Security Bulletin - Application Control updates resolve unauthorized execution of binary vulnerability (CVE-2014-9920)
Security Bulletins ID:
SB10077
Last Modified: 5/4/2022
Summary
| Field | Value |
| --- | --- |
| Who Should Read This Document | Technical and Security Personnel |
| Impact of Vulnerability | MAC unauthorized execution |
| CVE Number | CVE-2014-9920 |
| US CERT Number | none |
| Severity Rating | Medium |
| Base / Overall CVSS Score | 4.1 / 3.4 |
| Recommendations | Update to: McAfee Application Control 6.0.0 build 9726 or later; McAfee Application Control 6.0.1 build 9068 or later; McAfee Application Control 6.1.0 build 692 or later; McAfee Application Control 6.1.1 build 399 or later; McAfee Application Control 6.1.2 build 426 or later; McAfee Application Control 6.1.3 build 357 or later |
| Security Bulletin Replacement | none |
| Caveats | none |
| Affected Software | McAfee Application Control 6.0.0 (RTW and all HFs earlier than 9726); McAfee Application Control 6.0.1 (RTW and all HFs earlier than 9068); McAfee Application Control 6.1.0 (RTW and all HFs earlier than 692); McAfee Application Control 6.1.1 (RTW and all HFs earlier than 399); McAfee Application Control 6.1.2 (RTW and all HFs earlier than 426); McAfee Application Control 6.1.3 (RTW and all HFs earlier than 357) |
| Location of Updated Software | Product Downloads site |
Description
CVE-2014-9920
Unauthorized execution of binary vulnerability in Application Control (MAC) 6.0.0 before hotfix 9726, 6.0.1 before hotfix 9068, 6.1.0 before hotfix 692, 6.1.1 before hotfix 399, 6.1.2 before hotfix 426, and 6.1.3 before hotfix 357 and earlier allows attackers to create a malformed Windows binary that is considered non-executable and is not protected through the whitelisting protection feature via a specific set of circumstances.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9920
Under a specific set of circumstances, a malformed Windows binary is considered by Application Control (MAC) as non-executable and is not protected through the MAC whitelisting protection feature. Consequently, Windows allows the unauthorized execution of the binary.
We recommend that customers upgrade to any of the updated versions of MAC, as described in the Remediation section of this bulletin.
Remediation
Apply the appropriate hotfix to the currently supported versions of MAC 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, and 6.1.3. These fixes are included with hotfix versions listed below:
| Product | Type | Patch Version | File Name | Release Date |
| --- | --- | --- | --- | --- |
| MAC 6.0.0 | Hotfix | 6.0.0 Build 9726 | SOLIDCOR600-9726_WIN.zip | July 2, 2014 |
| MAC 6.0.1 | Hotfix | 6.0.1 Build 9068 | SOLIDCOR601-9068_WIN.zip | July 2, 2014 |
| MAC 6.1.0 | Hotfix | 6.1.0 Build 692 | SOLIDCOR610-692_WIN.zip | July 2, 2014 |
| MAC 6.1.1 | Hotfix | 6.1.1 Build 399 | SOLIDCOR611-399_WIN.zip | July 2, 2014 |
| MAC 6.1.2 | Hotfix | 6.1.2 Build 426 | SOLIDCOR612-426_WIN.zip | July 2, 2014 |
| MAC 6.1.3 | Hotfix | 6.1.3 Build 357 | SOLIDCOR613-357_WIN.zip | July 2, 2014 |
Application Control Download Instructions:
- Launch Internet Explorer.
- Go to the Product Downloads site.
- Provide your valid grant number.
- Select the product from the available downloads.
- Download the product version as mentioned in the Remediation section.
For instructions to download product updates and hotfixes, see KB56057 - How to download Enterprise product updates and documentation. Review the Release Notes and Installation Guide for instructions on how to install these updates. All documentation is available at our Product Documentation site.
Workaround
None.
Frequently Asked Questions (FAQs)
What is affected by this security vulnerability?
Application Control
Affected Versions:
- Application Control 6.0.0 (RTW and all HFs earlier than 9726)
- Application Control 6.0.1 (RTW and all HFs earlier than 9068)
- Application Control 6.1.0 (RTW and all HFs earlier than 692)
- Application Control 6.1.1 (RTW and all HFs earlier than 399)
- Application Control 6.1.2 (RTW and all HFs earlier than 426)
- Application Control 6.1.3 (RTW and all HFs earlier than 357)
Protected Versions:
- Application Control 6.0.0 build 9726 or later
- Application Control 6.0.1 build 9068 or later
- Application Control 6.1.0 build 692 or later
- Application Control 6.1.1 build 399 or later
- Application Control 6.1.2 build 426 or later
- Application Control 6.1.3 build 357 or later
We recommend that all customers verify that they have applied the latest updates.
How do I know if my product is vulnerable?
- Right click the McAfee tray shield icon on the Windows task bar.
- Select About.
- In the About box, see the product version under the McAfee Application Control section.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website.
What are the CVSS scoring metrics that have been used?
| Metric | Value |
| --- | --- |
| Base Score | 4.1 |
| Related exploit range (AccessVector) | Local |
| Attack complexity (AccessComplexity) | Medium |
| Level of authentication needed (Authentication) | Single Instance |
| Confidentiality impact | Partial |
| Integrity impact | Partial |
| Availability impact | Partial |
| Temporal Score | 3.4 |
| Availability of exploit (Exploitability) | Functional exploit exists |
| Type of fix available (RemediationLevel) | Official fix |
| Level of verification that vulnerability exists (ReportConfidence) | Confirmed |
NOTE: CVSS version 2.0 was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2
What have you done to resolve the issue?
We've released hotfixes to address this security flaw in affected product versions.
Where do I download the fix?
Download the fix from the Product Downloads site. You will need to provide a valid grant number to initiate the download.
Where can I find a list of all Security Bulletins?
All Security Bulletins are published on our Knowledge Center. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to you?
If you have information about a security issue or vulnerability with a product, follow the instructions provided in KB95563 - Report a vulnerability.
How do you respond to this and any other reported security flaws?
Our key priority is the security of our customers. If a vulnerability is found within any of our software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.
We only publish Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.
To view our PSIRT policy, see KB95564 - About PSIRT.
Resources
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
Disclaimer
The information provided in this Security Bulletin is provided as is without warranty of any kind. We disclaim all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall we or our suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if we or our suppliers have been advised of the possibility of such damages. Some states don't allow the exclusion or limitation of liability for consequential or incidental damages, so the preceding limitation may not apply.
Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they shouldn't be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates aren't a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remain at our sole discretion and may be changed or canceled at any time.