
McAfee response to GitHub Post – HackStory / McAfeePrivesc.md - 1 Feb 2016
Technical Articles ID:   KB86503
Last Modified:  4/7/2017


Environment

McAfee Agent 5.x, 4.x
McAfee ePolicy Orchestrator 5.x
McAfee VirusScan Enterprise 8.8

Summary

A claim of exploitability was made against VirusScan Enterprise 8.8 and was published without prior notification to McAfee.
 
According to the author of the post, an attacker can use a low-privilege account to manipulate a VSE file on successive systems. In this scenario, on the second of these systems, the attacker must already hold elevated privileges in order to gain unauthorized privilege escalation on an Active Directory Domain Controller. This exploit could allow the attacker to access all workstations within the domain.
 
Affected Component:
SiteList.xml

For additional information on the original vulnerability claim, see:
 
 
CWE-16: Configuration
 
CWE-269: Improper Privilege Management

Cause

This issue exists only when too much privilege has been granted to an account that is used to retrieve McAfee product updates from UNC shares and other update sites.

Solution

This is not a security flaw in any McAfee product. This vulnerability is encountered only when the Active Directory Domain Controller is not properly secured.

It is strongly recommended that you use a Service Account with Read-Only permissions on the share, and that you never use a Domain Admin account to serve product updates.

Recommended methods:
The scenario referenced in KB70999 (Recommendations for download credentials when using UNC shares as software repositories in ePolicy Orchestrator) assumes a static key shared across all deployments worldwide. That assumption holds only for the legacy 1024-bit agent-to-server communication keys used by older agents (McAfee Agent 4.5.x through 4.8.x). Environments that use the newer agent-to-server communication use 2048-bit keys and a different encryption algorithm.

The best practice is to use HTTP Repositories or SuperAgents, which require no credentials for reading repository content. In this scenario the UNC credentials used to populate the HTTP repository never appear in the SiteList.xml file.
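The recommendations above come down to one auditable question: which repository entries in an agent's SiteList.xml still carry stored credentials, and for which account? The following script is an added example written for this article, not McAfee code or a McAfee tool. It walks a SiteList.xml, reports every UNC, HTTP or FTP repository entry, and flags the ones whose credentials are embedded in the file so an administrator can confirm the account is read-only (and not a Domain Admin) or migrate the entry to an HTTP repository or SuperAgent. The element and attribute names it looks for (UNCSite, HttpSite, FTPSite, UseAuth, UseLoggedonUserAccount, DomainName, UserName, Password) are assumptions about the file layout; check them against the file your own agent version produces. The sample document embedded in the script is constructed for the example. Nothing here decrypts the stored password; the audit only needs to know whether one is present.

```python
"""Audit a McAfee Agent SiteList.xml for repository entries with stored credentials.

Added example (not McAfee's code). The element/attribute names below are
ASSUMPTIONS about the SiteList.xml layout; adjust them to match your agent.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Repository element types we expect to find (assumed names).
SITE_TAGS = {"UNCSite", "HttpSite", "FTPSite"}


@dataclass
class Finding:
    site: str          # Name attribute of the repository entry
    kind: str          # UNCSite / HttpSite / FTPSite
    server: str        # Server attribute (host[:port] or host\share)
    account: str       # DOMAIN\user when credentials are stored, else ""
    stored_creds: bool # True if a user name or password is embedded in the file
    advice: str


def _local(tag: str) -> str:
    """Strip any XML namespace prefix, e.g. '{naSiteList}SiteLists' -> 'SiteLists'."""
    return tag.rsplit("}", 1)[-1]


def _text(elem: ET.Element, name: str) -> str:
    """Text of the first direct child with the given local name, or ''."""
    child = next((c for c in elem if _local(c.tag) == name), None)
    return (child.text or "").strip() if child is not None else ""


def audit_sitelist(xml_text: str) -> list:
    """Return one Finding per repository entry, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in SITE_TAGS:
            continue
        user, domain = _text(elem, "UserName"), _text(elem, "DomainName")
        has_secret = bool(user or _text(elem, "Password"))
        if kind == "UNCSite":
            # Entries that reuse the logged-on user's token store no credentials.
            stored = _text(elem, "UseLoggedonUserAccount") != "1" and has_secret
        else:
            stored = _text(elem, "UseAuth") == "1" and has_secret
        account = f"{domain}\\{user}" if stored and domain else (user if stored else "")
        if stored and kind == "UNCSite":
            advice = ("UNC repository with stored credentials: confirm the account has "
                      "read-only share permissions and is not a Domain Admin; prefer an "
                      "HTTP repository or SuperAgent so no credentials are stored.")
        elif stored:
            advice = (f"{kind} requires authentication: consider anonymous read access "
                      "so that no credentials appear in SiteList.xml.")
        else:
            advice = "OK: no credentials stored for this entry."
        findings.append(Finding(elem.get("Name", "?"), kind, elem.get("Server", ""),
                                account, stored, advice))
    return findings


def needs_attention(findings: list) -> list:
    """Only the entries an administrator should act on."""
    return [f for f in findings if f.stored_creds]


# Constructed sample (not a real agent's file): one anonymous HTTP source,
# one UNC share with an embedded service account, one UNC share using the
# logged-on user's account. Password values are placeholders.
SAMPLE_SITELIST = """<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
  <SiteList Default="1" Name="Example">
    <HttpSite Type="fallback" Name="McAfeeHttp" Server="update.example.invalid:80" Enabled="1">
      <RelativePath>Products/CommonUpdater</RelativePath>
      <UseAuth>0</UseAuth><UserName></UserName><Password Encrypted="1"></Password>
    </HttpSite>
    <UNCSite Type="repository" Name="CorpUNC" Server="fileserver\\updates" Enabled="1">
      <ShareName>updates</ShareName>
      <UseLoggedonUserAccount>0</UseLoggedonUserAccount>
      <DomainName>CORP</DomainName><UserName>svc-epo-ro</UserName>
      <Password Encrypted="1">PLACEHOLDER-ENCRYPTED-BLOB</Password>
    </UNCSite>
    <UNCSite Type="repository" Name="LoggedOnUNC" Server="fileserver\\updates2" Enabled="1">
      <UseLoggedonUserAccount>1</UseLoggedonUserAccount>
      <UserName></UserName><Password Encrypted="1"></Password>
    </UNCSite>
  </SiteList>
</ns:SiteLists>"""

if __name__ == "__main__":
    for f in needs_attention(audit_sitelist(SAMPLE_SITELIST)):
        print(f"{f.kind} {f.site} ({f.server}) account={f.account}: {f.advice}")
```

Run it against a copy of the agent's SiteList.xml by replacing the constructed sample with the file contents; the account names it prints are what you then check in Active Directory for group membership and on the share for read-only permissions.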
