A serious code execution vulnerability has been identified in McAfee's antivirus software. It can potentially be used to circumvent the self-defense mechanisms provided by the vendor.
Cybersecurity researchers revealed on Tuesday serious code execution vulnerabilities affecting all editions of antivirus software published by McAfee. SafeBreach Labs' team of researchers showed that the flaw, tracked as CVE-2019-3648, can be used to bypass McAfee's self-defense mechanisms, which could potentially lead to further attacks on an already compromised system.
According to the SafeBreach Labs researchers, the vulnerability stems from a path-handling problem: wbemprox.dll attempts to load wbemcomn.dll from its working directory rather than from its actual location in the System32 folder. As a result, arbitrary, unsigned DLLs can be loaded into multiple services that run as NT AUTHORITY\SYSTEM.
Still, attackers must already have administrator privileges to take advantage of this security vulnerability. Since several components of the software run as a Windows service with system-level permissions, arbitrary code can then be executed in the context of McAfee's services, with all the risks this poses for users of the American vendor's software.
Three possible exploitations
According to SafeBreach Labs, there are three main ways the vulnerability can be used in an attack chain. First, the bug allows attackers to load and execute malicious payloads through multiple signed services in the context of McAfee software. This capability can also be used to bypass application whitelisting and avoid detection by protection software. "The antivirus might not detect the attacker's binary, because it tries to load it without any checks on it," the researchers say.
Finally, the malicious code can be configured to be reloaded each time a service starts, providing persistence on a vulnerable system. McAfee Total Protection (MTP), Anti-Virus Plus (AVP), and Internet Security (MIS) up to and including 16.0.R22 are affected. Version 16.0.R22 Refresh 1 is available to fix the security problem.
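The DLL search-order problem described above leaves a clear trace for defenders: a load of wbemcomn.dll from anywhere other than the System32 tree, or one whose signature does not validate. The following is an added example, not code from SafeBreach Labs or McAfee, that applies that check to constructed Sysmon-style image-load records (event ID 7); the C:\Windows\System32 system directory and the loading-process paths are assumptions.

```python
from pathlib import PureWindowsPath

# Assumes the default %SystemRoot%; adjust if the system directory differs.
SYSTEM_DIR = r"C:\Windows\System32"
# DLLs the page names as the hijack target; extend with other search-order targets.
WATCHED_DLLS = {"wbemcomn.dll"}

# Constructed Sysmon event 7 records (Image = loading process, ImageLoaded = DLL).
# These are sample values for the example, not real telemetry.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Program Files\ExampleAV\service.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\ExampleAV\service.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\wbemcomn.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\ExampleAV\updater.exe",
     "ImageLoaded": r"C:\Temp\wbemcomn.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def classify_load(record):
    """Return the reasons a watched-DLL load looks like a hijack (empty = benign)."""
    loaded = PureWindowsPath(record["ImageLoaded"])
    if loaded.name.lower() not in WATCHED_DLLS:
        return []
    reasons = []
    # Case-insensitive prefix check: the legitimate copy lives under System32.
    if not str(loaded).lower().startswith(SYSTEM_DIR.lower() + "\\"):
        reasons.append("loaded outside System32")
    # A copy in the right place still needs a valid signature to be trusted.
    if record.get("Signed", "").lower() != "true" or record.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def scan(records):
    """Return (loading process, DLL path, reasons) for every suspicious load."""
    return [(r["Image"], r["ImageLoaded"], classify_load(r))
            for r in records if classify_load(r)]
```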
The vulnerability was first reported to McAfee on August 5th through the HackerOne bug bounty platform. The vendor responded on August 21st and confirmed the security problem on September 3rd after triage. On October 8, McAfee shared a patch deployment schedule with SafeBreach Labs, and CVE-2019-3648 was assigned to the flaw. Contacted by ZDNet, McAfee's management had not yet responded to our requests at the time of writing.