Whokeys Blogs
  • McAfee Antivirus Software Affected by Code Execution Vulnerability
    Time: Dec. 23, 2019

    Researchers have discovered a serious code execution vulnerability that affects all editions of McAfee Antivirus software.

    On Tuesday, the SafeBreach Labs cybersecurity team announced that CVE-2019-3648 could bypass McAfee's self-defense mechanisms, which could lead to further attacks in a compromised system.

    The vulnerability exists because the affected services do not verify whether the DLLs they load are signed, combined with a search-path problem: wbemprox.dll tries to load wbemcomn.dll from the working directory rather than from its actual location in the System32 folder.

    As a result, an unsigned DLL can be loaded into multiple services that run as NT AUTHORITY\SYSTEM.
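    The two conditions above (a DLL loaded from somewhere other than System32, and no signature check on what was loaded) are both things a defender can audit on a running host. The script below is an added example written for this post; it is not code from SafeBreach Labs, McAfee, or the original article. It walks the loaded modules of running processes, and for each module with the given name reports whether it was loaded from System32 and whether its Authenticode signature is valid. The default DLL name comes from the advisory; the process-name filter and the "Suspicious" rule are assumptions you should adapt to your own environment.

    ```powershell
    # Added example (not from the blog post or from McAfee/SafeBreach): audit where a named
    # DLL has been loaded from in running processes and whether it carries a valid signature.
    # Run from an elevated PowerShell session so that SYSTEM-level service processes are visible.
    param(
        # Assumption: '*' audits every process; narrow this to the service names you care about.
        [string]$ProcessNameFilter = '*',
        # The DLL named in the advisory; any module name can be substituted.
        [string]$DllName = 'wbemcomn.dll'
    )

    $system32 = Join-Path $env:SystemRoot 'System32'

    Get-Process -Name $ProcessNameFilter -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        # Protected or higher-integrity processes can refuse module enumeration; skip them.
        try { $modules = $proc.Modules } catch { return }

        foreach ($m in $modules) {
            if ($m.ModuleName -ine $DllName) { continue }

            $path = $m.FileName
            # Condition 1: the legitimate copy lives in System32; anything else is search-order hijacking territory.
            $inSystem32 = $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
            # Condition 2: the loaded file should carry a valid Authenticode (or catalog) signature.
            $sig = Get-AuthenticodeSignature -FilePath $path

            [pscustomobject]@{
                Process    = $proc.ProcessName
                PID        = $proc.Id
                Module     = $path
                InSystem32 = $inSystem32
                Signature  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # Assumption: either condition failing is worth an analyst's attention.
                Suspicious = (-not $inSystem32) -or ($sig.Status -ne 'Valid')
            }
        }
    } | Sort-Object Suspicious -Descending | Format-Table -AutoSize
    ```

    A row with InSystem32 false, or a Signature other than Valid, is the observable footprint of the loading behaviour the article describes. Note that Get-AuthenticodeSignature reports catalog-signed Windows system files as Valid on current Windows versions, but if you run this on older builds, treat a NotSigned result for a file that really is in System32 as a prompt to check the catalog rather than as a verdict.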

    Attackers need administrator rights to exploit this vulnerability. However, because multiple McAfee components run as Windows services with system-level privileges, successful exploitation means arbitrary code runs in the context of those McAfee services.

    The flaw allowed attackers to load and execute a malicious payload through several signed services in McAfee's software. The same behaviour can also be used to bypass application whitelisting and evade detection by protection software.

    In addition, malicious code can be configured to reload each time a service starts, giving it persistence on a vulnerable system.

    McAfee Total Protection, McAfee Anti-Virus Plus and Internet Security up to and including version 16.0.R22 are affected. Version 16.0.R22 Refresh 1 has been released to close the vulnerability.

    The vulnerability was first reported to McAfee on August 5 through the HackerOne bug bounty platform. The cybersecurity vendor responded on August 21 and, after triage, confirmed on September 3 that the security issue was valid.