Security researcher Andrew Fasano has discovered a series of vulnerabilities in McAfee VirusScan Enterprise for Linux that can be chained together to execute arbitrary code as root on the machine running the software.
Fasano delineated the attack sequence as follows:
- Exploit CVE-2016-8022 and CVE-2016-8023 to brute force the authentication token
- Start running a malicious update server
- Send request with authentication token to update the update server using CVE-2016-8022
- Force target to create malicious script on their system using CVE-2016-8021
- Send malformed request with authentication token to start virus scan but execute malicious script instead by using CVE-2016-8020 and CVE-2016-8021
- The malicious script is then run by the root user on the victim machine.
One caveat: exploiting this chain depends on the existence of a valid login token, which is generated whenever a user logs into the web interface. These tokens remain valid for approximately an hour after login, so the attack window is bounded by that session lifetime.
“Intel’s McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it’s not particularly popular, and it looks like it hasn’t been updated in a long time,” he noted.
These and the other discovered vulnerabilities affect versions 1.9.2 through 2.0.2 of the software, and no security updates will be issued for it, as the product has been discontinued.
Instead, McAfee has advised users to upgrade to its Endpoint Security for Linux product (v10.2 or later), in which all of these vulnerabilities have been fixed. The upgrade is available free of charge to existing users.
Fasano discovered the flaws back in June 2016, and it took McAfee until now to ship the fixes in Endpoint Security for Linux.
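Since the only remedy is migration, the practical first step is an inventory of hosts still running an affected build. The script below is an added example written for this page, not code from the article, from Fasano or from McAfee: it compares a VirusScan Enterprise for Linux version string against the affected range 1.9.2 through 2.0.2 (inclusive) and reports whether the host needs to move to Endpoint Security for Linux. The version strings in the demo loop are constructed; on a real host, feed it the version reported by your package manager or asset inventory.

```sh
#!/bin/sh
# Added example: flag a VirusScan Enterprise for Linux (VSEL) install whose
# version falls in the affected range 1.9.2 .. 2.0.2. Not from the article or
# from McAfee; the version strings below are constructed for the demo.

# Compare two dotted version strings numerically, field by field.
# Prints "-1", "0" or "1" for a < b, a == b, a > b. Missing fields count as 0,
# so "2.0" compares equal to "2.0.0".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Affected range reported for the vulnerabilities: 1.9.2 through 2.0.2.
VSEL_AFFECTED_MIN="1.9.2"
VSEL_AFFECTED_MAX="2.0.2"

# Succeed (exit 0) when the given version is inside the affected range.
vsel_affected() {
    [ "$(vercmp "$1" "$VSEL_AFFECTED_MIN")" -ge 0 ] &&
    [ "$(vercmp "$1" "$VSEL_AFFECTED_MAX")" -le 0 ]
}

# Print a one-line verdict for a version string.
vsel_report() {
    if vsel_affected "$1"; then
        echo "VSEL $1: AFFECTED (no fixes for this product line); migrate to Endpoint Security for Linux 10.2 or later"
    else
        echo "VSEL $1: outside the affected range $VSEL_AFFECTED_MIN-$VSEL_AFFECTED_MAX"
    fi
}

# Offline demo over constructed version strings. On a real host, replace this
# loop with the version obtained from your package manager or inventory tool.
for v in 1.9.1 1.9.2 1.9.10 2.0.2 2.0.3 2.1; do
    vsel_report "$v"
done
```

Note that the comparison is numeric per field, so 1.9.10 sorts above 1.9.2 as intended; a plain string comparison would get that wrong and miss affected hosts.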
CERT/CC has issued a vulnerability note detailing the findings, as well as a separate vulnerability affecting the Windows version of the software (discovered by Shelby Kaba).