CVE-2020-7263 : Improper access control vulnerability in ESconfigTool.exe in McAfee Endpoint Sec

Improper access control vulnerability in ESconfigTool.exe in McAfee Endpoint Security (ENS) for Windows all current versions allows local administrator to alter ENS configuration up to and including disabling all protection offered by ENS via insecurely implemented encryption of configuration for export and import.

Published 2020-04-01 07:15:13

Updated 2022-06-02 20:27:30

Source McAfee (DEFUNCT)

View at NVD, CVE.org

Products affected by CVE-2020-7263

Mcafee » Endpoint Security » Version: 10.5.0 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.0:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.5.1 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.1:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.5.2 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.2:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.5.3 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.3:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.5.4 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.4:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.5.5 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.5:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.0 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.0:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.7.0 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.7.0:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:*:*:*:*:windows:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-7263

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 24 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7263

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H	0.6	5.9	McAfee (DEFUNCT)
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-7263

CWE-264

Assigned by: psirt@mcafee.com (Secondary)
CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-7263

https://kc.mcafee.com/corporate/index?page=content&id=SB10314

McAfee Security Bulletin - Endpoint Security issues workaround for configuration editing vulnerability (CVE-2020-7263)
Mitigation;Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-7263

Products affected by CVE-2020-7263

Exploit prediction scoring system (EPSS) score for CVE-2020-7263

CVSS scores for CVE-2020-7263

CWE ids for CVE-2020-7263

References for CVE-2020-7263