Researchers have identified a code execution vulnerability in McAfee's consumer antivirus products (Total Protection, Anti-Virus Plus and Internet Security).
The SafeBreach Labs security team said CVE-2019-3648 can be used to bypass McAfee's self-defense mechanism, which is meant to stop even an administrator from tampering with the product's processes, and so opens the way to further attacks on an already compromised system.
The vulnerability has two causes: the affected services do not verify that the DLLs they load are digitally signed, and wbemprox.dll attempts to load wbemcomn.dll from the process's current working directory instead of from its real location in the System32 folder.
As a result, an arbitrary unsigned DLL can be loaded into multiple McAfee services that run as NT AUTHORITY\SYSTEM.
An attacker needs administrator rights to exploit the flaw, since that is required to place the DLL where the services look for it. However, because the affected components run as Windows services with SYSTEM privileges, the planted code executes in the context of McAfee's own signed services, which is exactly what the self-defense mechanism is supposed to prevent.
According to SafeBreach Labs, there are three ways the vulnerability can be used in an attack chain.
First, the flaw lets an attacker load and execute a malicious payload inside several signed McAfee services. Second, because the payload runs inside signed, trusted processes, it can be used to bypass application whitelisting and evade detection by security software.
Third, since the affected services start with the system, a planted DLL is loaded again every time the service starts, giving the attacker persistence on the compromised machine.
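The mechanism described above (an unsigned DLL resolved from a writable directory rather than System32, and loaded into a SYSTEM-level service) is something a defender can check for directly. The following PowerShell script is an added example and is not code from SafeBreach Labs or McAfee; it enumerates the processes behind services whose binary path mentions McAfee, lists every module they have loaded, and flags modules that are not validly Authenticode-signed, that come from outside the Windows and McAfee program directories, or that are wbemcomn.dll loaded from anywhere other than System32/SysWOW64. The allowed-directory list and the 'McAfee' service filter are assumptions; it must be run from an elevated PowerShell, because module enumeration of SYSTEM processes requires it.

```powershell
# Added example, not the advisory's or McAfee's own code.
# Audit DLLs loaded into McAfee service processes and flag anything
# that looks like a search-order hijack: unsigned, wrong directory,
# or wbemcomn.dll resolved outside System32.
# Run from an elevated PowerShell. Directory list is an assumption.

$allowedRoots = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:SystemRoot\WinSxS\",
    "$env:ProgramFiles\McAfee\",
    "${env:ProgramFiles(x86)}\McAfee\",
    "$env:ProgramFiles\Common Files\McAfee\",
    "${env:ProgramFiles(x86)}\Common Files\McAfee\"
)

function Test-AllowedPath {
    param([string]$Path)
    foreach ($root in $allowedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Pick up McAfee services from the SCM so nothing depends on hard-coded
# service names; only running services have a non-zero ProcessId.
$mcafeeServices = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'McAfee' -and $_.ProcessId -ne 0 }

foreach ($svc in $mcafeeServices) {
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) { continue }

    foreach ($m in $proc.Modules) {
        $path   = $m.FileName
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $issues = @()

        if (-not (Test-AllowedPath $path)) {
            $issues += 'loaded from unexpected directory'
        }
        if ($sig.Status -ne 'Valid') {
            $issues += "signature status $($sig.Status)"
        }
        # The library named in the advisory: it should only ever come
        # from the Windows system directories.
        if ($m.ModuleName -ieq 'wbemcomn.dll' -and
            $path -notmatch '\\Windows\\(System32|SysWOW64)\\') {
            $issues += 'wbemcomn.dll resolved outside System32'
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Service = $svc.Name
                PID     = $proc.Id
                Module  = $m.ModuleName
                Path    = $path
                Issue   = ($issues -join '; ')
            }
        }
    }
}
```

On a patched installation the script should return nothing; a result showing wbemcomn.dll with a path outside System32, or any module whose signature status is NotSigned, is the indicator to investigate. Pipe the output to Export-Csv if you want to keep a baseline and diff it after updates.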
Affected products are McAfee Total Protection (MTP), Anti-Virus Plus (AVP) and Internet Security (MIS) up to and including version 16.0.R22. Version 16.0.R22 Refresh 1 was released to fix the vulnerability.
The vulnerability was first reported to McAfee on August 5, 2019 through the HackerOne bug bounty platform. The vendor responded on August 21 and, after triage, confirmed on September 3 that the issue was valid.
On October 8, McAfee gave SafeBreach Labs a schedule for the fix, and CVE-2019-3648 was reserved for the issue.