McAfee has taken six months to patch 10 critical vulnerabilities in its VirusScan Enterprise Linux client. And these were nasty bugs as when chained they resulted remote code execution as
Andrew Fasano, security researcher with MIT Lincoln Laboratory, says attackers can chain the flaws to compromise McAfee Linux clients by spinning up malicious update servers.
"At a first glance, Intel's McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it's not particularly popular, and it looks like it hasn't been updated in a long time," Fasano writes.
"When I noticed all these, I decided to take a look."
His efforts now lead him to assert that "A system running Intel's McAfee VirusScan Enterprise for Linux can be compromised by remote attackers due to a number of security vulnerabilities [which] can be chained together to allow remote code execution as
Fasano reported the bugs on 23 June through the US computer emergency response team clearing house which passed the vulnerabilities on to McAfee. He says the security company asked for a six-month non-disclosure period, plus a couple of extensions that would take it significantly longer than the standard 90-days patch-or-perish guidance offered by the likes of Google.
McAfee made no subsequent contact after July, fixing the bugs on 9 December, four days after Fasano told the firm he would publish the vulnerabilities today.
The chained bugs showcase the dangers that antivirus platforms often present to the security of enterprises and users by way of its by-design
root privileges and large attack surfaces.
Fasano detailed the exploitation process including a proof-of-concept.
From there attackers use another flaw (CVE-2016-8021) to force targeted McAfee installs to create malicious scripts.
With those flaws combined the attacker's malicious script is then run as
root on the victim machines.
Fasano says exploitation depends on valid login tokens generated when users log into McAfee web interfaces and lasting about an hour.
Other bugs Fasano found include a remote unauthenticated file read and existence test (CVE-2016-8016, CVE-2016-8017); cross-site request forgery tokens (CVE-2016-8018); cross-site scripting (CVE-2016-8019); HTTP response splitting (CVE-2016-8024), and an authenticated SQL injection bug (CVE-2016-8025). ®