- On 12. Jan 2016
Bypassing McAfee Application Whitelisting for Critical Infrastructure Systems
The experts of the SEC Consult Vulnerability Lab conducted research in the field of the security of application whitelisting in critical infrastructures. In the course of that research the security of McAfee Application Control was checked.
The experts developed several methods to bypass the provided protections (application whitelisting, read- and write protections as well as memory corruption protections).
Moreover different vulnerabilities were identified including the installation of software from 1999 with a well-known buffer overflow in it on all protected systems.
McAfee was notified by SEC Consult on 2015-06-03. Since the vendor didn’t fix the described vulnerabilities within the responsible disclosure deadline an advisory was released on 2015-07-28. McAfee claimed to provide fixes for the identified vulnerabilities by the end of third quarter 2015, however, at the current moment all issues remain unfixed.
Due to this fact the experts of the SEC Consult Vulnerability Lab now release the whitepaper on the security of McAfee Application Control.
The whitepaper can be downloaded from our website here:
McAfee Application Control whitepaper
Talks on that topic were already presented at conferences such as IT-SeCX 2015, DeepSec 2015 and BSides Vienna 2015. Additional information can be found in the slides from the talks.
Out of our experience we at SEC Consult consider it necessary for critical infrastructures to regularly install new updates, use only software reviewed by security professionals and further increase the awareness of end users with security trainings. For such systems it’s not enough to solely rely on a security layer such as application whitelisting. Rather, the underlying security of the system itself must be increased.
We do not see a reason for not using application whitelisting if the software is secure and doesn’t tear holes in the overall system security but it’s important to understand that it doesn’t replace robust security measures.
The slides with further details including vendor response from IT-SeCX 2015 are available here:
A (German) video of the IT-SeCX 2015 talk can be found on YouTube:
Update (2016-01-20): The English video from DeepSec 2015 Vienna can be found here: https://vimeo.com/151894442
Link to the advisory (including workarounds):