McAfee Application Control Multiple Vulnerabilities

SEC Consult Vulnerability Lab Security Advisory < 20150728-0 >

=======================================================================

title: McAfee Application Control Multiple Vulnerabilities

product: McAfee Application Control

vulnerable version: verified in version 6.1.3.353

fixed version: a fixed version is currently not available

impact: high

homepage: www.mcafee.com/us/products/application-control.aspx

found: 28.04.2015

by: R. Freingruber (Office Vienna)

SEC Consult Vulnerability Lab

An integrated part of SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore

Vienna (HQ) - Vilnius - Zurich

www.sec-consult.com

=======================================================================

Vendor description:

-------------------

"McAfee Application Control software provides an effective way to block

unauthorized applications and code on servers, corporate desktops, and

fixed-function devices. This centrally managed whitelisting solution

uses a dynamic trust model and innovative security features that thwart

advanced persistent threats — without requiring signature updates or

labor-intensive list management."

Source: www.mcafee.com/us/products/application-control.aspx

 

Business recommendation:

------------------------

By combining the vulnerabilities documented in this advisory an attacker

can completely bypass the mitigations provided by McAfee Application

Control. This especially includes the application whitelisting as well as

the read and write protections. Moreover, an attacker can attack the

availability of the system.

SEC Consult recommends not to use this software until a thorough security

review has been performed by security professionals and all identified

issues have been resolved.

 

Vulnerability overview/description:

-----------------------------------

1) Injected library bypasses protections of the operating system

To add memory corruption protections (mp, mp-casp, mp-vasr,

mp-vasr-forced-relocation) McAfee Application Control injects it's own

library scinject.dll into all running processes. The library allocates a

write- and executable location which can be used to bypass the mitigation

technique Data Execution Protection (DEP) of the underlying operating

system. Moreover, it can also be used to bypass the mitigation technique

mp-casp from McAfee Application Control. This increases the possibility

to successfully exploit a memory corruption vulnerability. Since memory

corruption vulnerabilities can be used to compromise a system and to bypass

the application whitelisting protection it is very important to not decrease

the security of protections provided by the operating system.

 

2) Software shipped with an application from 1999 which includes publicly known

vulnerabilities

McAfee Application Control installs per default a ZIP application from 1999.

The ZIP application contains publicly known vulnerabilities including a buffer

overflow. An attacker can exploit the buffer overflow vulnerability to bypass

application whitelisting. However, a public exploit is not available and

exploitation of the vulnerability is considered not trivial.

 

3) Multiple kernel driver vulnerabilities

An attacker can send manipulated IOCTL requests to the kernel which lead to a

system crash. These vulnerabilities can be used to affect the availability of

the system. It is expected that these vulnerabilities can also be used to

escalate privileges to kernel level.

 

4) Insufficient application whitelisting protection

The main feature of McAfee Application Control is application whitelisting.

SEC Consult Vulnerability Lab discovered multiple ways to bypass this protection.

 

5) Insufficient file system read-/write-protection

Because of the design of McAfee Application Control write protection is mandatory

to ensure the security of application whitelisting. SEC Consult managed to bypass

the write protection to overwrite whitelisted applications to achieve full code

execution. Moreover, read protection was bypassed to dump the contents of

McAfee's password file. By bypassing write protection it's also possible to

delete the password file to interact with McAfee Application Control without

requiring a password. This can be used to completely disable McAfee Application

Control.

 

Proof of concept:

-----------------

Since no fix is available for any of the described vulnerabilities, the

proof of concept section was completely removed from the advisory.

 

Vulnerable / tested versions:

-----------------------------

The version 6.1.3.353 was found to be vulnerable.

This was the latest version at the time of discovery.

 

Vendor contact timeline:

------------------------

2015-06-03: Contacting vendor through security-alerts@mcafee.com

Sending PGP encrypted whitepaper to vendor.

Informed McAfee about the latest possible release date: 2015-07-24.

2015-06-04: Vendor response - issues will be tracked with case ID SBC1506031

2015-06-08: SEC Consult asked for a release date of a fix.

2015-07-02: SEC Consult asked for a release date of a fix and the current status.

2015-07-13: SEC Consult asked for a release date of a fix and the current status.

2015-07-14: Vendor response - Vendor confirmed vulnerabilities 1) and 2).

Vulnerabilities 3), 4) and 5) are classified as "not vulnerable"

because an attacker requires code execution to exploit them.

Vulnerabilities 1) and 2) are classified as low risk vulnerabilities.

A patch will therefore not be available, a fix is planned for the next

version update which will be released by end of Q3.

2015-07-21: SEC Consult informed McAfee that an advisory will be released on

28.07.2015. SEC Consult informed McAfee that vulnerabilities 3), 4)

and 5) should be fixed as well because code execution can easily be

achieved on a default installation of McAfee Application Control and

therefore it's possible to exploit all the described vulnerabilities.

2015-07-28: Public release of the advisory

 

Solution:

---------

At the time of writing, no solution exists.

The vendor plans to release an update by the end of Q3 2015.

However, this update only fixes some of the found vulnerabilities.

SEC Consult Vulnerability Lab strongly suggests to apply workarounds described

in this advisory, to lower the risk of an attack.

 

Workaround:

-----------

The following list contains configuration settings, hardening guidelines and

measures to secure the system.

*) Configure a strong password to protect McAfee Application Control

Without specifying a password for McAfee Application Control an attacker can

simply interact with the software to disable all protections.

McAfee Application Control does not enforce a strong password complexity.

It is recommended to use a strong password.

Command: sadmin passwd

 

*) Remove powershell.exe from the list of default whitelisted applications

Command: sadmin.exe unsolidify C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe

Command: sadmin.exe unsolidify C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

(and all other occurrences of powershell.exe, e.g. in C:\Windows\winsxs\...)

 

*) Remove the default whitelisted ZIP application from the whitelist

Command: sadmin.exe unsolidify C:\Program Files\McAfee\Solidcore\Tools\GatherInfo\zip.exe

 

*) Remove interpreters (e.g. python, perl), debuggers, outdated software and other

applications which can be abused (e.g. java) from the whitelist

 

*) Only whitelist required software

To decrease the attack surface the list of whitelisted software should be as minimal

as possible.

 

*) Disable memory corruption protections from McAfee Application Control

This ensures that scinject.dll does not allocate a write- and executable

section in all applications. Since the protections offered by McAfee

Application Control correlate to the protections from the operating system,

these protections can be disabled. Only in some special situations

(e.g. the underlying hardware does not support hardware based DEP)

these protections should not be disabled.

Command: sadmin features disable mp

Command: sadmin features disable mp-casp

Command: sadmin features disable mp-vasr

Command: sadmin features disable mp-vasr-forced-relocation

 

*) Add JS and HTA files to the list of protected scripts

Per default McAfee Application Control does not protect the system from

malicious JS or HTA files. To secure this the hidden scripts command

can be used:

Command: sadmin.exe scripts add .js cscript.exe wscript.exe

Command: sadmin.exe scripts add .hta mshta.exe

 

*) Remove processes from the list of updaters / do not use the updater list

This recommendation is hard to follow because systems should

regularly be updated. However, the list of update process can be abused by

attackers. Therefore it's recommended to remove all elements from

the list. The recommended way to deal with updates is to add the

update process just before applying the update and remove the update process

after the system is successfully updated.

Command: sadmin.exe updaters list (get a list of all configured updaters)

Command: sadmin.exe updaters remove *name* (remove the identified updaters)

 

*) Do not configure trusted volumes

Trusted volumes completely bypass application whitelisting.

Therefore trusted volumes should not be configured.

Command: sadmin.exe trusted -l (get a list of all configured trusted volumes)

Command: sadmin.exe trusted -r *name* (remove the identified trusted volumes)

 

*) Regularly apply software and system updates.

This recommendation is not directly related to McAfee Application Control,

however SEC Consult Vulnerability Lab sees the importance to explicitly

mention this here. Keeping the system and all installed software

up-to-date is absolutely mandatory for the security of the system.

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

EOF R. Freingruber / @2015