Category Archives: mcafee

McAfee MVISION Cloud for AWS now includes support for Amazon Detective

McAfee, the device-to-cloud cybersecurity company, announced that McAfee MVISION Cloud for Amazon Web Services (AWS) now includes support for Amazon Detective, providing customers with seamless incident detection and remediation. Through the integration of MVISION Cloud with Amazon Detective, customers have the ability to react to security issues quickly and confidently while leveraging the appropriate tools for incident investigation. Amazon Detective is a security service that is designed to easily analyze, investigate, and quickly identify the …

The post McAfee MVISION Cloud for AWS now includes support for Amazon Detective appeared first on Help Net Security.

CVE-2019-3648 flaw in all McAfee AV allows DLL Hijacking

McAfee has patched a vulnerability in its antivirus software that could allow an attacker to escalate privileges and execute code with SYSTEM privileges.

Security experts at SafeBreach have discovered a vulnerability in McAfee antivirus software tracked as CVE-2019-3648 that could allow an attacker with Administrator privileges to escalate privileges and execute code with SYSTEM privileges.

The flaw impacts McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP), and all McAfee Internet Security (MIS) versions including 16.0.R22.

The CVE-2019-3648 flaw could be exploited by attackers to load unsigned DLLs into multiple services that run as NT AUTHORITY\SYSTEM.

“This vulnerability could have been used in order to bypass McAfee’s Self-Defense mechanism; and achieve defense evasion and persistence by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.” reads the analysis published by SafeBreach.

“Multiple parts of the software run as a Windows service executed as ‘NT AUTHORITY\SYSTEM,’ which provides it with very powerful permissions.” “This vulnerability can be exploited to achieve arbitrary code execution within the context of multiple McAfee services, gaining access with NT AUTHORITY\SYSTEM level privileges.”

The experts discovered that multiple services of the McAfee software try to load a library from the path c:\Windows\System32\wbem\wbemcomn.dll. The file cannot be found there, because the legitimate wbemcomn.dll is located in System32, not in the System32\Wbem folder.

An attacker can place a malicious DLL named wbemcomn.dll in the Wbem folder and get it executed by those services.

Experts explained that it is possible to bypass the self-defense mechanism of the antivirus because the antivirus doesn’t validate the digital signature of the DLL file before loading it.

The researchers tested the flaw by compiling a proxy DLL (unsigned) out of the original wbemcomn.dll DLL file, which writes the name of the process which loaded it, the username which executed it and the name of the DLL file. Then the experts implanted it in C:\Windows\System32\Wbem, and restarted the computer:

“We were able to load an arbitrary DLL and execute our code within multiple processes which are signed by McAfee, LLC as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” the experts continue.
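The two conditions SafeBreach describe above, a library probed at a path where it does not exist on a stock system and a loader that does not verify the file's signature, can be checked from the defender's side. The following PowerShell function is an added example written for this page; it is not SafeBreach's test DLL nor McAfee's tooling. It assumes Windows PowerShell 5.1 or later and the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, and it treats System32 as the expected home of wbemcomn.dll and System32\Wbem as the search-order location named in the article. The function name and its output fields are my own.

```powershell
# Added example (not from the article): audit the wbemcomn.dll search-order location.
# Assumes Windows PowerShell 5.1+ with Get-AuthenticodeSignature and Get-FileHash.
function Test-WbemcomnHijack {
    [CmdletBinding()]
    param(
        # Where the legitimate wbemcomn.dll lives on a stock system (per the article).
        [string]$ExpectedDir = (Join-Path $env:SystemRoot 'System32'),
        # The directory the affected services probed first (per the article).
        [string]$HijackDir   = (Join-Path $env:SystemRoot 'System32\Wbem'),
        [string]$DllName     = 'wbemcomn.dll'
    )

    $expected = Join-Path $ExpectedDir $DllName
    $planted  = Join-Path $HijackDir  $DllName

    # Hypothetical result shape chosen for this example.
    $result = [ordered]@{
        CheckedPath        = $planted
        PlantedCopyPresent = Test-Path -LiteralPath $planted -PathType Leaf
        PlantedSignature   = $null
        PlantedSigner      = $null
        MatchesExpected    = $null
        Verdict            = 'clean: no copy in search-order location'
    }

    if (-not $result.PlantedCopyPresent) {
        return [pscustomobject]$result
    }

    # Any file at this path is unexpected on a stock install, so inspect it:
    # first the Authenticode status, then whether it is byte-identical to the real DLL.
    $sig = Get-AuthenticodeSignature -FilePath $planted
    $result.PlantedSignature = $sig.Status.ToString()
    if ($sig.SignerCertificate) {
        $result.PlantedSigner = $sig.SignerCertificate.Subject
    }

    if (Test-Path -LiteralPath $expected -PathType Leaf) {
        $realHash    = (Get-FileHash -LiteralPath $expected -Algorithm SHA256).Hash
        $plantedHash = (Get-FileHash -LiteralPath $planted  -Algorithm SHA256).Hash
        $result.MatchesExpected = ($realHash -eq $plantedHash)
    }

    if ($sig.Status -ne 'Valid') {
        # This is exactly the case the article describes: an unsigned DLL that a
        # SYSTEM service will load without a signature check.
        $result.Verdict = 'suspicious: unsigned or invalid-signature DLL in search-order location'
    } elseif ($result.MatchesExpected -eq $false) {
        $result.Verdict = 'review: signed, but differs from the System32 copy'
    } else {
        $result.Verdict = 'review: unexpected duplicate of the System32 copy'
    }

    [pscustomobject]$result
}

# Run the check and show every field.
Test-WbemcomnHijack | Format-List
```

On an unpatched host the useful signal is a non-Valid signature status on a file in System32\Wbem; a signed copy that still differs from the System32 original is worth a look as well. The parameters exist so the same check can be pointed at any other library-and-directory pair, which is the general shape of a DLL search-order hijack audit.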

Experts reported the flaw to McAfee in August, and on November 12 McAfee published a security advisory and released a patch to address the issue. McAfee confirmed that it is not aware of the vulnerability being exploited in attacks in the wild.

SafeBreach discovered similar issues in other security solutions from other vendors, including Trend Micro, Check Point, Bitdefender, AVG and Avast.

Pierluigi Paganini

(SecurityAffairs – McAfee, hacking)

The post CVE-2019-3648 flaw in all McAfee AV allows DLL Hijacking appeared first on Security Affairs.