Potential vulnerabilities with Application Control 7.0.x and earlier
Technical Articles ID: KB86405
Last Modified: 1/8/2020
Environment
McAfee Application and Change Control (MACC) 7.0.x, 6.2.x, 6.1.x
Summary
This article describes several claimed vulnerabilities in MACC, each asserting a potential bypass of MACC protections. McAfee's analysis has concluded that these issues either do not affect MACC or carry low risk.
Problem
On June 3, 2015, McAfee was provided with a list of potential vulnerabilities in the MACC product.
On July 30, 2015, McAfee responded to the discoverer with a Sustaining Statement. Sustaining Statements are 1–3 page documents sent only to the discoverer for low-severity issues and non-issues.
On January 10, 2016, the discoverer published a detailed article outlining the exact same list of potential vulnerabilities as provided to us in June 2015. The article is titled Bypassing McAfee’s Application Whitelisting for Critical Infrastructure Systems, 2016-01-12.
- http://blog.sec-consult.com/2016/01/mcafee-application-control-dinosaurs.html
- https://www.exploit-db.com/docs/39228.pdf
McAfee has chosen to publish our response in this informational Knowledge Base article to help the public place the discoverer's claims within a customer risk analysis.
The MACC executable/scripting authorization and prevention mechanisms are briefly described in this article. For a complete explanation of these features, see the product documentation.
Items in the whitelist are authorized to execute. Items not in the whitelist are prevented from execution. MACC provides another "scripts list" mechanism to control which script files are prevented and which can execute:
- To authorize execution of an executable (for example, a script interpreter in Portable Executable (PE) format), the executable file name and path must be in the whitelist.
- When the executable is in the whitelist, an interpreter executes every script associated with that executable.
- To control which script files interpreters execute, place the script file extension and interpreter executable file name in the scripts list. See 3.2.1 below for an example.
- After an association is in the scripts list, script files of that extension are prevented from interpretation.
- To execute specific script files, add each required script file name and path to the whitelist.
- When the preceding steps have been performed, only script files that have been explicitly added to the whitelist, and whose extension and interpreter pair is in the scripts list, are interpreted by the whitelisted script interpreter.
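As an added illustration (not McAfee code and not part of this article), the following Python model encodes the whitelist and scripts-list rules just listed and shows how an extension absent from the scripts list (here .hta) runs unchecked, while a controlled extension (.js) must also be whitelisted by path; all paths and list contents are constructed samples.

```python
"""Model of the MACC whitelist / scripts-list decision described above.

Constructed illustration, not McAfee code. Rules modelled:
  1. An executable (including a script interpreter) runs only if its
     path is in the whitelist.
  2. A whitelisted interpreter runs any script it is given, unless the
     script's extension is bound to that interpreter in the scripts list.
  3. Once the extension/interpreter pair is in the scripts list, the
     script file itself must also be in the whitelist by path.
"""
from pathlib import PureWindowsPath
from typing import Optional, Tuple

# Constructed sample whitelist: two interpreters plus one approved script.
WHITELIST = {
    r"C:\Windows\System32\cscript.exe",
    r"C:\Windows\System32\wscript.exe",
    r"C:\Scripts\Approved\inventory.js",
}

# Constructed scripts list: extension -> interpreter names it is bound to.
# .hta is deliberately absent, mirroring the "unchecked file type" claim.
SCRIPTS_LIST = {
    ".js": {"cscript.exe", "wscript.exe"},
    ".ps1": {"powershell.exe"},
}

def _norm(path: str) -> str:
    """Case-insensitive Windows path key."""
    return str(PureWindowsPath(path)).lower()

def is_whitelisted(path: str) -> bool:
    return _norm(path) in {_norm(p) for p in WHITELIST}

def allow_execution(interpreter: str, script: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether `interpreter` may run and, if given, interpret `script`."""
    if not is_whitelisted(interpreter):
        return False, "interpreter not in whitelist"                     # rule 1
    if script is None:
        return True, "whitelisted executable"
    exe_name = PureWindowsPath(interpreter).name.lower()
    ext = PureWindowsPath(script).suffix.lower()
    if exe_name not in SCRIPTS_LIST.get(ext, set()):
        # Extension not controlled for this interpreter: the script runs unchecked.
        return True, "extension not in scripts list for this interpreter"  # rule 2
    if is_whitelisted(script):
        return True, "script in whitelist"                               # rule 3
    return False, "controlled extension and script not in whitelist"
```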
The following sections offer more detail about the discoverer's claims.
Section 3.1.1: Basic Code Execution - Execution of Unchecked File Types HTA and JS
Comments: MACC provides a mechanism to whitelist scripts. It also provides a default common configuration applicable to all customers. Based on their security posture, customers can add to this list. MACC does not allow a script to launch any unauthorized executable. We continue to evaluate the default list.
MACC provides script execution control by associating file extensions with the interpreters that interpret the content of such files. To prevent untrusted execution of .JS and .js files, associate the extension with the "cscript.exe" and "wscript.exe" interpreters in the scripts list. For more information, review the "Configure interpreters to allow execution of additional scripts" section of the Application Control 6.1 Product Guide. You can issue the needed commands from the ePolicy Orchestrator (ePO) console using the SC: Run Commands Client Task.
Result: Not Vulnerable when the whitelist and scripts list are configured appropriately. See the example in section 3.2.1.
Overall CVSS Score: Not Applicable
Section 3.1.2: Basic Code Execution - File Shortcuts
Comments: MACC does not allow execution of an untrusted executable through a shortcut. Stripping binaries, scripts, and shortcuts from email is standard practice.
Result: Not Vulnerable
Overall CVSS Score: Not Applicable
Section 3.1.3: Basic Code Execution - Malicious USB Stick
Comments: MACC provides removable media protection. MACC does not allow execution of an unauthorized binary from a USB stick.
See the "Using a layered approach to security protection" section of the best practices listed in KB85337 - Application Control security best practices.
Result: Not Vulnerable
Overall CVSS Score: Not Applicable
Section 3.1.4: Basic Code Execution - Pass The Hash
Comments: This concerns a Windows authentication workflow that MACC does not control, and it is not applicable to MACC.
See Microsoft's best practices and resources on mitigating pass-the-hash attacks on Microsoft Windows.
Result: Not Applicable
Overall CVSS Score: Not Applicable
Section 3.2.1: Abuse of Whitelisted Applications - PowerShell
Comments: MACC currently provides mechanisms to completely disable unwanted interpreters such as PowerShell by removing them from the whitelist. To still allow execution of scripts associated with a non-whitelisted interpreter (for example, Powershell.exe), use any updater binary or script (for example, a batch file) to start the associated scripts (.ps1 files in this case).
The default whitelist that ships with the product includes PowerShell, based on customer requests. Customers are advised to follow the recommendations in KB85337 - Application Control security best practices. The product is not vulnerable when using the technique described above and when configured according to Application Control security best practices. The default configuration without local customization does allow the described whitelist bypass. This issue has been addressed with the release of MACC 8.0.0-651(GA).
Result: Vulnerable with default configuration
Overall CVSS Score:
Section 3.2.2: Abuse of Whitelisted Applications - Java Applets
Comments: The MACC scripts list can be configured to whitelist Java extensions such as .jar. See the scripts list examples in section 3.2.1 and the generic instructions at the top of this article.
Interpreters such as perl, python, ruby, or other generic interpreters are sometimes present on systems protected by MACC. An authenticated user can use such interpreters to run scripts, or use them in interactive mode. MACC provides several mechanisms to control script interpreters, for example registering the associated file types using script commands, or banning the interpreters by name if they are not needed. All these configurations can be performed via ePolicy Orchestrator (ePO) using policies or client tasks. See KB85337 - Application Control security best practices for more details.
Result: Not Vulnerable
Overall CVSS Score: Not Applicable
Section 3.2.3: Abuse of Whitelisted Applications - Office Macros
Comments: Not a MACC protection workflow. MACC does not allow the execution of any unauthorized executable by macros.
Result: Not Vulnerable
Overall CVSS Score: Not Applicable
Section 3.2.4.1: Memory Corruption Exploitation - Windows XP
Comments: Upon investigation, McAfee has determined that scinject.dll is loaded at a random address due to the MP-VASR feature of MACC. The given attack is possible only when the MP-VASR feature is OFF. It is recommended to keep this feature ON. This issue has an overall CVSS score of 3.5, ranking it as "low."
A fix that changes the behavior of scinject.dll was included with the release of MACC 6.2.0-509(HF9).
Result: Vulnerable
Overall CVSS Score: 3.5/2.6 (Low)
Section 3.2.4.2: Memory Corruption Exploitation - Windows 7.1
Comments: McAfee has determined that scinject.dll is loaded at a random address due to the MP-VASR feature of MACC. The given attack is possible only when the MP-VASR feature is OFF. It is recommended to keep this feature ON. This issue has an overall CVSS score of 3.5, ranking it as "low."
A fix that changes the behavior of scinject.dll was included with the release of MACC 7.0.1-248(GA).
Result: Vulnerable
Overall CVSS Score: 3.5/2.6 (Low)
Section 3.2.4.3: Memory Corruption Exploitation - Windows 8.1
Comments: Memory Protection techniques for Windows 8.1 are now available in MACC 7.0.0, released on February 15, 2016.
Result: Not Applicable
Overall CVSS Score: Not Applicable
Section 3.2.4.4: Memory Corruption Exploitation - Exploitation of Installed ZIP Application
Comments: This issue concerns the presence of an old version of the ZIP binary that could carry a buffer overflow risk.
The vulnerable binary has been updated to the latest version in MACC 6.2.0-476 (and later), which was released on July 30, 2015.
Result: Vulnerable
Overall CVSS Score: 1.5/1.1 (Low)
Section 3.3: Abuse of Whitelisted Applications - Bypassing UAC
Comments: User Account Control (UAC) is a protection and is not a MACC workflow. MACC provides the same protection on a system with or without UAC.
Result: Not Vulnerable
Overall CVSS Score: Not Applicable
Section 4.1: Bypassing Read Write Protection - By Code Injection into Update-Process
Comments: McAfee has determined that for this attack to occur, the ability to execute untrusted code with the rights of the logged-in user is needed.
See the comments in section 3.2.1 for mitigation. MACC prevents execution of untrusted code and recommends that updater policy rules, such as trusted network drive, trusted process, and trusted user, are created with care, because updater processes started in this manner run with the permissions of the logged-in user. See KB85337 - Application Control security best practices for more details. As a general security practice, McAfee recommends that administrator rights be granted on an as-needed basis to trustworthy administrative personnel only.
Result: Not Vulnerable
Overall CVSS Score: Not Applicable
Section 4.2: Bypassing Read Write Protection - By Code Injection into scsrvc.exe
Comments: Same as 4.1 above, but in this case administrator rights are needed to inject code into scsrvc.exe.
See the comments in section 3.2.1 for mitigation.
Result: Not Vulnerable
Overall CVSS Score: Not Applicable
Issue 5: Kernel Driver Vulnerabilities
Comments: This issue is about sending malformed IOCTL commands to crash the system. McAfee has determined that for this attack to occur, the attacker must be able to execute untrusted code that can send malicious IOCTLs. MACC prevents execution of untrusted code and recommends that updater policy rules, such as trusted network drive, trusted process, and trusted user, are created with care. See KB85337 - Application Control security best practices for more details. This issue is fixed in MACC 8.x.
Result: Vulnerable
Overall CVSS Score: CVSSv3 - 5.0/4.5 (Medium)
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Solution
McAfee recommends that customers upgrade to the latest build of MACC 8.x.