McAfee Antivirus Suffered And Patched A Serious Code Execution Vulnerability


Antivirus software is meant to protect other software, but an antivirus product is itself software, and that means it can be vulnerable too.

Researchers from SafeBreach Labs disclosed a code execution vulnerability affecting McAfee's consumer antivirus products. The bug lets an attacker bypass McAfee's self-defense mechanism, the protection that is supposed to stop even an administrator from tampering with the product's own files and processes.

The bug has two ingredients. First, several McAfee services, which run as signed processes under NT AUTHORITY\SYSTEM, try to load C:\Windows\System32\wbem\wbemcomn.dll, a path where no such file exists (the legitimate copy of that library lives in C:\Windows\System32 itself, so the lookup in the wbem subfolder simply fails). Second, whatever the service finds at that path is loaded without any digital signature validation.

An attacker who can write to that directory, which requires administrator rights, can therefore drop a DLL named wbemcomn.dll into C:\Windows\System32\wbem and have it loaded and executed by the service, turning a missing file into arbitrary code execution inside the antivirus itself.

According to the announcement:

"We suspected that a vulnerability could be exploited if we could load an arbitrary unsigned DLL into these processes. This would enable us to bypass the self-defense mechanism of the antivirus software, mainly because the folders of the McAfee software are protected by a mini-filter filesystem driver, which restricts writing operations even by an Administrator."

Exploitation does, however, require the attacker to already hold administrator privileges, since only an administrator can write to C:\Windows\System32\wbem.

Once that bar is cleared, the payoff is substantial: several components of the suite run as Windows services with SYSTEM privileges, so the planted DLL executes as SYSTEM inside a signed, self-protected McAfee process.

Figure: McAfee service trying to load C:\Windows\System32\wbem\wbemcomn.dll. (Credit: SafeBreach Labs)

"The vulnerability gives attackers the ability to load and execute malicious payloads using multiple signed services, within the context of McAfee’s signed processes. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass. The antivirus might not detect the attacker’s binary, because it tries to load it without any verification against it."

In addition, because the services attempt the load every time they start, a planted DLL is re-executed on every boot, giving the attacker persistence on the system with no further action.
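The behaviour described above, a signed SYSTEM service mapping a DLL from a path where it should not exist and doing so without a signature check, is visible in Sysmon Event ID 7 (Image loaded) telemetry. The script below is an added example for defenders, not SafeBreach's or McAfee's code. It applies two rules to image-load events: any load of wbemcomn.dll from C:\Windows\System32\wbem is flagged regardless of the loading process, and any McAfee process mapping a module that is not validly signed is flagged as the more general form of the bug. The key=value line layout, the sample events and the McAfee executable name McSvc.exe are constructed for the example; the McAfee install directories are assumed stock paths.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Path the affected McAfee services tried to load, per the SafeBreach report.
# The legitimate wbemcomn.dll lives in System32 itself, so a file at this
# exact path can only have been planted.
PHANTOM_DLL = r"c:\windows\system32\wbem\wbemcomn.dll"

# Install locations of the affected McAfee processes (assumed stock paths).
MCAFEE_DIRS = ("c:\\program files\\mcafee\\",
               "c:\\program files\\common files\\mcafee\\")

# Flattened key=value rendering of a Sysmon Event ID 7 record (constructed
# layout; the field names are the ones Sysmon emits).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    image: str    # process that performed the load
    loaded: str   # module that was mapped
    reason: str   # "phantom-path" or "unsigned-module"


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def check_event(ev: dict) -> Optional[Finding]:
    """Apply the two detection rules to one parsed event."""
    if ev.get("EventID") != "7":
        return None  # only image loads are of interest
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()

    # Rule 1: nothing should ever load wbemcomn.dll from System32\wbem.
    if loaded == PHANTOM_DLL:
        return Finding(image, loaded, "phantom-path")

    # Rule 2: a signed McAfee service mapping a module that is not validly
    # signed is the general form of the bug (no signature check on load).
    if image.startswith(MCAFEE_DIRS):
        signed = ev.get("Signed", "").lower() == "true"
        valid = ev.get("SignatureStatus", "").lower() == "valid"
        if not (signed and valid):
            return Finding(image, loaded, "unsigned-module")
    return None


def scan(lines) -> list:
    """Run every line through the rules and collect the findings in order."""
    findings = []
    for line in lines:
        finding = check_event(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events; McSvc.exe is a hypothetical service name.
SAMPLE_LOG = [
    r'EventID=7 Image="C:\Program Files\Common Files\McAfee\Platform\McSvc.exe" ImageLoaded="C:\Windows\System32\wbemcomn.dll" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    r'EventID=7 Image="C:\Program Files\Common Files\McAfee\Platform\McSvc.exe" ImageLoaded="C:\Windows\System32\wbem\wbemcomn.dll" Signed=false Signature="" SignatureStatus=Unavailable',
    r'EventID=7 Image="C:\Program Files\Common Files\McAfee\Platform\McSvc.exe" ImageLoaded="C:\Users\Public\helper.dll" Signed=false Signature="" SignatureStatus=Unavailable',
    r'EventID=7 Image="C:\Windows\System32\notepad.exe" ImageLoaded="C:\Windows\System32\wbem\wbemcomn.dll" Signed=false Signature="" SignatureStatus=Unavailable',
    r'EventID=1 Image="C:\Program Files\Common Files\McAfee\Platform\McSvc.exe" CommandLine="McSvc.exe -service"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.reason:16} {f.image} -> {f.loaded}")
```

Of the five sample events, the legitimate load from System32 and the process-creation record pass cleanly; the two loads from the wbem subfolder are flagged as phantom-path, and the unsigned helper.dll mapped into the McAfee process is flagged as unsigned-module. Rule 1 is deliberately process-agnostic: once the patch is applied the McAfee services stop looking in that folder, but a file still sitting there is evidence of an earlier compromise whatever loads it.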

According to the researchers, McAfee Total Protection (MTP), Anti-Virus Plus (AVP), and Internet Security (MIS) up to and including version 16.0.R22 are impacted.

Version 16.0.R22 Refresh 1 is being released to all users to resolve the flaw; the fix removes the attempt to load the library from the non-existent path.

The vulnerability was first reported to McAfee on August 5 through the HackerOne bug bounty platform. McAfee responded on August 21, before confirming the validity of the security issue on September 3.

By October 8, McAfee shared a fix deployment timescale with SafeBreach Labs, leading to the reservation of CVE-2019-3648.