McAfee Security Bulletin: VirusScan Enterprise 8.8 Patch 6 and Endpoint Security 10.1 Hotfix 1111757 resolve a memory allocation flaw
Security Bulletins ID:   SB10142
Last Modified:  4/7/2017


Summary

Impact of Vulnerability: Application Protections Bypass
CVE Numbers: CVE-2015-8577
Severity Rating: Low
Base / Overall CVSS v2 Scores: 1.0 / 0.8
Recommendations: Install or update to VSE 8.8.0 Patch 6; update ENS 10.1 to Hotfix 1111757
Security Bulletin Replacement: None
Affected Software: VSE 8.8.0 Patch 5 and earlier; ENS 10.1
Location of Updated Software: http://www.mcafee.com/us/downloads/downloads.aspx


Description

The Buffer Overflow Protection (BOP) feature of VirusScan Enterprise (VSE) 8.8.0 and Endpoint Security (ENS) 10.1 allocates memory pages with RWX (read, write, execute) permissions at predictable addresses in the processes it protects.

For the flaw to be exposed, the BOP feature must be enabled and the targeted application must be included in the list of applications that BOP protects. Only when a protected third-party application is itself vulnerable can an attacker, after exploiting that application's own vulnerability, use the allocated RWX page to copy and then execute malicious code.
 
IMPORTANT:
  • The vulnerability in VSE/ENS is exposed only when an exploitable vulnerability exists in another application that is not a part of a McAfee product. It is not exploitable in isolation.
  • The BOP feature is applicable only to 32-bit systems. For a list of processes protected by BOP, see KB58007.
  • The BOP feature will automatically defer to more sophisticated buffer overflow protections that may be available in other McAfee products, including Host Intrusion Prevention (Host IPS).
CVE Information:

CVE Number: CVE-2015-8577
Vulnerability Title: Memory page with RWX permissions on a constant/predictable address
Publicly Disclosed: Yes
Exploited: No
CVE Page: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8577

Affected Components:
  • Buffer Overflow Protection (BOP) of VSE 8.8.0
  • Buffer Overflow Protection (BOP) of ENS 10.1
The RWX page permission flaw is resolved in VSE 8.8.0 Patch 6 (released on August 26, 2015) and ENS 10.1 Hotfix 1111757 (released December 28, 2015).

Remediation

Go to the Product Downloads site and download the applicable product patch/hotfix files:
 
  • Product: VSE 8.8.0
    Type: Patch
    Version: 8.8.0 Patch 6
    File Name: VSE880p6.zip
    Release Date: August 26, 2015
  • Product: ENS 10.1
    Type: Hotfix
    Version: 1111757
    File Names: Threat Prevention: Threat_Prevention_10_1_0_HF1111757_Client.zip; Web Control: Web_Control_10_1_0_HF1112734_Client.zip
    Release Date: December 28, 2015

For additional information on this update, such as remediation steps and compatibility issues, see PD26069 - VirusScan Enterprise 8.8.0 Patch 6 Release Notes or PD26325 - Endpoint Security 10.1 Hotfix 1111757, 1112734 Release Notes.

Download and Installation Instructions
See KB56057 for instructions on how to download McAfee products, documentation, security updates, patches, and hotfixes. Review the Release Notes and the Installation Guide, which you can download from the Documentation tab, for instructions on how to install these updates.

Product Specific Notes

Affected Versions:
  • VSE 8.8.0 with Patch 5 and earlier patches on 32-bit systems with the Buffer Overflow Protection (BOP) feature enabled.
  • ENS 10.1 on 32-bit systems with the Buffer Overflow Protection (BOP) feature enabled.
Protected Versions:
  • VSE 8.8.0 Patch 6 and later, on all systems
  • All VSE 8.8.0 versions on 64-bit systems
  • All previous versions of ENS, on all systems
  • ENS 10.1 on 64-bit systems

Workaround

Any of the following options will successfully mitigate the flaw:
  • Disable the BOP feature locally or via the ePolicy Orchestrator (ePO) console. You can minimize the risk of disabling BOP by ensuring that all protected processes are at current patch levels.
  • Ensure that all protected processes are at current patch levels. In the absence of a vulnerability in the protected process, this vulnerability does not present any risk.
  • Change the BOP configuration using exclusions. You can exclude specific process names from within the BOP configuration settings. For details on configuring BOP exclusions, see KB84283 or consult the Product Guide for your software version.
  • Manually disable the BOP feature by modifying the registry settings:
    1. Open the registry editor and navigate to:
       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking
    2. Set the Value data for BOPEnabled to 0.
  • Confirm that Host IPS is installed on the system. The BOP feature automatically defers to the Generic Buffer Overflow Protection (GBOP) feature of Host IPS.

Mitigations

None.

Acknowledgements

McAfee credits Tomer Bitton (tomer@ensilo.com) from EnSilo for reporting this flaw.

Frequently Asked Questions (FAQs)

How do I know whether my McAfee product is vulnerable or not?

For Endpoint products:
Use the following instructions for endpoint or client-based products:
  1. Right-click on the McAfee tray shield icon on the Windows task bar.
  2. Select Open Console.
  3. In the console, select Action Menu.
  4. In the Action Menu, select Product Details. The product version is displayed.
For ePO / Server products:
Use the following instructions for server-based products:
  • Check the version and build of ePO that is installed. For more information on how to check the version, see KB52634.
  • Or, create a query in ePO for the product version of the product installed within your organization.
For Appliances:
Use the following instructions for Appliance-based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version is displayed.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.

When calculating CVSS v2 scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.

CVSS v3 scoring is in final review as of March 2015. CVSS v2 will be replaced with CVSS v3 when v3 is fully approved.
https://www.first.org/cvss/v3/development
https://www.first.org/cvss/calculator/3.0
What are the CVSS scoring metrics that have been used?

1073094 - Memory page with RWX permissions on a constant/predictable address

Base Score: 1.0
  Related exploit range (AccessVector): Local
  Attack complexity (AccessComplexity): High
  Level of authentication needed (Authentication): Single
  Confidentiality impact: None
  Integrity impact: Partial
  Availability impact: None
Temporal Score (Overall): 0.8
  Availability of exploit (Exploitability): Proof of concept code
  Type of fix available (RemediationLevel): Official fix
  Level of verification that vulnerability exists (ReportConfidence): Confirmed

NOTE: The CVSS version 2.0 vector below was used to generate this score.
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:L/AC:H/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C)

Where can I find a list of all security bulletins or how do I report a product vulnerability?
To find a list of all security bulletins, or if you have information about a security issue or vulnerability with a McAfee product, please visit our product security website at: http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx.


Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
 
Any future product release dates mentioned in this security bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
