Researchers have disclosed a serious code execution vulnerability impacting all editions of McAfee's antivirus software.
The vulnerability stems from two weaknesses. First, the software does not verify that the DLLs it loads are digitally signed. Second, wbemprox.dll attempts to load wbemcomn.dll from the process's working directory rather than from the library's actual location in the System32 folder, so a DLL of the same name placed in that directory is found first and loaded in place of the genuine one.
As a result, arbitrary, unsigned DLLs can be loaded into multiple services that run as NT AUTHORITY\SYSTEM.
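The search-order behaviour described above is usually found by watching a service start under Process Monitor and looking for DLL probes that fail (NAME NOT FOUND) in one directory and then succeed in another. The script below automates that over a Procmon CSV export. It is an added example, not code from SafeBreach Labs, McAfee or ZDNet; the column names are those of Procmon's default CSV export, and the log rows, the service name mcexample.exe and the directory C:\Program Files\Example are constructed placeholders rather than anything captured from McAfee's products.

```python
r"""Hunt for DLL search-order hijack candidates in a Process Monitor CSV export.

Added example, not SafeBreach's or McAfee's code. Column names match Procmon's
default CSV export; the rows below are constructed, and the service name
mcexample.exe and directory C:\Program Files\Example are placeholders.
"""
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample: a service first probes its own directory for
# wbemcomn.dll (NAME NOT FOUND) and only then finds it in System32.
# plugin.dll is probed but never mapped, which is not a search-order issue.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:00:01.0001","mcexample.exe","1234","CreateFile","C:\Program Files\Example\wbemcomn.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:00:01.0002","mcexample.exe","1234","CreateFile","C:\Windows\System32\wbemcomn.dll","SUCCESS","Desired Access: Read Attributes"
"9:00:01.0003","mcexample.exe","1234","Load Image","C:\Windows\System32\wbemcomn.dll","SUCCESS","Image Base: 0x7ff800000000"
"9:00:02.0001","mcexample.exe","1234","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ff810000000"
"9:00:02.0002","mcexample.exe","1234","CreateFile","C:\Program Files\Example\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"9:00:03.0001","mcexample.exe","1234","CreateFile","C:\Program Files\Example\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_hijack_candidates(text):
    """Return failed DLL probes that a same-named DLL from another directory later satisfied.

    If foo.dll is probed in directory D (NAME NOT FOUND) and then mapped from a
    different directory, a foo.dll written into D wins the search order. That is
    the pattern behind the wbemcomn.dll load described in the article.
    """
    missed = defaultdict(list)  # (pid, dll name) -> paths where the probe failed
    loaded = {}                 # (pid, dll name) -> (process name, path actually mapped)
    for row in parse_procmon_csv(text):
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        key = (row["PID"], ntpath.basename(path).lower())
        if row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            missed[key].append(path)
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            loaded.setdefault(key, (row["Process Name"], path))

    candidates = []
    for (pid, dll), probes in missed.items():
        if (pid, dll) not in loaded:
            continue  # never mapped at all: an optional module, not a hijackable search
        process, resolved = loaded[(pid, dll)]
        for probe in probes:
            if ntpath.dirname(probe).lower() != ntpath.dirname(resolved).lower():
                candidates.append({
                    "process": process,
                    "pid": pid,
                    "dll": dll,
                    "probed": probe,      # where an attacker's copy would be picked up
                    "resolved": resolved,  # where the genuine copy came from
                })
    return candidates


if __name__ == "__main__":
    for c in find_hijack_candidates(SAMPLE_PROCMON_CSV):
        print(f"{c['process']} ({c['pid']}): {c['dll']} probed at {c['probed']}, "
              f"loaded from {c['resolved']}")
```

Because the loads happen while the service initialises, the capture has to cover service start (Procmon's boot logging, or a service restart with the capture already running). Each candidate still needs a manual check of who can write to the probed directory; as the article notes, in this case that required administrator rights, which is what limits the flaw to post-compromise use.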
Attackers need administrator privileges to plant the DLL, so the flaw is of little use for gaining an initial foothold. Once they hold those rights, however, the payoff is substantial: multiple components of the software run as Windows services with system-level permissions, so the planted code executes as NT AUTHORITY\SYSTEM inside McAfee's own processes.
According to SafeBreach Labs, which reported the flaw, there are three main ways in which it can be used in an attack chain.
First, the bug lets attackers load and execute malicious payloads inside multiple signed McAfee services. Second, because the payload then runs inside a trusted, signed process, the same ability can be used to bypass application whitelisting and to evade detection by security software.
"The antivirus might not detect the attacker's binary, because it tries to load it without any verification against it," the researchers say.
Third, because the hijacked DLL is loaded every time the service is launched, the malicious code is reloaded with it, giving the attacker persistence on the compromised system.
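The three uses above share one observable: an unsigned module being mapped into a process that runs as SYSTEM, from a directory where the genuine file does not live. The following detection logic, written over the fields of Sysmon's Event ID 7 (ImageLoad), flags exactly that. It is an added example, not code from McAfee, SafeBreach Labs or ZDNet; the sample events, the service path C:\Program Files\ExampleAV and the user names are constructed, and the baseline of System32-only DLL names contains just the two libraries the article mentions.

```python
r"""Flag unsigned DLLs mapped into SYSTEM-level services, using Sysmon Event ID 7 fields.

Added example, not McAfee's or SafeBreach's code. Field names follow Sysmon's
ImageLoad event (Image, ImageLoaded, Signed, SignatureStatus, Signature, User);
the events below are constructed and C:\Program Files\ExampleAV is a placeholder.
"""
import ntpath

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
SYSTEM32 = r"c:\windows\system32"

# DLLs that should only ever be mapped from System32. wbemprox.dll and
# wbemcomn.dll are the two named in the article; extend from a clean baseline.
SYSTEM32_ONLY = {"wbemprox.dll", "wbemcomn.dll"}

# Constructed sample events (subset of Sysmon Event ID 7 fields).
SAMPLE_IMAGE_LOADS = [
    {  # expected: the genuine, signed wbemcomn.dll from System32
        "Image": r"C:\Program Files\ExampleAV\svc.exe", "User": SYSTEM_USER,
        "ImageLoaded": r"C:\Windows\System32\wbemcomn.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
    },
    {  # hijack: same file name, unsigned, mapped from the service's own directory
        "Image": r"C:\Program Files\ExampleAV\svc.exe", "User": SYSTEM_USER,
        "ImageLoaded": r"C:\Program Files\ExampleAV\wbemcomn.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "",
    },
    {  # unsigned, but in an ordinary user process: worth noting, lower severity
        "Image": r"C:\Users\alice\tool.exe", "User": r"DESKTOP\alice",
        "ImageLoaded": r"C:\Users\alice\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "",
    },
]


def image_load_reasons(ev):
    """Return the list of reasons an ImageLoad event is suspicious (empty if none)."""
    reasons = []
    dll = ev["ImageLoaded"]
    name = ntpath.basename(dll).lower()
    in_system32 = ntpath.dirname(dll).lower() == SYSTEM32
    # A valid Authenticode signature is the check the article says the loader skipped.
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("module is unsigned or its signature did not validate")
    if name in SYSTEM32_ONLY and not in_system32:
        reasons.append("known System32 DLL loaded from outside System32")
    return reasons


def find_suspicious_loads(events):
    """Rank suspicious loads: 'high' when the loading process runs as SYSTEM, else 'low'."""
    findings = []
    for ev in events:
        reasons = image_load_reasons(ev)
        if not reasons:
            continue
        severity = "high" if ev.get("User") == SYSTEM_USER else "low"
        findings.append({
            "severity": severity,
            "process": ev["Image"],
            "dll": ev["ImageLoaded"],
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_loads(SAMPLE_IMAGE_LOADS):
        print(f"[{f['severity']}] {f['process']} loaded {f['dll']}: {'; '.join(f['reasons'])}")
```

Two caveats apply in practice. Sysmon only emits Event ID 7 when its configuration includes ImageLoad rules, and the volume is high, so scope the rules to the security product's own process paths. And since the attacker already holds administrator rights on the host, local logs can be tampered with; the events need to leave the machine before they are trusted.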
McAfee Total Protection (MTP), Anti-Virus Plus (AVP), and Internet Security (MIS) up to and including version 16.0.R22 are impacted. Version 16.0.R22 Refresh 1 is being released to resolve the security flaw.
The vulnerability was first reported to McAfee on August 5 through the HackerOne bug bounty platform. The cybersecurity vendor responded on August 21 and later confirmed the validity of the security problem on September 3 after performing triage.
By October 8, McAfee had shared a fix deployment timescale with SafeBreach Labs, and CVE-2019-3648 was reserved for the issue.
ZDNet has reached out to McAfee but has not heard back at the time of publication.