Patch now: McAfee enterprise AV for Linux riddled with remotely exploitable bugs

Intel Security took half a year to patch 10 bugs
  • Liam Tung (CSO Online)
  • 13 December, 2016 12:16

Intel Security has rolled out patches to remedy four high and six medium severity flaws that a remote attacker can combine to execute code as the root user. Andrew Fasano, a security researcher with MIT’s national security technology research centre, Lincoln Lab, reported the issues through US CERT in June, however Intel’s fix only arrived last week on December 9.

As CERT notes in its advisory, another researcher Shelby Kaba also found that one of the issues affects Virus Scan Enterprise for Windows version 8.7i through at least 8.8.

Intel Security said it “highly recommends” customers upgrade to Endpoint Security for Linux (ENSL) 10.2 or later, which resolves vulnerabilities in VirusScan Enterprise for Linux (VSEL) 2.0.3 and earlier.

According to Fasano, the McAfee bugs for Linux date back to version 1.9.2, released in February 2015, through to version 2.0.2, which was released in April 2016.

The key issue Fasano found that the VSEL web interface doesn’t do enough to restrict what data an attacker can send to the main virus scanner, which runs as root.

As he explains, VSEL has one service running as root and another, called nails, running as an unprivileged.

“The main scanner service runs as root and listens on a local Unix socket at /var/opt/NAI/LinuxShield/dev/nails_monitor. The webserver runs as the nails user and listens on 0.0.0:55443.”

“The webserver is essentially a UI on top of the scanner service. When a user makes a request to the webserver, the request is reformatted, sent to the root service and then the user is shown the response rendered in an html template. The web interface doesn't do much to limit what data a malicious user can send to the root service.”

The first of the four high severity bugs, tagged as CVE-2016-8023, relates to VSEL’s authentication scheme and data in it that was wrongly assumed couldn’t be modified by an attacker.

“The web interface uses an authentication cookie that embeds the server start time as the DATE parameter. A remote attacker may be able to brute-force guess the server start time stored in DATE, which may lead to authentication bypass,” notes US CERT.

Bug CVE-2016-8024 is a result of failing to neutralize CR and LF characters in HTTP headers.

“A remote attacker may be able to spoof an HTTP GET request for a CSV export of the system logs with newlines encoded in the URL in such a manner that arbitrary HTTP headers may be spoofed in the server response,” notes US CERT.

Bug CVE-2016-8020 describes a code-injection flaw related to the final page in McAfee’s system scan form.

“The nailsd.profile.ODS_9.scannerPath variable contains the path that the system will execute to run the scan. An authenticated remote user may manipulate this value in the HTTP request to execute an arbitrary binary as the root user,” US CERT explains.

Finally, CVE-2016-8022 refers to another authentication bypass linked to an authentication cookie that contains the user’s IP address, which an attacker can manipulate to make the cookie appear as if it came from the user’s IP address.

Fasano originally intended to publish details of the bugs on August 23 after reporting it to US CERT in June. However, in July McAfee asked Fasano to defer publication until September or December. McAfee halted communications with Fasano until December 5 when it informed him he could disclose the bugs on Monday, a few days after it published its bulletin.

Had the bugs been reported by Google’s Project Zero team, Intel Security would have had 90 days to either inform customers, or roll out fixes.

Project Zero’s lead antivirus researcher Tavis Ormandy has reported numerous bugs in popular security products, highlighting the risk of flaws in products that are meant to protect users but instead may endanger them, in particular due to them running in privileged processes.

“Intel's McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it's not particularly popular, and it looks like it hasn't been updated in a long time,” wrote Fasano, explaining why he decided to probe the McAfee products.