Troja
Level 14

Multiple Vulnerabilities in McAfee Application Control

Hi all,

I have this information about vulnerabilities in the Application Control product. Does anyone have any information for me?

The tested version was 6.1.3.353. At the moment there is no information on whether the vulnerabilities are fixed in the current version.

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150728-0_McAfee_Application...

Cheers

2 Replies
saucysiem
Level 8

Re: Multiple Vulnerabilities in McAfee Application Control

They just released a hotfix for 6.1.3 on Monday morning. Not sure if any of these specific findings have been addressed, however the link you provided offers some remedies. You can create an SC: Run Commands task and include multiple commands for each of their suggestions below (test and verify before applying to a live environment). Ensure that the client CLI is in lockdown before running any SC: Run Commands task, as clients will ignore any tasks sent from ePO if the CLI is in a "recovered" state.

Workaround:

-----------

The following list contains configuration settings, hardening guidelines and measures to secure the system.

*) Configure a strong password to protect McAfee Application Control

Without specifying a password for McAfee Application Control an attacker can simply interact with the software to disable all protections. McAfee Application Control does not enforce a strong password complexity. It is recommended to use a strong password. (This can also be set in ePO policy settings under Client Config or locally via the command line.)

Command: sadmin passwd

*) Remove powershell.exe from the list of default whitelisted applications

Command: sadmin unsolidify C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
Command: sadmin unsolidify C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

(and all other occurrences of powershell.exe, e.g. in C:\Windows\winsxs\...)

*) Remove the default whitelisted ZIP application from the whitelist

Command: sadmin.exe unsolidify C:\Program Files\McAfee\Solidcore\Tools\GatherInfo\zip.exe

*) Remove interpreters (e.g. python, perl), debuggers, outdated software and other applications which can be abused (e.g. java) from the whitelist

*) Only whitelist required software

To decrease the attack surface the list of whitelisted software should be as minimal as possible.

*) Disable memory corruption protections from McAfee Application Control

This ensures that scinject.dll does not allocate a write- and executable section in all applications. Since the protections offered by McAfee Application Control correlate to the protections from the operating system, these protections can be disabled. Only in some special situations (e.g. the underlying hardware does not support hardware based DEP) should these protections not be disabled.

Command: sadmin features disable mp
Command: sadmin features disable mp-casp
Command: sadmin features disable mp-vasr
Command: sadmin features disable mp-vasr-forced-relocation

*) Add JS and HTA files to the list of protected scripts

By default McAfee Application Control does not protect the system from malicious JS or HTA files. To secure this the hidden scripts command can be used:

Command: sadmin scripts add .js cscript.exe wscript.exe
Command: sadmin scripts add .hta mshta.exe

*) Remove processes from the list of updaters / do not use the updater list

This recommendation is hard to follow because systems should regularly be updated. However, the list of update processes can be abused by attackers. Therefore it's recommended to remove all elements from the list. The recommended way to deal with updates is to add the update process just before applying the update and remove the update process after the system is successfully updated.

Command: sadmin updaters list (get a list of all configured updaters)
Command: sadmin updaters flush (remove the identified updaters) * WARNING: THIS WILL probably block a lot of legitimate changes on protected systems

*) Do not configure trusted volumes

Trusted volumes completely bypass application whitelisting. Therefore trusted volumes should not be configured.

Command: sadmin trusted -l (get a list of all configured trusted volumes)
Command: sadmin trusted flush (removes the identified trusted volumes)

*) Regularly apply software and system updates.

This recommendation is not directly related to McAfee Application Control, however SEC Consult Vulnerability Lab sees the importance to explicitly mention this here. Keeping the system and all installed software up-to-date is absolutely mandatory for the security of the system.

McAfee Application Control (MAC) 6.1.3 Hotfix 12 is now available. This release includes fixes for the following issues:

  • When the inventory is corrupt on a system, the system might erroneously restart in a loop. This issue occurs because the Federal Information Processing Standard (FIPS) driver fails to load on the system, thereby making it difficult for Application Control to detect the corrupt inventory. (4-9922780391)
  • While creating a Windows backup on a system where Application Control is enabled, the system might stop responding. (4-10570835111)


You can sign up for the SNS service to receive notifications about new releases and hotfixes here

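As an added example (not part of saucysiem's reply or the SEC Consult advisory), a PowerShell wrapper for the updater recommendation quoted above: the update process is added to the updater list immediately before the update runs and removed again in a finally block, so the entry does not persist even when the update fails or is interrupted. It assumes sadmin.exe is on PATH, the local CLI accepts commands (not in a recovered state), and that the `sadmin updaters add|remove <path>` subcommand syntax applies to your product version; check `sadmin help updaters` first.

```powershell
# Added example, not from the thread or the SEC Consult advisory.
# Wraps a software update in a temporary updater entry so the updater list is
# back to its previous state afterwards ("add just before, remove right after").
# Assumptions: sadmin.exe is on PATH, the local CLI accepts commands, and the
# 'sadmin updaters add|remove <path>' syntax matches your product version.
param(
    # Executable that performs the update, e.g. a vendor installer (caller supplies the path).
    [Parameter(Mandatory)][string]$UpdaterPath,
    # Arguments handed to that executable; constructed placeholder defaults.
    [string[]]$UpdaterArgs = @('/quiet', '/norestart')
)

function Invoke-Sadmin {
    param([string[]]$SadminArgs)
    $output = & sadmin.exe @SadminArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "sadmin $($SadminArgs -join ' ') failed with exit code $LASTEXITCODE`n$output"
    }
    return @($output)
}

# Snapshot the updater list so any leftover entry can be detected after the run.
$before = Invoke-Sadmin @('updaters', 'list')

try {
    Invoke-Sadmin @('updaters', 'add', $UpdaterPath) | Out-Null
    Write-Host "Temporarily trusted as updater: $UpdaterPath"

    & $UpdaterPath @UpdaterArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Update command exited with code $LASTEXITCODE"
    }
}
finally {
    # Runs even if the update threw or was interrupted, so the updater privilege never lingers.
    Invoke-Sadmin @('updaters', 'remove', $UpdaterPath) | Out-Null
    $after = Invoke-Sadmin @('updaters', 'list')
    if (Compare-Object -ReferenceObject $before -DifferenceObject $after) {
        Write-Warning "Updater list differs from the pre-update snapshot; review 'sadmin updaters list'."
    } else {
        Write-Host "Updater list restored to its pre-update state."
    }
}
```

Run it from an elevated prompt on a test system first, as the thread advises for every SC: Run Commands change.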
aus_mick
Level 10

Re: Multiple Vulnerabilities in McAfee Application Control

Do you know if MAC 6.2 is vulnerable to these exploits?

Regards,

Mick
