2 Replies Latest reply on Oct 14, 2015 4:46 PM by aus_mick

    Multiple Vulnerabilities in McAfee Application Control

    Troja

      Hi all,

      I have this information about vulnerabilities in the Application Control product. Does anyone have some information for me?

      The tested version was 6.1.3.353. At the moment there is no information on whether the vulnerabilities are fixed in the current version.

      https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150728-0_McAfee_Application_Control_Multiple_Vulnerabilities_v10.txt

      Cheers

        • 1. Re: Multiple Vulnerabilities in McAfee Application Control
          saucysiem

          They just released a hotfix for 6.1.3 on Monday morning. Not sure if any of these specific findings have been addressed; however, the link you provided offers some remedies. You can create an SC: Run Commands task and include multiple commands for each of their suggestions below (test and verify before applying to a live environment). Ensure that the client CLI is in lockdown before running any SC: Run Commands task, as clients will ignore any tasks sent from ePO if the CLI is in a "recovered" state.

          Workaround:
          -----------
          The following list contains configuration settings, hardening guidelines and
          measures to secure the system.

          *) Configure a strong password to protect McAfee Application Control
          Without specifying a password for McAfee Application Control an attacker can
          simply interact with the software to disable all protections.
          McAfee Application Control does not enforce strong password complexity.
          It is recommended to use a strong password. (This can also be set in ePO policy settings under Client Config or locally via the command line.)
          Command: sadmin passwd

          *) Remove powershell.exe from the list of default whitelisted applications
          Command: sadmin unsolidify C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
          Command: sadmin unsolidify C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          (and all other occurrences of powershell.exe, e.g. in C:\Windows\winsxs\...)

          *) Remove the default whitelisted ZIP application from the whitelist
          Command: sadmin.exe unsolidify C:\Program Files\McAfee\Solidcore\Tools\GatherInfo\zip.exe

          *) Remove interpreters (e.g. python, perl), debuggers, outdated software and other
          applications which can be abused (e.g. java) from the whitelist

          *) Only whitelist required software
          To decrease the attack surface the list of whitelisted software should be as minimal
          as possible.

          *) Disable memory corruption protections from McAfee Application Control
          This ensures that scinject.dll does not allocate a writable and executable
          section in all applications. Since the protections offered by McAfee
          Application Control correlate to the protections from the operating system,
          these protections can be disabled. Only in some special situations
          (e.g. the underlying hardware does not support hardware based DEP)
          should these protections not be disabled.
          Command: sadmin features disable mp
          Command: sadmin features disable mp-casp
          Command: sadmin features disable mp-vasr
          Command: sadmin features disable mp-vasr-forced-relocation

          *) Add JS and HTA files to the list of protected scripts
          By default McAfee Application Control does not protect the system from
          malicious JS or HTA files. To secure this the hidden scripts command
          can be used:
          Command: sadmin scripts add .js cscript.exe wscript.exe
          Command: sadmin scripts add .hta mshta.exe

          *) Remove processes from the list of updaters / do not use the updater list
          This recommendation is hard to follow because systems should
          regularly be updated. However, the list of update processes can be abused by
          attackers. Therefore it is recommended to remove all elements from
          the list. The recommended way to deal with updates is to add the
          update process just before applying the update and remove the update process
          after the system is successfully updated.
          Command: sadmin updaters list (get a list of all configured updaters)
          Command: sadmin updaters flush (remove the identified updaters) * WARNING: this will probably block a lot of legitimate changes on protected systems

          *) Do not configure trusted volumes
          Trusted volumes completely bypass application whitelisting.
          Therefore trusted volumes should not be configured.
          Command: sadmin trusted -l (get a list of all configured trusted volumes)
          Command: sadmin trusted flush (removes the identified trusted volumes)

          *) Regularly apply software and system updates.
          This recommendation is not directly related to McAfee Application Control,
          however SEC Consult Vulnerability Lab considers it important to explicitly
          mention this here. Keeping the system and all installed software
          up-to-date is absolutely mandatory for the security of the system.

          McAfee Application Control (MAC) 6.1.3 Hotfix 12 is now available. This release includes fixes for the following issues:
          • When the inventory is corrupt on a system, the system might erroneously restart in a loop. This issue occurs because the Federal Information Processing Standard (FIPS) driver fails to load on the system, thereby making it difficult for Application Control to detect the corrupt inventory. (4-9922780391)
          • While creating a Windows backup on a system where Application Control is enabled, the system might stop responding. (4-10570835111)

          You can sign up to the SNS service to receive notifications related to new releases and hotfixes here
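As an added example (not part of the forum post or of the SEC Consult advisory), the sadmin commands quoted in the reply above assembled into one local PowerShell hardening script that a practitioner could run on a test system before building the equivalent SC: Run Commands task. It assumes sadmin.exe is on PATH and the session is elevated; that "sadmin status" prints a "Local CLI access" line reading "Lockdown" or "Recovered"; and that "sadmin recover" and "sadmin lockdown" switch the local CLI between those states (these details come from the sadmin CLI, not from the page). Locally the CLI must be recovered for the commands to be accepted, which is the opposite of the lockdown requirement for ePO-sent tasks mentioned in the reply. The -FlushUpdaters and -DisableMemoryProtection switches are off by default because of the warnings in the advisory, and "sadmin passwd" is left as a manual step because it prompts for input.

```powershell
<#
  Added example, not from the forum post or the SEC Consult advisory: applies
  the advisory's workaround commands through sadmin.exe in one pass, with the
  destructive steps opt-in.

  Assumptions (not stated on the page):
    - sadmin.exe is on PATH and the script runs in an elevated PowerShell.
    - 'sadmin status' prints a "Local CLI access" line reading "Lockdown" or
      "Recovered"; local sadmin commands are only accepted while the CLI is
      recovered ('sadmin recover', which prompts for the password).
    - 'sadmin lockdown' returns the CLI to lockdown afterwards.
  'sadmin passwd' is interactive and is left as a manual step.
#>
[CmdletBinding()]
param(
    [switch]$FlushUpdaters,           # advisory warns this blocks legitimate changes
    [switch]$DisableMemoryProtection  # keep protections where hardware DEP is absent
)
$ErrorActionPreference = 'Stop'

function Invoke-Sadmin {
    # Run one sadmin command, fail loudly on a non-zero exit code, return its stdout.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $cmd = "sadmin $($Arguments -join ' ')"
    Write-Verbose $cmd
    $out = & sadmin @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$cmd failed (exit $LASTEXITCODE): $out" }
    return $out
}

# 0. Precondition: a locked-down local CLI rejects every command below, so stop early.
$status = (& sadmin status) | Out-String
if ($status -match 'Local CLI access:\s*Lockdown') {
    throw "Local CLI is in lockdown; run 'sadmin recover' first, then re-run this script."
}

# 1. Cover JS and HTA, which the advisory says are not protected by default.
Invoke-Sadmin @('scripts', 'add', '.js', 'cscript.exe', 'wscript.exe')
Invoke-Sadmin @('scripts', 'add', '.hta', 'mshta.exe')

# 2. Trusted volumes bypass whitelisting completely: record what was there, then flush.
Write-Host 'Trusted volumes before flush:'
Invoke-Sadmin @('trusted', '-l') | Write-Host
Invoke-Sadmin @('trusted', 'flush')

# 3. Updaters: always list them (this is the abuse path), flush only on request.
Write-Host 'Configured updaters:'
Invoke-Sadmin @('updaters', 'list') | Write-Host
if ($FlushUpdaters) { Invoke-Sadmin @('updaters', 'flush') }

# 4. Memory-protection features, opt-in: the advisory says they duplicate OS protections.
if ($DisableMemoryProtection) {
    foreach ($feature in 'mp', 'mp-casp', 'mp-vasr', 'mp-vasr-forced-relocation') {
        Invoke-Sadmin @('features', 'disable', $feature)
    }
}

# 5. Unsolidify the bundled zip.exe and every powershell.exe under the Windows
#    directory (System32, SysWOW64 and WinSxS copies). This runs last: the
#    current PowerShell process keeps executing, but new launches of any
#    powershell.exe are blocked from here on.
$targets = @("$env:ProgramFiles\McAfee\Solidcore\Tools\GatherInfo\zip.exe")
$targets += Get-ChildItem -Path $env:SystemRoot -Filter 'powershell.exe' -Recurse -File `
                -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
foreach ($path in $targets) {
    if (Test-Path -LiteralPath $path) { Invoke-Sadmin @('unsolidify', $path) }
}

# 6. Lock the CLI again so ePO-sent tasks are accepted and local changes need the password.
Invoke-Sadmin @('lockdown')
```

Run it first with -Verbose and without the two switches to see which updaters and trusted volumes exist on the box; the updater list in particular is where legitimate patching processes live, so flushing it without a replacement update procedure (add the updater, patch, remove it again, as the advisory describes) will break maintenance on that host.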

          • 2. Re: Multiple Vulnerabilities in McAfee Application Control
            aus_mick

            Do you know if MAC 6.2 is vulnerable to these exploits?

            Regards,
            Mick