===========================================================================
AUSCERT Security Bulletin

ASB-2019.0167
Multiple McAfee products are updated to protect against a Process
Reimaging security bypass in Microsoft Windows
24 June 2019
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              McAfee products
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
Member content until: Wednesday, July 24 2019

OVERVIEW

        A vulnerability in Microsoft Windows affects multiple McAfee
        products. [1]

        Vulnerable McAfee products:

        "Anti-Virus Engine
        Application Control
        Data Exchange Layer (DXL) (Messaging)
        DXL (Messaging)
        DXL Broker (Messaging)
        DXL Client (Messaging)
        Endpoint Intelligence Agent (EIA)
        Groupshield Domino
        Groupshield Exchange
        GroupShield SharePoint
        McAfee Active Response (MAR)
        MAR
        McAfee Agent
        MVISION EDR
        MVISION Endpoint
        Real Protect
        Threat Intelligence Exchange Client for VirusScan Enterprise
        VirusScan Enterprise (VSE)
        VirusScan Enterprise for Storage" [1]

IMPACT

        The vendor has provided the following details regarding the
        vulnerability:

        "Vulnerability Description

        Windows Kernel APIs return stale and inconsistent FILE_OBJECT paths,
        which enable an adversary to bypass Windows operating system Process
        attribute verification." [1]

+----------------------------+------------------------------------------------+
|                            |Improper Access Control (CWE-287)               |
| Impact of Vulnerability:   |Permissions, Privileges, and Access Control     |
|                            |(CWE-264)                                       |
+----------------------------+------------------------------------------------+
| CVE ID:                    |None                                            |
+----------------------------+------------------------------------------------+
| Severity Rating:           |Medium                                          |
+----------------------------+------------------------------------------------+
| CVSS v3 Base/Temporal      |5.0 / 4.7                                       |
| Scores:                    |                                                |
+----------------------------+------------------------------------------------+
| Recommendations:           |Deploy product updates as they are made         |
|                            |available.                                      |
+----------------------------+------------------------------------------------+
| Security Bulletin          |None                                            |
| Replacement:               |                                                |
+----------------------------+------------------------------------------------+

MITIGATION

        McAfee advises the following remediations are available for affected
        McAfee products:

        "To remediate this issue, go to the Product Downloads site, and
        download the applicable product update/hotfix files. The table shows
        the first release that contained the remediation. Any releases after
        the version/date shown are protected." [1]

+----------------------------------+-------------+----------------+-----------+
| Product                          | Versions    | Type           | Release   |
|                                  |             |                | Date      |
+----------------------------------+-------------+----------------+-----------+
| Anti-Virus Engine                | 6010        | Minor          | May 14,   |
|                                  |             |                | 2019      |
+----------------------------------+-------------+----------------+-----------+
| Application Control              | 8.2.1       | Update         | March 6,  |
|                                  | Update 3    |                | 2019      |
+----------------------------------+-------------+----------------+-----------+
| Data Exchange Layer (DXL)        | 4.0.0       | Hotfix         | November  |
| (Messaging)                      | Hotfix 8    |                | 13, 2018  |
+----------------------------------+-------------+----------------+-----------+
| DXL (Messaging)                  | 4.1.2       | Update         | November  |
|                                  |             |                | 13, 2018  |
+----------------------------------+-------------+----------------+-----------+
| DXL Broker (Messaging)           | 5.0.1       | Update         | February  |
|                                  | Update 1    |                | 26, 2019  |
+----------------------------------+-------------+----------------+-----------+
| DXL Client (Messaging)           | 5.0.1       | Update         | February  |
|                                  | Update 2    |                | 26, 2019  |
+----------------------------------+-------------+----------------+-----------+
| Endpoint Intelligence Agent      | 2.6.4       | Update         | December  |
| (EIA)                            |             |                | 14, 2018  |
+----------------------------------+-------------+----------------+-----------+
| Groupshield Domino               | 7.5.3       | Hotfix         | March 6,  |
|                                  |             |                | 2018      |
+----------------------------------+-------------+----------------+-----------+
| Groupshield Exchange             | 8.6 Patch 1 | Patch          | November  |
|                                  |             |                | 13, 2018  |
+----------------------------------+-------------+----------------+-----------+
| GroupShield SharePoint           | 3.5 Patch 1 | Patch          | November  |
|                                  |             |                | 13, 2018  |
+----------------------------------+-------------+----------------+-----------+
| McAfee Active Response (MAR)     | 2.3.0       | Hotfix         | November  |
|                                  | Hotfix 4    |                | 13, 2018  |
+----------------------------------+-------------+----------------+-----------+
| MAR                              | 2.4.0       | Hotfix         | November  |
|                                  | Hotfix 1    |                | 27, 2018  |
+----------------------------------+-------------+----------------+-----------+
| McAfee Agent                     | 5.6.1       | Update         | May 14,   |
|                                  |             |                | 2019      |
+----------------------------------+-------------+----------------+-----------+
| MVISION EDR                      | 3.0.0       | Major          | March 27, |
|                                  |             |                | 2019      |
+----------------------------------+-------------+----------------+-----------+
| MVISION Endpoint                 | 1811 Update | Update         | January   |
|                                  | 2           |                | 8, 2019   |
+----------------------------------+-------------+----------------+-----------+
| Real Protect                     | 1.1.0.4963  | Update         | January   |
|                                  |             |                | 16, 2019  |
+----------------------------------+-------------+----------------+-----------+
| Threat Intelligence Exchange     | 1.0.3       |                | February  |
| Client for VirusScan Enterprise  | Hotfix      | Hotfix         | 12, 2019  |
|                                  | 21090212    |                |           |
+----------------------------------+-------------+----------------+-----------+
| VirusScan Enterprise (VSE)       | 8.8 Patch   | Patch          | February  |
|                                  | 12          |                | 12, 2019  |
+----------------------------------+-------------+----------------+-----------+
| VirusScan Enterprise for Storage | 8.8 Patch   | Patch as part  | February  |
|                                  | 12          | of VSE above   | 12, 2019  |
+----------------------------------+-------------+----------------+-----------+

REFERENCES

        [1] McAfee Security Bulletin - Multiple McAfee products are updated
            to protect against a Process Reimaging security bypass in
            Microsoft Windows
            https://kc.mcafee.com/corporate/index?page=content&id=SB10283

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================