McAfee Security Bulletin - McAfee MVT & ePO-MVT update fixes an "Escalation of Privileges" vulnerability
Security Bulletins ID:  SB10040
Last Modified:  10/03/2013


Summary

 
 Who Should Read This Document: Technical and Security Personnel
 Impact of Vulnerability: Privilege Escalation
 CVE Number: None
 US CERT Number: None
 Severity Rating: Medium
 Overall CVSS Score: 6.4
 Recommendations: Run McAfee Virtual Technician (MVT). MVT auto-updates itself to the latest version at the beginning of every run. This is not user configurable.
 Security Bulletin Replacement: None
 Caveats: None
 Affected Software:

MVT 6.5.0.2101 (and earlier)  

 Location of Updated Software: http://mvt.mcafee.com/mvt

Description

McAfee Virtual Technician (MVT) and McAfee ePO-MVT are free tools that scan a system to ensure that the McAfee products are correctly installed and functioning. The tool identifies problems detected during a check-up process and assists with their resolution. ePO-MVT is a version of the MVT tool that can be deployed through ePolicy Orchestrator (ePO).

MVT can be downloaded from multiple locations. The primary download location is: http://mvt.mcafee.com/mvt

MVT 6.5 and earlier contain a vulnerability where the Save() function could be used to cause an escalation of privileges. This issue mainly affects Consumer users, but can also affect Enterprise users who use MVT or have deployed ePO-MVT to systems in their environments for diagnostic purposes. MVT is not tied to a particular McAfee product. Any system could have MVT installed, potentially even systems that do not have McAfee products currently installed.

All of these issues are resolved in MVT 7.1, which was released on March 15, 2013. MVT now validates the caller to check if it is McAfee signed. If it is not signed, MVT does not grant any access to its files.

Additionally, see SB10028 (McAfee Security Bulletin - Vulnerability in MVT & ePO-MVT) published May 04, 2012.

Remediation

Run MVT. MVT auto-updates itself to the latest version when it runs. This function is not user-configurable.

For MVT Users:
Customers can access MVT in their Programs menu to run MVT and be automatically updated to the latest version. If MVT was previously uninstalled, access the McAfee website at http://mvt.mcafee.com/mvt to run MVT and install the updated tool.

MVT Download Instructions:
  1. Launch a web browser and navigate to:

    http://mvt.mcafee.com/mvt

  2. Download and run the MVTInstaller.
  3. Launch the MVT application and follow the onscreen instructions.

If you have MVT installed, you can also remediate the issue by uninstalling the MVT tool. To uninstall MVT, click Start, Control Panel, Add and Remove Programs, then uninstall the program.

For ePO-MVT Users:
McAfee ePO-MVT 1.1.0 is now available for download. This version resolves the vulnerability.

To download ePO-MVT 1.1.0, go to the ePO-MVT download site at:

http://mer.mcafee.com/enduser/downloadepomvt.aspx?lang=English

Workaround

There are no known workarounds. Uninstall or update MVT.

Acknowledgements

McAfee credits High-Tech Bridge Security Research Lab for reporting this flaw and responsible disclosure: https://www.htbridge.com/advisory/HTB23128.

This security bulletin was written by Harold Toomey, Principal Product Security Architect, Product Security Group, McAfee, Inc.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport 

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?
All McAfee customers using MVT 6.5.0.2101 (and earlier).
McAfee recommends that all customers verify that they have applied the latest updates.

NOTE: MVT Version 7.1 is not vulnerable.

Does this vulnerability affect McAfee enterprise products?
Yes, MVT is used by both consumer and enterprise users. A version of MVT (ePO-MVT) is available for deployment through ePO.

How do I know if my MVT is vulnerable or not?

  1. Go to your Microsoft Windows Control Panel and click Add and Remove Programs.
  2. The product version is displayed in the far right column.

NOTE: Versions 6.5.0.2101 (and earlier) are vulnerable. Versions 7.1 (and later) are not vulnerable.

For ePO-MVT:

  1. Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
  2. Create a query in ePO for the product version of the MVT product installed within the organization.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/


What are the CVSS scoring metrics that have been used?

 Base Score: 8.2
 Related exploit range (AccessVector): Network
 Attack complexity (AccessComplexity): Medium
 Level of authentication needed (Authentication): Single Instance
 Confidentiality impact: Complete
 Integrity impact: Complete
 Availability impact: Partial
 Temporal Score: 6.4
 Availability of exploit (Exploitability): Proof of concept code
 Type of fix available (RemediationLevel): Official fix
 Level of verification that vulnerability exists (ReportConfidence): Confirmed

NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:C/I:C/A:P/E:P/RL:O/RC:C)     

What has McAfee done to resolve the issue?
McAfee has released an update to address this security flaw.

Where do I download the fix?
The fix can be downloaded from:

How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

© 2003-2013 McAfee, Inc.