-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SEC Consult Vulnerability Lab Security Advisory < 20150728-0 > ======================================================================= title: McAfee Application Control Multiple Vulnerabilities product: McAfee Application Control vulnerable version: verified in version 6.1.3.353 fixed version: a fixed version is currently not available impact: high homepage: www.mcafee.com/us/products/application-control.aspx found: 28.04.2015 by: R. Freingruber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: - ------------------- "McAfee Application Control software provides an effective way to block unauthorized applications and code on servers, corporate desktops, and fixed-function devices. This centrally managed whitelisting solution uses a dynamic trust model and innovative security features that thwart advanced persistent threats — without requiring signature updates or labor-intensive list management." Source: http://www.mcafee.com/us/products/application-control.aspx Business recommendation: - ------------------------ By combining the vulnerabilities documented in this advisory an attacker can completely bypass the mitigations provided by McAfee Application Control. This especially includes the application whitelisting as well as the read and write protections. Moreover, an attacker can attack the availability of the system. SEC Consult recommends not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: - ----------------------------------- 1) Injected library bypasses protections of the operating system To add memory corruption protections (mp, mp-casp, mp-vasr, mp-vasr-forced-relocation) McAfee Application Control injects it's own library scinject.dll into all running processes. The library allocates a write- and executable location which can be used to bypass the mitigation technique Data Execution Protection (DEP) of the underlying operating system. Moreover, it can also be used to bypass the mitigation technique mp-casp from McAfee Application Control. This increases the possibility to successfully exploit a memory corruption vulnerability. Since memory corruption vulnerabilities can be used to compromise a system and to bypass the application whitelisting protection it is very important to not decrease the security of protections provided by the operating system. 2) Software shipped with an application from 1999 which includes publicly known vulnerabilities McAfee Application Control installs per default a ZIP application from 1999. The ZIP application contains publicly known vulnerabilities including a buffer overflow. An attacker can exploit the buffer overflow vulnerability to bypass application whitelisting. However, a public exploit is not available and exploitation of the vulnerability is considered not trivial. 3) Multiple kernel driver vulnerabilities An attacker can send manipulated IOCTL requests to the kernel which lead to a system crash. These vulnerabilities can be used to affect the availability of the system. It is expected that these vulnerabilities can also be used to escalate privileges to kernel level. 4) Insufficient application whitelisting protection The main feature of McAfee Application Control is application whitelisting. SEC Consult Vulnerability Lab discovered multiple ways to bypass this protection. 5) Insufficient file system read-/write-protection Because of the design of McAfee Application Control write protection is mandatory to ensure the security of application whitelisting. SEC Consult managed to bypass the write protection to overwrite whitelisted applications to achieve full code execution. Moreover, read protection was bypassed to dump the contents of McAfee's password file. By bypassing write protection it's also possible to delete the password file to interact with McAfee Application Control without requiring a password. This can be used to completely disable McAfee Application Control. Proof of concept: - ----------------- Since no fix is available for any of the described vulnerabilities, the proof of concept section was completely removed from the advisory. Vulnerable / tested versions: - ----------------------------- The version 6.1.3.353 was found to be vulnerable. This was the latest version at the time of discovery. Vendor contact timeline: - ------------------------ 2015-06-03: Contacting vendor through security-alerts@mcafee.com Sending PGP encrypted whitepaper to vendor. Informed McAfee about the latest possible release date: 2015-07-24. 2015-06-04: Vendor response - issues will be tracked with case ID SBC1506031 2015-06-08: SEC Consult asked for a release date of a fix. 2015-07-02: SEC Consult asked for a release date of a fix and the current status. 2015-07-13: SEC Consult asked for a release date of a fix and the current status. 2015-07-14: Vendor response - Vendor confirmed vulnerabilities 1) and 2). Vulnerabilities 3), 4) and 5) are classified as "not vulnerable" because an attacker requires code execution to exploit them. Vulnerabilities 1) and 2) are classified as low risk vulnerabilities. A patch will therefore not be available, a fix is planned for the next version update which will be released by end of Q3. 2015-07-21: SEC Consult informed McAfee that an advisory will be released on 28.07.2015. SEC Consult informed McAfee that vulnerabilities 3), 4) and 5) should be fixed as well because code execution can easily be achieved on a default installation of McAfee Application Control and therefore it's possible to exploit all the described vulnerabilities. 2015-07-28: Public release of the advisory Solution: - --------- At the time of writing, no solution exists. The vendor plans to release an update by the end of Q3 2015. However, this update only fixes some of the found vulnerabilities. SEC Consult Vulnerability Lab strongly suggests to apply workarounds described in this advisory, to lower the risk of an attack. Workaround: - ----------- The following list contains configuration settings, hardening guidelines and measures to secure the system. *) Configure a strong password to protect McAfee Application Control Without specifying a password for McAfee Application Control an attacker can simply interact with the software to disable all protections. McAfee Application Control does not enforce a strong password complexity. It is recommended to use a strong password. Command: sadmin passwd *) Remove powershell.exe from the list of default whitelisted applications Command: sadmin.exe unsolidify C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe Command: sadmin.exe unsolidify C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (and all other occurrences of powershell.exe, e.g. in C:\Windows\winsxs\...) *) Remove the default whitelisted ZIP application from the whitelist Command: sadmin.exe unsolidify C:\Program Files\McAfee\Solidcore\Tools\GatherInfo\zip.exe *) Remove interpreters (e.g. python, perl), debuggers, outdated software and other applications which can be abused (e.g. java) from the whitelist *) Only whitelist required software To decrease the attack surface the list of whitelisted software should be as minimal as possible. *) Disable memory corruption protections from McAfee Application Control This ensures that scinject.dll does not allocate a write- and executable section in all applications. Since the protections offered by McAfee Application Control correlate to the protections from the operating system, these protections can be disabled. Only in some special situations (e.g. the underlying hardware does not support hardware based DEP) these protections should not be disabled. Command: sadmin features disable mp Command: sadmin features disable mp-casp Command: sadmin features disable mp-vasr Command: sadmin features disable mp-vasr-forced-relocation *) Add JS and HTA files to the list of protected scripts Per default McAfee Application Control does not protect the system from malicious JS or HTA files. To secure this the hidden scripts command can be used: Command: sadmin.exe scripts add .js cscript.exe wscript.exe Command: sadmin.exe scripts add .hta mshta.exe *) Remove processes from the list of updaters / do not use the updater list This recommendation is hard to follow because systems should regularly be updated. However, the list of update process can be abused by attackers. Therefore it's recommended to remove all elements from the list. The recommended way to deal with updates is to add the update process just before applying the update and remove the update process after the system is successfully updated. Command: sadmin.exe updaters list (get a list of all configured updaters) Command: sadmin.exe updaters remove *name* (remove the identified updaters) *) Do not configure trusted volumes Trusted volumes completely bypass application whitelisting. Therefore trusted volumes should not be configured. Command: sadmin.exe trusted -l (get a list of all configured trusted volumes) Command: sadmin.exe trusted -r *name* (remove the identified trusted volumes) *) Regularly apply software and system updates. This recommendation is not directly related to McAfee Application Control, however SEC Consult Vulnerability Lab sees the importance to explicitly mention this here. Keeping the system and all installed software up-to-date is absolutely mandatory for the security of the system. Advisory URL: - ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF R. Freingruber / @2015 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iQIcBAEBAgAGBQJVt0cgAAoJEC0t17XG7og/AREQAKcO6L1XMsOohTIV2I/6/Qhy FYNW9h7iJ/cSij8by3ktaZzaU40OhZt0ix51A158TWuezHImEqh/uDpz+TCNwviY /Qzl6uDSAqNKro6ZyhEGSpdv75yx5dllRMbhea0h4ugBr8yPKvIb35ZemqbyZ/sz SmcNorYwyJ8u32tJ/FV6+nvsviGlf+6QXYKEt8AtQDUdqkydf/YN+np+Gcmz4wse 5GFp/lX9ZbTSy6jUSfVWaYqr36NdzdZvaxb66qRo0aAlXCPUiRIDy/+x5EdUs5fL i5C1a4rV0qYzw8+Mf+VOj9TB2cwdOUZjftvU4DmKNvPcIA/IpiXXh5jd6B0t8qD1 S0WFglR5LL/MZ3eJts1NCAmgd3JaFBGUUfpy6PfrJGuvOaWIxI3MUJGJLlHcGpzM UKKO056E7OT54FrtxbPyP/J3XjBuXclva0wTeBlw2+t1I8lCYy+iRgDvMk+lTsnS Z+xwfqq46vaMDv7BdV2LEfe6le8q/DNhbVzSC0AqoW9FX7BT8sDwNEu8Ds0R2Ztu Sw4kKPupffm/MU3ovQkRQSfQshlTvh/kz91uIjDhad5i+bKY33eQ442GaHzuM++4 ONVigCzCSuobGjwz6emcq5jPbSkewXrgDaF9WYrIU6W4fNJRPRBCeOs+lsSiYUXL 1G020WXzemUseJZJC4t5 =3xKZ -----END PGP SIGNATURE-----