 (including)
Endpoint_security  Mcafee   10.7.0-september_2020 (including) 10.7.0-september_2020 (including)
