CVE-2020-7308 : Cleartext Transmission of Sensitive Information between McAfee Endpoint Security

Cleartext Transmission of Sensitive Information between McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update and McAfee Global Threat Intelligence (GTI) servers using DNS allows a remote attacker to view the requests from ENS and responses from GTI over DNS. By gaining control of an intermediate DNS server or altering the network DNS configuration, it is possible for an attacker to intercept requests and send their own responses.

Published 2021-04-15 08:15:14

Updated 2023-11-16 14:22:12

Source Trellix

View at NVD, CVE.org

Products affected by CVE-2020-7308

Mcafee » Endpoint Security » For Windows
Versions up to, including, (<=) 10.6.1
cpe:2.3:a:mcafee:endpoint_security:*:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:-:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update April 2020 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:april_2020:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update December 2018 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:december_2018:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update December 2019 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:december_2019:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update February 2019 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:february_2019:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update February 2020 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:february_2020:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update July 2019 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:july_2019:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update July 2020 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:july_2020:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update May 2019 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:may_2019:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update November 2018 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:november_2018:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update November 2020 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:november_2020:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update October 2019 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:october_2019:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.1 Update September 2020 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.1:september_2020:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.7.0 Update February 2020 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.7.0:february_2020:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.7.0 Update July 2020 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.7.0:july_2020:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.7.0 Update November 2020 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.7.0:november_2020:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.7.0 Update September 2020 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.7.0:september_2020:*:*:*:windows:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-7308

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 23 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7308

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:P/A:N	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	3.9	2.5	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
4.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N	2.2	2.5	McAfee (DEFUNCT)
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
4.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N	2.2	2.5	Trellix
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2020-7308

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Assigned by:
- nvd@nist.gov (Primary)
- psirt@mcafee.com (Primary)
- trellixpsirt@trellix.com (Secondary)

References for CVE-2020-7308

https://kc.mcafee.com/corporate/index?page=content&id=SB10354

McAfee Security Bulletin - Endpoint Security for Windows update fixes one vulnerability (CVE-2020-7308)
Broken Link;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-7308

Products affected by CVE-2020-7308

Exploit prediction scoring system (EPSS) score for CVE-2020-7308

CVSS scores for CVE-2020-7308

CWE ids for CVE-2020-7308

References for CVE-2020-7308