Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0167
Multiple McAfee products are updated to protect against a
Process Reimaging security bypass in Microsoft Windows
24 June 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: McAfee products
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
Member content until: Wednesday, July 24 2019
OVERVIEW
A vulnerability in Microsoft Windows affects multiple McAfee products. [1]
Vulnerable McAfee products:
"Anti-Virus Engine
Application Control
Data Exchange Layer (DXL) (Messaging)
DXL (Messaging)
DXL Broker (Messaging)
DXL Client (Messaging)
Endpoint Intelligence Agent (EIA)
Groupshield Domino
Groupshield Exchange
GroupShield SharePoint
McAfee Active Response (MAR)
MAR
McAfee Agent
MVISION EDR
MVISION Endpoint
Real Protect
Threat Intelligence Exchange Client for VirusScan Enterprise
VirusScan Enterprise (VSE)
VirusScan Enterprise for Storage" [1]
IMPACT
The vendor has provided the following details regarding the vulnerability:
"Vulnerability Description
Windows Kernel APIs return stale and inconsistent FILE_OBJECT paths, which enable an adversary to bypass Windows operating system Process attribute verification." [1]
+----------------------------+------------------------------------------------+
| |Improper Access Control (CWE-287) |
| Impact of Vulnerability: |Permissions, Privileges, and Access Control |
| |(CWE-264) |
+----------------------------+------------------------------------------------+
| CVE ID: |None |
+----------------------------+------------------------------------------------+
| Severity Rating: |Medium |
+----------------------------+------------------------------------------------+
| CVSS v3 Base/Temporal |5.0 / 4.7 |
|Scores: | |
+----------------------------+------------------------------------------------+
| Recommendations: |Deploy product updates as they are made |
| |available. |
+----------------------------+------------------------------------------------+
| Security Bulletin |None |
|Replacement: | |
+----------------------------+------------------------------------------------+
MITIGATION
McAfee advises the following remediations are available for affected McAfee products:
"To remediate this issue, go to the Product Downloads site, and download the
applicable product update/hotfix files. The table shows the first release that
contained the remediation. Any releases after the version/date shown are
protected." [1]
+----------------------------------+-------------+----------------+-----------+
| Product | Versions | Type | Release |
| | | | Date |
+----------------------------------+-------------+----------------+-----------+
| Anti-Virus Engine | 6010 | Minor | May 14, |
| | | | 2019 |
+----------------------------------+-------------+----------------+-----------+
| Application Control | 8.2.1 | Update | March 6, |
| | Update 3 | | 2019 |
+----------------------------------+-------------+----------------+-----------+
| Data Exchange Layer (DXL) | 4.0.0 | Hotfix | November |
| (Messaging) | Hotfix 8 | | 13, 2018 |
+----------------------------------+-------------+----------------+-----------+
| DXL (Messaging) | 4.1.2 | Update | November |
| | | | 13, 2018 |
+----------------------------------+-------------+----------------+-----------+
| DXL Broker (Messaging) | 5.0.1 | Update | February |
| | Update 1 | | 26, 2019 |
+----------------------------------+-------------+----------------+-----------+
| DXL Client (Messaging) | 5.0.1 | Update | February |
| | Update 2 | | 26, 2019 |
+----------------------------------+-------------+----------------+-----------+
| Endpoint Intelligence Agent | 2.6.4 | Update | December |
| (EIA) | | | 14, 2018 |
+----------------------------------+-------------+----------------+-----------+
| Groupshield Domino | 7.5.3 | Hotfix | March 6, |
| | | | 2018 |
+----------------------------------+-------------+----------------+-----------+
| Groupshield Exchange | 8.6 Patch 1 | Patch | November |
| | | | 13, 2018 |
+----------------------------------+-------------+----------------+-----------+
| GroupShield SharePoint | 3.5 Patch 1 | Patch | November |
| | | | 13, 2018 |
+----------------------------------+-------------+----------------+-----------+
| McAfee Active Response (MAR) | 2.3.0 | Hotfix | November |
| | Hotfix 4 | | 13, 2018 |
+----------------------------------+-------------+----------------+-----------+
| MAR | 2.4.0 | Hotfix | November |
| | Hotfix 1 | | 27, 2018 |
+----------------------------------+-------------+----------------+-----------+
| McAfee Agent | 5.6.1 | Update | May 14, |
| | | | 2019 |
+----------------------------------+-------------+----------------+-----------+
| MVISION EDR | 3.0.0 | Major | March 27, |
| | | | 2019 |
+----------------------------------+-------------+----------------+-----------+
| MVISION Endpoint | 1811 Update | Update | January |
| | 2 | | 8, 2019 |
+----------------------------------+-------------+----------------+-----------+
| Real Protect | 1.1.0.4963 | Update | January |
| | | | 16, 2019 |
+----------------------------------+-------------+----------------+-----------+
| Threat Intelligence Exchange | 1.0.3 | | February |
| Client for VirusScan Enterprise | Hotfix | Hotfix | 12, 2019 |
| | 21090212 | | |
+----------------------------------+-------------+----------------+-----------+
| VirusScan Enterprise (VSE) | 8.8 Patch | Patch | February |
| | 12 | | 12, 2019 |
+----------------------------------+-------------+----------------+-----------+
| VirusScan Enterprise for Storage | 8.8 Patch | Patch as part | February |
| | 12 | of VSE above | 12, 2019 |
+----------------------------------+-------------+----------------+-----------+
REFERENCES
[1] McAfee Security Bulletin - Multiple McAfee products are updated to
protect against a Process Reimaging security bypass in Microsoft
Windows
https://kc.mcafee.com/corporate/index?page=content&id=SB10283
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXRBqfWaOgq3Tt24GAQhmkA//UXjHcQDkZ48CR2cPA2PkvTjbpX7yl927
LPBg1SBbKVxQQZqiXw5LCNQH6lGobHaGlmbNmqV2WMzrWz1RARhugbF+n+ExCxIt
/NNlCS4b8Isya3HBDqjSXivtZZbuQFiocLmKX56MO+CGZ0LfeXDLCel+c8FjoWpi
j/KcOO56CO4pVsq2yswflSJBTHjZ/QAlRQmkRyjYtimPqMLT75ELrCsYYEL6mljx
7o+vQa3eCj74zXZ8xpq1Lw8emYwHixi6/BGzTVlQSpXt0Cxc/D00hLOlJpTlpbZ5
stfrHT70pgn2UENdxJmSZFttEkBNidLAVV384dg+JY4Si+0GEDXFkZtclYbnUcjI
ckEzUA3IpMOka7fqYd9C8tdqO64ZyVLuv51dNmjiHcPrp8YbwA9O8Uj+BkfiGLAN
COz/TEb0Ffvk9rUE2jndui/R4Xh0qJ769oSOS1WZegk8/qCKaUYyzjTvXP1nIkv/
BxjBNUpB1LmoM8CV93U+qbE8oFdgKp3kTZ7n+7yKirpbFUnvDj5fgCeCPdGU1qxD
2l1oy4hQp5ggCR5XDm7yufNGRdUBpxU9ncgssflCICEtzs9ryvD97YcAbkQ0cbXL
KhDBxCa9D09haS7c0Nbo3550dIN6nMwfZsuMasguvfIvtrQo3W4h0+lrH579ugiq
k588hjZj51A=
=wmro
-----END PGP SIGNATURE-----