Numerous vulnerabilities, ten to be exact, have been discovered in McAfee’s VirusScan Enterprise client for Linux users. These severe security flaws, when chained together, could enable an attacker to remotely gain root access to your system.
These vulnerabilities in Intel-owned McAfee’s enterprise software were first spotted by security researcher Andrew Fasano from MIT Lincoln Laboratory about six months ago. He then reported to the antivirus maker all the security flaws he had found in various versions of the software, ranging from version 1.9.2 through 2.0.2. McAfee had last updated the enterprise software in April earlier this year. Fasano started looking into the vulnerabilities because:
At a first glance, Intel’s McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it’s not particularly popular, and it looks like it hasn’t been updated in a long time.
Fasano goes on to detail how an attacker could easily gain root access through the software by exploiting the vulnerabilities one at a time. The attacker begins with security flaws CVE-2016-8022 and CVE-2016-8023 to brute-force an authentication token and connect to McAfee VirusScan Linux clients.
Next, the attacker starts running a malicious update server and sends scripts using the CVE-2016-8021 flaw. These scripts are then executed using the CVE-2016-8020 and CVE-2016-8021 flaws, by sending a malformed request with the authentication token to start a virus scan. At that point, the attacker has gained root access to the user’s system.
Fasano also reported the vulnerabilities in McAfee’s software to the US Computer Emergency Response Team (CERT), which deemed four of them critical. The antivirus maker had asked for a six-month non-disclosure period and some other extensions to successfully patch the cohort of vulnerabilities. It took McAfee more than the required time to patch its widely popular enterprise software. It was fixed on December 9.