McAfee antivirus software impacted by code execution vulnerability

The severe security flaw can bypass self-defense mechanisms.
Written by Charlie Osborne, Contributing Writer

Researchers have revealed a serious code execution vulnerability impacting all editions of McAfee software. 

On Tuesday, the SafeBreach Labs cybersecurity team said that CVE-2019-3648 can be used to bypass McAfee's self-defense mechanisms, potentially leading to further attacks on a compromised system.

The vulnerability stems from two weaknesses. First, the McAfee services do not check whether the DLLs they load are signed. Second, a library path issue means that wbemprox.dll, which the services load, tries to pull in wbemcomn.dll from the process's working directory rather than from its real location under System32 (the System32\wbem folder). An attacker who can write to that working directory can therefore plant a DLL of the same name and have it picked up first.

As a result, arbitrary, unsigned DLLs can be loaded into multiple services that run as NT AUTHORITY\SYSTEM.
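A practitioner responding to this class of bug wants to know whether a planted wbemcomn.dll exists on the host and whether anything has already loaded it. The PowerShell hunt script below is an added example, not code from SafeBreach Labs, McAfee or the original article. It assumes an elevated session (reading module lists of SYSTEM processes requires it) and a set of search roots that you may want to widen; both are assumptions, not facts from the report.

```powershell
# Added hunt script (not from SafeBreach Labs or McAfee): flags copies of wbemcomn.dll
# that sit outside the legitimate System32\wbem location, on disk and inside running
# processes, and reports whether each copy carries a valid Authenticode signature.
# Assumption: runs elevated so that the module lists of SYSTEM processes are readable.

$legit = Join-Path $env:SystemRoot 'System32\wbem\wbemcomn.dll'

function Test-WbemcomnPlant {
    # 1. Copies on disk outside System32\wbem. Search roots are an assumption; widen as needed.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, "$env:SystemRoot\System32")
    foreach ($root in $roots) {
        if ([string]::IsNullOrEmpty($root) -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter 'wbemcomn.dll' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -ine $legit } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Kind   = 'OnDisk'
                    Path   = $_.FullName
                    # 'Valid' only when the chain is trusted; 'NotSigned' or 'HashMismatch' otherwise
                    Status = $sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
    }

    # 2. Copies already mapped into a running process. A hijacked service shows up here
    #    with a module path that is not the System32\wbem one.
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $mods = $proc.Modules } catch { return }   # protected/other-session processes: skip
        $mods |
            Where-Object { $_.ModuleName -ieq 'wbemcomn.dll' -and $_.FileName -ine $legit } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FileName
                [pscustomobject]@{
                    Kind   = 'Loaded'
                    Path   = "$($_.FileName) (pid $($proc.Id), $($proc.ProcessName))"
                    Status = $sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
    }
}

Test-WbemcomnPlant | Format-Table -AutoSize
```

Read the Path column before the Status column: an attacker with administrator rights can just as easily drop a validly signed but attacker-chosen DLL under the planted name, so a 'Valid' status does not clear a copy that lives anywhere other than System32\wbem. The script only finds the specific library named in the report; the same two checks (unexpected path, unexpected signer) apply to any other DLL a service resolves from its working directory.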


Attackers need administrator privileges to exploit the flaw. Once they have them, however, the fact that several McAfee components run as Windows services with system-level permissions means that arbitrary code can be executed within the context of those services.

According to SafeBreach Labs, the vulnerability offers three main uses in an attack chain.

Because the malicious payload is loaded and executed by McAfee's own signed services, an attacker gains code execution inside a trusted process. That, in turn, can be used to bypass application whitelisting, since the whitelisted McAfee binaries are what end up running the code, and to evade detection by the protective software itself.


"The antivirus might not detect the attacker's binary, because it tries to load it without any verification against it," the researchers say. 

In addition, because the planted DLL is loaded again every time the affected service starts, the malicious code runs on each boot, giving the attacker persistence on the vulnerable system.

McAfee Total Protection (MTP), Anti-Virus Plus (AVP), and Internet Security (MIS) up to and including version 16.0.R22 are impacted. Version 16.0.R22 Refresh 1 is being released to resolve the security flaw. 


The vulnerability was first reported to McAfee on August 5 through the HackerOne bug bounty platform. McAfee responded on August 21 and, after triage, confirmed the issue on September 3.

By October 8, McAfee had shared a fix deployment timeline with SafeBreach Labs, and CVE-2019-3648 was reserved for the issue.

ZDNet has reached out to McAfee but has not heard back at the time of publication. 
