Security flaw in McAfee enterprise software gives attackers root access

The security company took six months to patch the set of security vulnerabilities.
Written by Charlie Osborne, Contributing Writer

Vulnerabilities discovered in Intel McAfee's VirusScan Enterprise for Linux which could lead to the remote takeover of a system were patched six months after disclosure.


Security researcher Andrew Fasano from MIT Lincoln Laboratory said this week that a total of 10 security flaws, if chained together, allows the execution of code remotely as a root user.

"At a first glance, Intel's McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it's not particularly popular, and it looks like it hasn't been updated in a long time," the security advisory reads. "When I noticed all these, I decided to take a look."

The vulnerabilities are present from at least VirusScan Enterprise for Linux version 1.9.2 through 2.0.2, which was released in April this year.

"The only difference from the older release appears to be updating to a newer version of libc which makes exploiting these vulnerabilities easier," Fasano says.

There are ten vulnerabilities in total, four of which are deemed critical. The first pair, CVE-2016-8016 and CVE-2016-8017, is an information disclosure flaw and a bug caused by the failure to sanitize special elements which allow attackers to remotely test file existence and read files with some constraints.

Once these flaws have been exploited, attackers can then utilize CVE-2016-8021 to force the McAfee software to create malicious scripts without the need for proper authentication or cryptographic controls.

These scripts can then be executed through this bug, but two additional bugs, CVE-2016-8020 and CVE-2016-8021, can also be leveraged to escalate privileges and remotely execute code.

When chained together, these vulnerabilities allow a remote attacker to execute code with root access control.

In addition, the researcher found six additional bugs, an authenticated SQL injection, CVE-2016-8025, an HTTP response splitting flaw -- CVE-2016-8024 -- two issues relating to brute-force attacks against authentication tokens, CVE-2016-8022 and CVE-2016-8023, alongside a cross-site scripting issue, CVE-2016-8019, and CVE-2016-801, a forgery tokens problem.

The vulnerabilities were originally reported in June this year with public disclosure scheduled for August. Following communication between the McAfee security team and Fasano, the company requested an extension until September or even the end of the year.

Three months of radio silence then occurred before McAfee was issued a public disclosure date of December 12 on December 5.

Once this date was set in stone, McAfee finally stirred and published a security bulletin and assigned CVE IDs before the disclosure date on December 9.

2016 Holiday gift guide: Top tech, gadgets to give this season

Editorial standards