Operating System:

[Linux]

Published:

19 September 2018

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0218
 McAfee Security Bulletin - Endpoint Security for Linux Threat Prevention
update fixes privilege escalation vulnerability allowing unprivileged users
                 to delete arbitrary files (CVE-2018-6693)
                             19 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Endpoint Security for Linux Threat Prevention
Operating System:     Linux variants
Impact/Access:        Delete Arbitrary Files -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-6693  
Member content until: Friday, October 19 2018
Reference:            ESB-2018.0746

OVERVIEW

        A vulnerability has been identified in McAfee Endpoint Security for 
        Linux Threat Prevention (ENSLTP) prior to versions 10.2.3 with 
        Hotfix 1251530 and 10.5.1 with Hotfix 1251617. [1]


IMPACT

        McAfee has provided the following details regarding the vulnerability:
        
        "CVE-2018-6693 By exploiting a time of check to time
        of use (TOCTOU) race condition during a specific scanning sequence,
        the unprivileged user is able to perform a privilege escalation to 
        delete arbitrary files." [1]
        
        "An unprivileged user can delete arbitrary files on a Linux system 
        running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and 
        earlier." [1]
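
The bulletin names the bug class (TOCTOU) without implementation detail. The following C sketch is an added illustration, not McAfee code and not a reconstruction of the ENSLTP flaw: it shows the general defensive pattern for a privileged process that checks a file and later deletes it. The names `scan_file` and `delete_scanned` are hypothetical.

```c
/* Added illustration: generic POSIX pattern for a TOCTOU-resistant delete. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
struct scanned {          /* identity recorded at check (scan) time */
    int   dirfd;          /* parent directory, pinned by descriptor */
    dev_t dev; ino_t ino; /* which object was actually scanned */
};

/* Check: pin the directory and record which object was scanned.
 * O_NOFOLLOW guards only the last path component; a full implementation
 * would walk every component with openat() in the same way. */
int scan_file(const char *dir, const char *name, struct scanned *out)
{
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    if (fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0 || !S_ISREG(st.st_mode)) {
        close(dfd);
        return -1;
    }
    out->dirfd = dfd; out->dev = st.st_dev; out->ino = st.st_ino;
    return 0;
}

/* Use: act relative to the pinned directory, and only on the same inode.
 * Returns 0 if deleted, -1 if the entry is gone, changed, or on error. */
int delete_scanned(const struct scanned *s, const char *name)
{
    struct stat st;
    if (fstatat(s->dirfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    if (!S_ISREG(st.st_mode) || st.st_dev != s->dev || st.st_ino != s->ino)
        return -1;
    return unlinkat(s->dirfd, name, 0);
}

int main(int argc, char **argv)
{
    struct scanned s;
    if (argc != 3 || scan_file(argv[1], argv[2], &s) != 0) {
        fprintf(stderr, "usage: %s DIR NAME (regular file in a real directory)\n", argv[0]);
        return EXIT_FAILURE;
    }
    return delete_scanned(&s, argv[2]) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

A narrow window remains between `fstatat` and `unlinkat`, but because both act on the pinned descriptor, any effect stays inside the directory that was originally scanned rather than wherever the path string points later.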


MITIGATION

        McAfee advises:
        
        
        "To remediate this issue, go to the Product Downloads site, and download the 
        applicable product hotfix files:
        
        +-------+--------------+------+-----------------------------------+-----------+
        |Product|Version       |Type  |File Name                          |Release    |
        |       |              |      |                                   |Date       |
        +-------+--------------+------+-----------------------------------+-----------+
        |       |              |      |ISecTP-10.2.3-<build_number>       |           |
        |ENSLTP |10.2.3 Hotfix |Hotfix|-HF1251530-standalone.tar.gz       |September  |
        |       |1251530       |      |ISecTP-10.2.3-<build_number>       |11, 2018   |
        |       |              |      |-HF1251530-ePO.zip                 |           |
        +-------+--------------+------+-----------------------------------+-----------+
        |       |              |      |ISecTP-10.5.1-<build_number>       |           |
        |ENSLTP |10.5.1 Hotfix |Hotfix|-HF1251617-standalone.tar.gz       |September  |
        |       |1251617       |      |ISecTP-10.5.1-<build_number>       |11, 2018   |
        |       |              |      |-HF1251617-ePO.zip                 |           |
        +-------+--------------+------+-----------------------------------+-----------+
        
        Download and Installation Instructions
        See KB56057 for instructions on how to download McAfee products, documentation, 
        updates, and hotfixes. Review the Release Notes and the Installation Guide, 
        which you can download from the Documentation tab, for instructions on how to 
        install these updates." [1]
        
        
        McAfee also provides configuration change instructions in the advisory
        as a temporary workaround for those who cannot upgrade. [1]


REFERENCES

        [1] McAfee Security Bulletin - Endpoint Security for Linux Threat
            Prevention update fixes privilege escalation vulnerability allowing
            unprivileged users to delete arbitrary files (CVE-2018-6693)
            https://kc.mcafee.com/corporate/index?page=content&id=SB10248

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----