McAfee Patches Privilege Escalation Flaw in Antivirus Software

McAfee patched a security vulnerability discovered in all editions of its antivirus software for Windows that enables potential attackers to escalate privileges and execute code with SYSTEM privileges.

McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP), and McAfee Internet Security (MIS) up to and including 16.0.R22 are all impacted by this local privilege escalation (LPE) bug.

Privilege escalation bug patched by McAfee

The LPE flaw now tracked as CVE-2019-3648 requires attackers to have Administrator privileges for exploitation according to SafeBreach Labs security researcher Peleg Hadar who discovered the vulnerability.

While the severity of this type of security flaw is not immediately obvious, such flaws usually receive medium to high CVSS 3.x base scores [1, 2].

Threat actors regularly exploit DLL search-order hijacking flaws such as this as part of later stages of attacks after a machine was already infiltrated, when needing to elevate permissions to establish persistence and further compromise the targeted machine.

After exploitation, it can be used "to bypass McAfee’s Self-Defense mechanism; and achieve defense evasion and persistence by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM," Hadar says.

The company is rolling out the 16.0.R22 Refresh 1 version, which addresses the issue, the SafeBreach Labs security researcher says in his report.

Arbitrary unsigned DLL loading from CWD

The SafeBreach Labs researcher says that CVE-2019-3648 is caused by the antivirus solution attempting to load a DLL from its current working directory (CWD) instead of the DLL's actual location, and by not validating whether the DLL it is trying to load is signed with a digital certificate.

Hadar found that the McAfee software running as NT AUTHORITY\SYSTEM tries to import the wbemcomn.dll from its CWD, the C:\Windows\System32\Wbem directory, instead of its actual location, in the System32 folder.

Loading an arbitrary unsigned DLL

By abusing this bug, one could easily load an arbitrary unsigned DLL into these processes if one already has Administrator privileges on the system, thus bypassing McAfee Antivirus' self-defense mechanism.

As part of a proof-of-concept demonstration, Hadar was able to implant an unsigned proxy DLL in the C:\Windows\System32\Wbem folder, load it, and execute it within several McAfee signed processes as NT AUTHORITY\SYSTEM, bypassing the self-defense mechanism of the McAfee Antivirus just as expected.
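The loading behaviour described above (a System32 DLL pulled from the service's CWD, with no signature check) leaves a telemetry footprint that defenders can hunt for. The following is an added detection example, not code from the article, SafeBreach or McAfee: it scans Sysmon Event ID 7 ("Image loaded") records and flags any DLL whose canonical home is System32 that is loaded from another directory without a valid signature, noting when the loading process runs as NT AUTHORITY\SYSTEM. The Sysmon field names are real; the event records, the process path and the list of System32 DLLs are constructed for the example.

```python
# Added example (not from the article or the projects it describes): flag DLL
# search-order hijacking, as described above, in Sysmon Event ID 7 records.
# Field names (Image, ImageLoaded, Signed, SignatureStatus, User) are the real
# Sysmon ones; the records, process path and DLL list below are constructed.

SYSTEM32 = r"c:\windows\system32"

# DLLs whose canonical location is System32. A copy loaded from any other
# directory (for instance the Wbem subfolder named in the article) is suspect.
# This set is an assumption for the example, not a complete inventory.
SYSTEM32_DLLS = {"wbemcomn.dll", "version.dll", "cryptsp.dll"}

# Constructed sample telemetry: one planted unsigned copy of wbemcomn.dll loaded
# by a hypothetical AV service running as SYSTEM, one legitimate load of the real
# DLL from System32, and one unrelated unsigned user-mode DLL.
SAMPLE_EVENTS = """\
Image: C:\\Program Files\\ExampleAV\\avservice.exe
ImageLoaded: C:\\Windows\\System32\\Wbem\\wbemcomn.dll
Signed: false
SignatureStatus: Unavailable
User: NT AUTHORITY\\SYSTEM

Image: C:\\Windows\\System32\\svchost.exe
ImageLoaded: C:\\Windows\\System32\\wbemcomn.dll
Signed: true
SignatureStatus: Valid
User: NT AUTHORITY\\SYSTEM

Image: C:\\Users\\alice\\tool.exe
ImageLoaded: C:\\Users\\alice\\helper.dll
Signed: false
SignatureStatus: Unavailable
User: DESKTOP\\alice
"""


def parse_events(text):
    """Parse blank-line-separated 'Key: Value' records into dicts."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def is_hijack_candidate(event):
    """True when a System32-resident DLL is loaded from elsewhere without a valid signature."""
    loaded = event.get("ImageLoaded", "")
    directory, _, name = loaded.lower().rpartition("\\")
    if name not in SYSTEM32_DLLS:
        return False          # not a DLL we expect to live in System32
    if directory == SYSTEM32:
        return False          # loaded from its canonical location
    validly_signed = (event.get("Signed", "").lower() == "true"
                      and event.get("SignatureStatus", "") == "Valid")
    return not validly_signed


def runs_as_system(event):
    """True when the loading process runs in the NT AUTHORITY\\SYSTEM context."""
    return event.get("User", "").upper() == "NT AUTHORITY\\SYSTEM"


def find_hijacks(text):
    """Return (loaded DLL path, user) for each suspicious load, SYSTEM-context loads first."""
    hits = [(e["ImageLoaded"], e["User"])
            for e in parse_events(text) if is_hijack_candidate(e)]
    return sorted(hits, key=lambda hit: hit[1].upper() != "NT AUTHORITY\\SYSTEM")


if __name__ == "__main__":
    for path, user in find_hijacks(SAMPLE_EVENTS):
        print(f"suspicious DLL load: {path} (process user: {user})")
```

Running the block prints the single planted wbemcomn.dll load; the legitimate load from System32 and the unrelated user-mode DLL are not flagged. The same check can be pointed at a live Sysmon export, and the developer-side fix it mirrors is to load system DLLs by absolute path (or with the loader restricted to System32) and to verify the Authenticode signature before loading.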

Proof of concept

"The vulnerability gives attackers the ability to load and execute malicious payloads using multiple signed services, within the context of McAfee’s signed processes," Hadar says.

"This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass. The antivirus might not detect the attacker’s binary, because it tries to load it without any verification against it."

Exploiting the CVE-2019-3648 bug on devices running unpatched versions of McAfee Antivirus could also allow attackers to load and launch malicious payloads each time the McAfee services are loading, gaining persistence between system restarts.

More details on how the vulnerability was discovered, a detailed analysis of its root cause, and a full disclosure timeline are available at the end of the SafeBreach Labs report.

More LPE flaws reported to security vendors

This is not the first local privilege escalation security issue Hadar reported to a security vendor, since he also found more affecting Trend Micro's Password Manager, Check Point Software's Endpoint Security Initial Client, the free version of Bitdefender Antivirus, Avira's Antivirus 2019 software, and Avast Software's AVG Antivirus and Avast Antivirus.

Each of them could be exploited by attackers to drop and execute malicious payloads in a persistent way, as well as evading detection during later stages of an attack on machines running unpatched software.

Trend Micro, Check Point Software, Bitdefender, Avira, and Avast patched the security flaws (tracked as CVE-2019-14684, CVE-2019-8461, CVE-2019-15295, CVE-2019-17449, and CVE-2019-17093) after receiving Hadar's disclosure report, with users receiving the security updates via the automatic update features built within the apps.
