Loading...

Knowledge Center


McAfee Security Bulletin - Vulnerability in MVT & ePO-MVT
Security Bulletins ID:  SB10028
Last Modified:  01/13/2014
Rated:


Summary

 Who should read this document: Technical and Security Personnel
 Impact of Vulnerability:  Security Bypass Remote Code Execution
 CVE Number:  None
 US CERT Number:  None
 Severity Rating:  Critical
 Overall CVSS Rating:  7
 Recommendations: Uninstall McAfee Virtual Technician v6.3 or earlier, or re-download and re-install McAfee Virtual Technician v6.4 or later
 Security Bulletin Replacement:  None
 Caveats:  Internet Explorer must be running for this vulnerability to be exploited
 Affected Software: McAfee Virtual Technician 6.3.0.1911 and earlier
 Location of updated software:  http://mvt.mcafee.com/mvt

 

Description

McAfee Virtual Technician (MVT) and McAfee ePO-MVT are free tools that will scan a system to ensure that the McAfee products are installed correctly.   This tool will identify possible problems and help resolve problems detected during a check-up process.

MVT can be downloaded from multiple locations.   The primary download location is:   http://mvt.mcafee.com/mvt

McAfee Virtual Technician v6.3 and earlier installed an ActiveX control that contained a vulnerability.   This vulnerability allows an attacker to bypass Internet Explorer browser security settings to remotely execute operating system commands.   An Internet Explorer script can also be created to remotely crash the browser by specifying an arbitrary memory address.   It is possible for a malicious website to exploit the MVT vulnerability and run malicious code.  

This issue mainly affects consumer users, however it also affects enterprise users who have MVT or have deployed ePO-MVT onto their machines.

In order for this attack to be effective, users would need to have installed MVT on their machine and that machine would need to have Internet Explorer, or other browser that supports ActiveX controls, up and running.   The attacker would only be granted the same privileges as the currently logged in user, which may or may not have administrator privileges.   With a cleverly crafted set of operating system commands on a computer run by a user with administrator rights, full access could be granted to the attacker.   This could cause a significant disruption starting with a single computer, which may be trusted by other computers on the network.

MVT is not tied to a particular McAfee product.   Any system could have MVT installed; potentially even those systems which have uninstalled their McAfee products.
 

Remediation

For MVT Users
Customers can access MVT in their Programs menu to run MVT and be automatically updated to the latest version.   If MVT was previously uninstalled, access the McAfee website at http://mvt.mcafee.com/mvt to run MVT and recover install the updated tool.

McAfee Virtual Technician download Instructions.

  1. Launch Internet Explorer.
  2. Navigate to: http://mvt.mcafee.com/mvt.
  3. Click Scan your system now.
  4. Follow the onscreen directions.
  5. Download and run the MVTInstaller.


Users with MVT can choose to remediate by uninstalling the MVT tool. To uninstall MVT, go to the Microsoft Windows Control Panel, access Add and Remove Programs and uninstall the program.
 
For ePO-MVT Users
McAfee ePO-MVT 1.0.8 is now available for download. This version resolves the vulnerability in this McAfee tool.

To download ePO-MVT 1.0.8, go to the ePO-MVT download site at: http://mer.mcafee.com/enduser/downloadepomvt.aspx?lang=English.  

 

Acknowledgements

This vulnerability was first disclosed by BugTraq.

Support

Corporate Technical Support:

Frequently Asked Questions (FAQs)

Who is affected by this security vulnerability?
All McAfee customers using McAfee Virtual Technician 6.3.0.1911 and earlier.
McAfee recommends that all customers verify that they have applied the latest updates.

Does this vulnerability affect McAfee enterprise products?
Yes, McAfee Virtual Technician is used by both consumer and enterprise users.   A version of MVT called ePO-MVT is used by ePO with a different UI.

How do I know if my McAfee Virtual Technician is vulnerable or not?

  1. Go to your Microsoft Windows Control Panel, then access Add and Remove Programs.
  2. The product version is displayed in the far right column.
  3. Versions 6.3.0.1911 and earlier are vulnerable.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/

What are the CVSS scoring metrics that have been used?

 Base Score  9
 Access Vector  Network
 Access Complexity  Medium
 Authentication  None
 Confidentiality Impact  Complete
 Integrity Impact  Complete
 Availability Impact  Partial
 Adjusted Temporal Score  7
 Exploitability  Proof of concept code
 Remediation Level  Official fix
 Report Confidence  Confirmed


NOTE: CVSS version 2.0 was used to generate this score.   http://nvd.nist.gov/cvss.cfm?calculator&version=2

What has McAfee done to resolve the issue?
McAfee has released an update to address this security flaw.

Where do I download the fix?
The fix can be downloaded from:  
• http://mvt.mcafee.com/mvt
• http://mvt.mcafee.com/mvt/en-us/default.html?en-us (English)
• http://www.mcafee.com/us/downloads/free-tools/virtual-technician.aspx (English)
• http://www.mcafee.com/it/downloads/free-tools/virtual-technician.aspx (Italian)

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.


 

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Rate this document

Did this article resolve your issue?

Please provide any comments below

Glossary of Technical Terms


Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.
United States - English
© 2003-2013 McAfee, Inc.