Cybersecurity Threat Advisory 0063-19: McAfee Antivirus and Symantec Endpoint LPE Flaw
Recently, both McAfee and Symantec anti-malware tools were discovered to have vulnerabilities that allowed a threat actor to overcome the protection systems that these tools typically provide. While the attack requires the threat actor to already hold Administrative privileges on the victim’s machine, there are various other techniques that can be used to gain the required privileges before undertaking the attack itself. Essentially, threat actors can force Windows to load malware files by tricking the anti-malware tools into being unable to verify the digital signature used to determine whether these files are valid or malicious. This allows the threat actor to use this malware to gain even higher-level privileges and undertake further malicious actions on the victim’s machine and potentially on other machines. Updates that remove the vulnerability are available; contact your IT team and/or your Managed Services Provider to have these updates applied as soon as possible.
Technical detail and additional information
What is the threat?
Both McAfee and Symantec Endpoint Protection software recently had security vulnerabilities discovered in various versions of their respective products. A local privilege escalation vulnerability has allowed attackers to gain root privileges and execute malicious code on victim machines. For this flaw to be exploited, attackers must already have Administrative privileges on the system, which they then use to persist on the network and run further commands. Once Administrative privileges are gained, attackers further compromise the infected machines by loading unsigned DLL files into services that run as NT AUTHORITY\SYSTEM. Researchers discovered that this flaw was caused by the antivirus platforms loading DLL files from the wrong file path locations: the DLL files were being loaded from the current directory instead of from the full paths in which they were located. Due to this file path error, the antivirus platforms were unable to validate the digital signatures of the DLL files. Since no signatures could be authenticated, the execution of these files went undetected and led to a bypass of the self-defense mechanism of these platforms.
Why is this noteworthy?
Both McAfee and Symantec Endpoint are highly reputable antivirus products used by organizations and individuals worldwide. McAfee Total Protection (MTP), McAfee Anti-Virus Protection (AVP), and McAfee Internet Security (MIS) versions including 16.0.R22 are all affected. All versions of Symantec Endpoint Protection prior to 14.2 RU2 are affected. The attack is also notable because it allows a threat actor who has obtained Administrative access to elevate to root, giving them total control over the infected system and making detection and blocking of the threat actor significantly more difficult.
What is the exposure or risk?
When an attacker has gained Administrative privileges, they have access to multiple services that should only be attainable by selected users. Using this to their advantage, they execute powerful commands that will ultimately have a large impact on a company’s infrastructure as they gain full root access to the infected system. With such full control of a target’s system, attackers can copy and exfiltrate highly sensitive and confidential data, engage in data-dumping processes to obtain additional credentials, and/or compromise other systems and services.
This vulnerability also gives attackers the ability to launch and execute dangerous payloads to maintain persistence across the network. Once a DLL file is dropped, the code permanently stays in the same location and loads each time the antivirus services are started. This persistence is used to further compromise the already infected machine and to re-infect machines which have been cleaned by other tools that may not remove the malware DLL files.
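As an added illustration of the detection side of the two points above (unsigned DLLs loaded into the SYSTEM antivirus service from a directory other than the product's own, and the dropped DLL being loaded again every time the service starts), here is a small Python audit over Sysmon Event ID 7 (Image loaded) records. This is example code written for this advisory, not McAfee's, Symantec's or SKOUT's tooling; the service path C:\Program Files\ExampleAV\avservice.exe, the sample records and the key=value line layout are constructed placeholders, and an operator would substitute the real product paths and feed in exported event data.

```python
from pathlib import PureWindowsPath

# Constructed sample Sysmon Event ID 7 (Image loaded) records flattened to
# one "key=value|key=value" line each. These are made up for this example,
# not real telemetry; the field names (Image, ImageLoaded, Signed,
# SignatureStatus, User) follow Sysmon's own event schema.
SAMPLE_EVENTS = r"""
EventID=7|Image=C:\Program Files\ExampleAV\avservice.exe|ImageLoaded=C:\Program Files\ExampleAV\engine.dll|Signed=true|SignatureStatus=Valid|User=NT AUTHORITY\SYSTEM
EventID=7|Image=C:\Program Files\ExampleAV\avservice.exe|ImageLoaded=C:\Users\Public\helper.dll|Signed=false|SignatureStatus=Unavailable|User=NT AUTHORITY\SYSTEM
EventID=7|Image=C:\Program Files\ExampleAV\avservice.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid|User=NT AUTHORITY\SYSTEM
EventID=7|Image=C:\Program Files\ExampleAV\avservice.exe|ImageLoaded=C:\Program Files\ExampleAV\plugin.dll|Signed=true|SignatureStatus=Expired|User=NT AUTHORITY\SYSTEM
EventID=1|Image=C:\Windows\System32\notepad.exe|User=CORP\alice
"""

# Hypothetical antivirus service binary whose image loads we want to audit.
# Replace with the real product's service executables.
PROTECTED_IMAGES = [r"C:\Program Files\ExampleAV\avservice.exe"]

# Directories from which a SYSTEM service is expected to load DLLs besides
# its own install directory.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\SysWOW64"]


def is_under(path: str, directory: str) -> bool:
    """True if `path` lies inside `directory`. PureWindowsPath compares
    case-insensitively, matching how Windows resolves paths."""
    return PureWindowsPath(directory) in PureWindowsPath(path).parents


def parse_event(line: str) -> dict:
    """Split one flattened record into a field dictionary."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def audit_image_loads(raw_events: str, protected_images, system_dirs=SYSTEM_DIRS):
    """Return findings for DLLs loaded into the protected service processes
    that are either not validly signed or loaded from an unexpected directory.
    A DLL loaded from anywhere other than the product install directory or
    the Windows system directories is exactly the current-directory load the
    advisory describes; a DLL that reappears on every service start shows up
    as a repeated finding across consecutive audits."""
    protected = {PureWindowsPath(p) for p in protected_images}
    findings = []
    for line in raw_events.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue  # only image-load events matter here
        image = PureWindowsPath(ev.get("Image", ""))
        if image not in protected:
            continue  # not one of the services we are watching
        loaded = ev.get("ImageLoaded", "")
        reasons = []
        # Self-defense relies on the signature check; anything not Valid is suspect.
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append(
                f"signature not valid (Signed={ev.get('Signed')}, "
                f"SignatureStatus={ev.get('SignatureStatus')})"
            )
        # The service should only load from its own directory or the system directories.
        trusted_dirs = [str(image.parent), *system_dirs]
        if not any(is_under(loaded, d) for d in trusted_dirs):
            reasons.append("loaded from outside the product install and Windows system directories")
        if reasons:
            findings.append({
                "process": str(image),
                "module": loaded,
                "user": ev.get("User"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_image_loads(SAMPLE_EVENTS, PROTECTED_IMAGES):
        print(f"{finding['process']} loaded {finding['module']} as {finding['user']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run against the constructed sample, the audit flags helper.dll (unsigned and loaded from C:\Users\Public) and plugin.dll (in the install directory but with an expired signature), while engine.dll and kernel32.dll pass. In practice the records would come from a Sysmon export or SIEM query restricted to the vendor's service processes, and a module that is flagged again after the service restarts is the persistence case the advisory warns about.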
What are the recommendations?
- SKOUT recommends upgrading all systems using the McAfee or Symantec tools known to be impacted by this vulnerability at the earliest possible opportunity.
- Restrict access to Administrative/management privileges to authorized privileged users and train all users to recognize threat techniques that attempt to gain Administrative access (such as attempts to get users to download unknown files or open unknown attachments, threat actions that attempt to gain USB access through trickery or obfuscation, etc.).
- Ensure both firewall and antivirus applications are run for multi-layer security, providing multiple points of detection and protection for both inbound and outbound threats and detecting lateral movement and other threat actions beyond single workstations and servers.
For more in-depth information about the recommendations, please visit the following links: