Researchers have identified a code execution vulnerability that can be used to bypass McAfee’s self-defense mechanisms.
SafeBreach Labs discovered the vulnerability, CVE-2019-3648, in all the editions of McAfee Antivirus software.
Peleg Hadar, security researcher at SafeBreach Labs, explained in a post: “In our exploration, we found that multiple services of the McAfee software which run as signed processes and as NT AUTHORITY\SYSTEM try to load c:\Windows\System32\wbem\wbemcomn.dll, which cannot be found (since it is actually located in System32 and not in the System32\Wbem folder).”
The vulnerability can be exploited by loading an arbitrary unsigned DLL into these processes, allowing threat actors to bypass the self-defense mechanism of the antivirus software, “mainly because the folders of the McAfee software are protected by a mini-filter filesystem driver, which restricts writing operations even by an Administrator.”
“If the mini-filter filesystem driver is effective, even if we run as an Administrator and implant a DLL which doesn’t exist in order to load it into McAfee’s processes, we won’t be able to do that.”
SafeBreach Labs tested the vulnerability and was able to bypass the program's self-defense mechanism.
There are three ways in which an attacker could leverage the vulnerability. Firstly, it gives the attacker the ability to load and execute malicious payloads using multiple signed services, within the context of McAfee's signed processes.
The vulnerability can also be used for Application Whitelisting Bypass and avoiding detection. In addition, the vulnerability allows attackers to load and execute malicious payloads persistently each time the services are loaded.
“That means that once the attacker drops a malicious DLL, the services will load the malicious code each time the services are restarted,” Hadar explained.
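The pattern described above (a SYSTEM-level signed service requesting a well-known DLL from a folder where it does not exist, so that a planted file gets loaded instead) is visible in image-load telemetry. The following detection routine is an added example, not code from SafeBreach Labs or McAfee: it assumes Sysmon-style "Image loaded" records reduced to four fields (process, user, loaded path, signature validity), the canonical path for wbemcomn.dll from the article, and constructed sample events with a placeholder vendor directory.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Canonical location of the DLL the article says McAfee's services look for in the
# wrong folder. A load of a file with this name from anywhere else is suspect.
CANONICAL_DLLS = {
    "wbemcomn.dll": r"c:\windows\system32\wbemcomn.dll",
}

@dataclass
class ImageLoad:
    """Minimal view of an 'Image loaded' event (field names are assumed, not Sysmon's)."""
    process: str       # executable performing the load
    user: str          # account the process runs as
    image_loaded: str  # full path of the DLL that was mapped
    signed: bool       # whether the DLL carried a valid Authenticode signature

def classify(ev: ImageLoad) -> Optional[str]:
    """Return a finding label when the load matches the hijack pattern, else None."""
    name = ntpath.basename(ev.image_loaded).lower()
    expected = CANONICAL_DLLS.get(name)
    if expected is None or ev.image_loaded.lower() == expected:
        return None  # not a DLL we track, or loaded from where it belongs
    # Unsigned code entering a SYSTEM process from a non-canonical path is the
    # worst case: exactly the self-defense / whitelisting bypass the article describes.
    if not ev.signed and ev.user.upper() == "NT AUTHORITY\\SYSTEM":
        return "unsigned-dll-loaded-by-system-from-unexpected-path"
    return "known-dll-loaded-from-unexpected-path"

def find_hijack_candidates(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Collect (process, dll path, label) for every event that classify() flags."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev.process, ev.image_loaded, label))
    return findings

# Constructed sample events; the vendor directory is a placeholder, not a real McAfee path.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\ExampleAV\svc.exe", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\wbemcomn.dll", True),          # benign: canonical path
    ImageLoad(r"C:\Program Files\ExampleAV\svc.exe", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\wbem\wbemcomn.dll", False),    # planted, unsigned copy
    ImageLoad(r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\kernel32.dll", True),          # untracked DLL
]
```

Real Sysmon Event ID 7 records carry the signature verdict in their Signed/SignatureStatus fields; map those onto the `signed` flag before feeding events in.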
The impacted versions include McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP) and McAfee Internet Security (MIS).
The vulnerability was first reported to McAfee on August 5, but McAfee did not confirm it until September 3. Only this week did McAfee publish a security advisory.
The post #Privacy: Flaw in McAfee products can bypass self-defense mechanisms appeared first on PrivSec Report.