Operating System: Windows
Published: 24 June 2019

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0167
         Multiple McAfee products are updated to protect against a
          Process Reimaging security bypass in Microsoft Windows
                               24 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee products
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
Member content until: Wednesday, July 24 2019

OVERVIEW

        A process-attribute verification bypass ("Process Reimaging") in Microsoft
        Windows affects multiple McAfee products. [1]
        
        Vulnerable McAfee products:
        
        "Anti-Virus Engine
        Application Control
        Data Exchange Layer (DXL) (Messaging)
        DXL (Messaging)
        DXL Broker (Messaging)
        DXL Client (Messaging)
        Endpoint Intelligence Agent (EIA)
        Groupshield Domino
        Groupshield Exchange
        GroupShield SharePoint
        McAfee Active Response (MAR)
        MAR
        McAfee Agent
        MVISION EDR
        MVISION Endpoint
        Real Protect
        Threat Intelligence Exchange Client for VirusScan Enterprise
        VirusScan Enterprise (VSE)
        VirusScan Enterprise for Storage" [1]


IMPACT

        The vendor has provided the following details regarding the vulnerability:
        
        "Vulnerability Description
        
        Windows Kernel APIs return stale and inconsistent FILE_OBJECT paths, which enable an adversary to bypass Windows operating system Process attribute verification." [1]
        
        +----------------------------+------------------------------------------------+
        |                            |Improper Access Control (CWE-287)               |
        | Impact of Vulnerability:   |Permissions, Privileges, and Access Control     |
        |                            |(CWE-264)                                       |
        +----------------------------+------------------------------------------------+
        | CVE ID:                    |None                                            |
        +----------------------------+------------------------------------------------+
        | Severity Rating:           |Medium                                          |
        +----------------------------+------------------------------------------------+
        | CVSS v3 Base/Temporal      |5.0 / 4.7                                       |
        |Scores:                     |                                                |
        +----------------------------+------------------------------------------------+
        | Recommendations:           |Deploy product updates as they are made         |
        |                            |available.                                      |
        +----------------------------+------------------------------------------------+
        | Security Bulletin          |None                                            |
        |Replacement:                |                                                |
        +----------------------------+------------------------------------------------+

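        The vendor description above says only that the kernel can hand back a stale
        FILE_OBJECT path for a running process, so any product that verifies a process
        by looking up the file at that path can be misled. The script below is an added
        example written for this bulletin, not code from McAfee, AusCERT or Microsoft:
        a heuristic audit that treats the path Windows reports for each process
        (taken here as the .Path property of Get-Process) as untrusted and checks it
        against the filesystem. It assumes Windows PowerShell 5.1 or PowerShell 7 on
        Windows, run elevated so most processes can be opened. A reported path that no
        longer resolves, or that resolves to a file created or written after the
        process started, is flagged for analyst review; these conditions are
        heuristics chosen for this example, not a definitive verdict.

```powershell
# Added example (not from the McAfee or AusCERT bulletin): flag running processes
# whose reported image path looks stale, the condition underlying Process Reimaging.
# Assumptions: Windows, PowerShell 5.1+/7, elevated session; Get-Process .Path is
# used as "the image path Windows reports". Results are heuristic, for review only.

function Test-ProcessImagePath {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $reportedPath = $proc.Path   # may be stale if the image was renamed/moved after launch

    $result = [ordered]@{
        ProcessId    = $ProcessId
        Name         = $proc.ProcessName
        ReportedPath = $reportedPath
        StartTime    = $null
        PathExists   = $false
        SignerStatus = $null
        Suspicious   = $false
        Reason       = @()
    }

    try   { $result.StartTime = $proc.StartTime }
    catch { $result.Reason += 'StartTime unavailable (access denied)' }

    if ([string]::IsNullOrEmpty($reportedPath)) {
        $result.Reason += 'No image path reported (protected or kernel process)'
        return [pscustomobject]$result
    }

    if (-not (Test-Path -LiteralPath $reportedPath -PathType Leaf)) {
        # Windows still names a file that is not there: renamed or deleted after launch.
        $result.Suspicious = $true
        $result.Reason += 'Reported image path does not exist on disk'
        return [pscustomobject]$result
    }
    $result.PathExists = $true

    $file = Get-Item -LiteralPath $reportedPath
    if ($result.StartTime -and
        ($file.CreationTime -gt $result.StartTime -or $file.LastWriteTime -gt $result.StartTime)) {
        # Something was placed at, or written to, the reported path after the process
        # started, so the on-disk file is not necessarily the code that is mapped.
        $result.Suspicious = $true
        $result.Reason += 'File at reported path is newer than the process'
    }

    # Record the Authenticode status of whatever sits at the reported path. If the path
    # is stale, a valid signature here says nothing about the code actually running,
    # which is exactly why path-based verification is bypassable; it is logged, not trusted.
    $sig = Get-AuthenticodeSignature -LiteralPath $reportedPath
    $result.SignerStatus = $sig.Status.ToString()

    return [pscustomobject]$result
}

function Get-SuspiciousProcessImages {
    Get-Process | ForEach-Object {
        try { Test-ProcessImagePath -ProcessId $_.Id } catch { <# unreadable process #> }
    } | Where-Object { $_.Suspicious }
}

Get-SuspiciousProcessImages |
    Format-Table ProcessId, Name, ReportedPath, SignerStatus, Reason -AutoSize
```

        Expect false positives from legitimate installers and self-updating
        applications that rename a running binary and drop a new one in its place;
        the flagged rows are a triage list, not a detection verdict. The script also
        cannot recover the true current path of the mapped image, because no
        user-mode lookup shown here returns it once the path is stale; that gap is
        what the vendor updates in this bulletin address inside the affected
        products.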

MITIGATION

        McAfee advises that the following remediations are available for affected McAfee products:
        
        "To remediate this issue, go to the Product Downloads site, and download the
        applicable product update/hotfix files. The table shows the first release that
        contained the remediation. Any releases after the version/date shown are
        protected." [1]
        
        +----------------------------------+-------------+----------------+-----------+
        | Product                          | Versions    | Type           | Release   |
        |                                  |             |                | Date      |
        +----------------------------------+-------------+----------------+-----------+
        | Anti-Virus Engine                | 6010        | Minor          | May 14,   |
        |                                  |             |                | 2019      |
        +----------------------------------+-------------+----------------+-----------+
        | Application Control              | 8.2.1       | Update         | March 6,  |
        |                                  | Update 3    |                | 2019      |
        +----------------------------------+-------------+----------------+-----------+
        | Data Exchange Layer (DXL)        | 4.0.0       | Hotfix         | November  |
        | (Messaging)                      | Hotfix 8    |                | 13, 2018  |
        +----------------------------------+-------------+----------------+-----------+
        | DXL (Messaging)                  | 4.1.2       | Update         | November  |
        |                                  |             |                | 13, 2018  |
        +----------------------------------+-------------+----------------+-----------+
        | DXL Broker (Messaging)           | 5.0.1       | Update         | February  |
        |                                  | Update 1    |                | 26, 2019  |
        +----------------------------------+-------------+----------------+-----------+
        | DXL Client (Messaging)           | 5.0.1       | Update         | February  |
        |                                  | Update 2    |                | 26, 2019  |
        +----------------------------------+-------------+----------------+-----------+
        | Endpoint Intelligence Agent      | 2.6.4       | Update         | December  |
        | (EIA)                            |             |                | 14, 2018  |
        +----------------------------------+-------------+----------------+-----------+
        | Groupshield Domino               | 7.5.3       | Hotfix         | March 6,  |
        |                                  |             |                | 2018      |
        +----------------------------------+-------------+----------------+-----------+
        | Groupshield Exchange             | 8.6 Patch 1 | Patch          | November  |
        |                                  |             |                | 13, 2018  |
        +----------------------------------+-------------+----------------+-----------+
        | GroupShield SharePoint           | 3.5 Patch 1 | Patch          | November  |
        |                                  |             |                | 13, 2018  |
        +----------------------------------+-------------+----------------+-----------+
        | McAfee Active Response (MAR)     | 2.3.0       | Hotfix         | November  |
        |                                  | Hotfix 4    |                | 13, 2018  |
        +----------------------------------+-------------+----------------+-----------+
        | MAR                              | 2.4.0       | Hotfix         | November  |
        |                                  | Hotfix 1    |                | 27, 2018  |
        +----------------------------------+-------------+----------------+-----------+
        | McAfee Agent                     | 5.6.1       | Update         | May 14,   |
        |                                  |             |                | 2019      |
        +----------------------------------+-------------+----------------+-----------+
        | MVISION EDR                      | 3.0.0       | Major          | March 27, |
        |                                  |             |                | 2019      |
        +----------------------------------+-------------+----------------+-----------+
        | MVISION Endpoint                 | 1811 Update | Update         | January   |
        |                                  | 2           |                | 8, 2019   |
        +----------------------------------+-------------+----------------+-----------+
        | Real Protect                     | 1.1.0.4963  | Update         | January   |
        |                                  |             |                | 16, 2019  |
        +----------------------------------+-------------+----------------+-----------+
        | Threat Intelligence Exchange     | 1.0.3       |                | February  |
        | Client for VirusScan Enterprise  | Hotfix      | Hotfix         | 12, 2019  |
        |                                  | 21090212    |                |           |
        +----------------------------------+-------------+----------------+-----------+
        | VirusScan Enterprise (VSE)       | 8.8 Patch   | Patch          | February  |
        |                                  | 12          |                | 12, 2019  |
        +----------------------------------+-------------+----------------+-----------+
        | VirusScan Enterprise for Storage | 8.8 Patch   | Patch as part  | February  |
        |                                  | 12          | of VSE above   | 12, 2019  |
        +----------------------------------+-------------+----------------+-----------+


REFERENCES

        [1] McAfee Security Bulletin - Multiple McAfee products are updated to
            protect against a Process Reimaging security bypass in Microsoft
            Windows
            https://kc.mcafee.com/corporate/index?page=content&id=SB10283

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----