Ten vulnerabilities have been found in Intel Security's McAfee VirusScan Enterprise for Linux. Several of them can be chained together to achieve remote code execution with root privileges.
A few months ago, Andrew Fasano, a security expert at the Massachusetts Institute of Technology Lincoln Laboratory, found multiple vulnerabilities in McAfee VirusScan Enterprise for Linux (VSEL). The vulnerabilities exist in VSEL versions 1.9.2 through 2.0.2. In his blog he describes them in detail and shows that several of them can be combined to execute code remotely with root privileges.
10 vulnerabilities, of which 4 are high risk
As early as June this year, Fasano submitted a vulnerability report to Intel Security through CERT/CC (the U.S. Computer Emergency Response Team Coordination Center). The public disclosure date was originally scheduled for August, but the McAfee security team did not agree, and after consultation with Fasano it was postponed to September or even December. Three months passed quietly. On December 5th, McAfee moved its disclosure ahead of the scheduled date of December 12th, and on December 9th it released a security bulletin and assigned CVE IDs to the vulnerabilities.
According to the bulletin, McAfee VirusScan Enterprise for Linux is affected by many kinds of vulnerabilities, including information disclosure, cross-site request forgery (CSRF), cross-site scripting (XSS), remote code execution, privilege escalation, improper neutralization of special elements, authentication brute-force enumeration, SQL injection and arbitrary file write.
Fasano wrote in a blog post:
A Linux system running Intel's McAfee VirusScan Enterprise is exposed to remote attacks because of a number of security vulnerabilities. Some of these vulnerabilities can be combined to execute remote code with root privileges.
Of the 10 vulnerabilities, 4 are high risk and the remaining 6 are medium risk.
Using 4 vulnerabilities to build an attack chain
Fasano explains the full attack chain that puts McAfee VirusScan Enterprise for Linux at risk.
Everything starts with one vulnerability (CVE-2016-8022), which allows remote use of an authentication token. Another vulnerability (CVE-2016-8023) is needed here to brute-force that token.
The attacker deploys a malicious update server and then triggers CVE-2016-8022 so that the client product uses this malicious update server. Next, the attacker uses the arbitrary file write vulnerability CVE-2016-8021 to create a malicious script, supplied by the update server, on the target. Finally, the privilege escalation vulnerability CVE-2016-8020 allows this malicious script to be executed with root privileges.
In the last step, the attacker sends a malicious request carrying the authentication token to start a virus scan, which causes the malicious script to run with root privileges. Overall, the whole process is as follows:
1. Exploit CVE-2016-8022 and CVE-2016-8023 to brute-force the authentication token;
2. Start running the malicious update server;
3. Use CVE-2016-8022 to send a request carrying the authentication token that changes the update server;
4. Exploit CVE-2016-8021 to force the target device to create a malicious script on its system;
5. Use CVE-2016-8020 and CVE-2016-8021 to send a malicious request carrying the authentication token that starts the virus scanning process but in fact executes the malicious script;
6. The malicious script is executed on the target device with root privileges.
Affected users should upgrade as soon as possible to Endpoint Security for Linux (ENSL) version 10.2 or higher; the VSEL product will soon reach end of life.
CERT/CC (the U.S. Computer Emergency Response Team Coordination Center) also released a security notice to inform customers of the problems in McAfee VirusScan Enterprise for Linux.