
CVE-2019-3648 flaw in all McAfee AV allows DLL Hijacking


McAfee fixed a vulnerability in its antivirus software that could allow an attacker to escalate privileges and execute code with SYSTEM privileges.

Security experts at SafeBreach have discovered a vulnerability in McAfee antivirus software tracked as CVE-2019-3648 that could allow an attacker with Administrator privileges to escalate privileges and execute code with SYSTEM privileges.

The flaw impacts McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP), and all McAfee Internet Security (MIS) versions including 16.0.R22.

The CVE-2019-3648 flaw could be exploited by attackers to load unsigned DLLs into multiple services that run as NT AUTHORITY\SYSTEM.

“This vulnerability could have been used in order to bypass McAfee’s Self-Defense mechanism; and achieve defense evasion and persistence by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.” reads the analysis published by SafeBreach.

“Multiple parts of the software run as a Windows service executed as ‘NT AUTHORITY\SYSTEM,’ which provides it with very powerful permissions.” “This vulnerability can be exploited to achieve arbitrary code execution within the context of multiple McAfee services, gaining access with NT AUTHORITY\SYSTEM level privileges.”

The experts discovered that multiple services of the McAfee software try to load a library from the path c:\Windows\System32\wbem\wbemcomn.dll, which cannot be found there because the genuine DLL is located in System32 and not in the System32\Wbem folder.

An attacker can place a malicious DLL named wbemcomn.dll in the wbem folder and get it loaded and executed.

Experts explained that it is possible to bypass the self-defense mechanism of the antivirus because the antivirus doesn’t validate the digital signature of the DLL file before loading it.
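The detection logic a defender would want for the pattern just described, as an added example that is not part of the article or of SafeBreach’s research: it flags image-load events where a DLL that belongs in C:\Windows\System32 (the article’s case is wbemcomn.dll) was instead loaded from the System32\wbem folder, without a valid signature, into a process running as NT AUTHORITY\SYSTEM. The input records are constructed here in a simplified Sysmon Event ID 7 (“Image loaded”) shape; the field names follow Sysmon, the values and the process paths are placeholders, and the EXPECTED_DIR map is an assumption the reader would extend for their own environment.

```python
"""Flag DLL loads that fit the wbemcomn.dll hijack pattern: a tracked DLL
loaded from the wrong folder, unsigned, into a SYSTEM process.
Sample records are constructed (simplified Sysmon Event ID 7 fields)."""
import ntpath
from dataclasses import dataclass
from typing import Iterable, Optional

# Directory where the genuine copy of each watched DLL lives (assumed map).
# The article's case: wbemcomn.dll belongs in System32, not System32\wbem.
EXPECTED_DIR = {
    "wbemcomn.dll": r"c:\windows\system32",
}

SYSTEM_ACCOUNT = r"nt authority\system"


@dataclass(frozen=True)
class ImageLoad:
    image: str             # process that performed the load
    image_loaded: str      # full path of the DLL that was mapped
    signed: bool
    signature_status: str  # e.g. "Valid", "Unavailable", "Expired"
    user: str              # account the loading process runs as


def parse_event(rec: dict) -> ImageLoad:
    """Build an ImageLoad from a Sysmon-style record (Sysmon emits Signed
    as the string "true"/"false")."""
    return ImageLoad(
        image=rec["Image"],
        image_loaded=rec["ImageLoaded"],
        signed=str(rec.get("Signed", "false")).lower() == "true",
        signature_status=rec.get("SignatureStatus", "Unavailable"),
        user=rec.get("User", ""),
    )


def classify(ev: ImageLoad) -> Optional[str]:
    """Return None (benign), "suspicious" or "critical" for one load event."""
    name = ntpath.basename(ev.image_loaded).lower()
    expected = EXPECTED_DIR.get(name)
    if expected is None:
        return None                      # not a DLL we track
    if ntpath.dirname(ev.image_loaded).lower() == expected:
        return None                      # loaded from its genuine location
    signature_ok = ev.signed and ev.signature_status.lower() == "valid"
    if signature_ok:
        # Wrong folder but validly signed: worth a look, not the unsigned
        # planted-DLL pattern the article describes.
        return "suspicious"
    # Unsigned copy from the wrong folder; inside a SYSTEM process this is
    # exactly the privilege-escalation / self-defense-bypass case.
    return "critical" if ev.user.lower() == SYSTEM_ACCOUNT else "suspicious"


def scan(records: Iterable[dict]) -> list:
    """Classify each record; return (verdict, event) for everything flagged."""
    out = []
    for rec in records:
        ev = parse_event(rec)
        verdict = classify(ev)
        if verdict:
            out.append((verdict, ev))
    return out


# Constructed sample telemetry (not real logs); process paths are placeholders.
SAMPLE_EVENTS = [
    {   # genuine DLL from System32 into a SYSTEM service: benign
        "Image": r"C:\Program Files\ExampleAV\svc.exe",
        "ImageLoaded": r"C:\Windows\System32\wbemcomn.dll",
        "Signed": "true", "SignatureStatus": "Valid",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # unsigned copy from System32\wbem into a SYSTEM service: the hijack
        "Image": r"C:\Program Files\ExampleAV\svc.exe",
        "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # same planted file loaded by an ordinary user process: suspicious
        "Image": r"C:\Users\alice\tool.exe",
        "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
        "User": r"DESKTOP-01\alice",
    },
    {   # untracked DLL: ignored
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
        "User": r"NT AUTHORITY\SYSTEM",
    },
]


if __name__ == "__main__":
    for verdict, ev in scan(SAMPLE_EVENTS):
        print(f"{verdict.upper():10} {ev.user:22} {ev.image} -> {ev.image_loaded}")
```

The check keys on the folder the DLL was mapped from rather than on a hash, because a proxy DLL built from the original will carry the original’s metadata; what it cannot carry is a valid McAfee or Microsoft signature or the genuine System32 location, which is why both conditions together drive the verdict.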

The researchers tested the flaw by compiling an unsigned proxy DLL out of the original wbemcomn.dll file, which writes the name of the process that loaded it, the username that executed it, and the name of the DLL file. Then the experts planted it in C:\Windows\System32\Wbem and restarted the computer:

“We were able to load an arbitrary DLL and execute our code within multiple processes which are signed by McAfee, LLC as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” continues the analysis.

Experts reported the flaw to McAfee in August; on November 12 McAfee published a security advisory and released a patch to address the issue. McAfee confirmed that it is not aware of the vulnerability being exploited in attacks in the wild.

SafeBreach discovered similar issues in other security solutions from other vendors, including Trend Micro, Check Point, Bitdefender, AVG and Avast.


Pierluigi Paganini

(SecurityAffairs – McAfee, hacking)
