===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2017
      McAfee Security Bulletin - VirusScan Enterprise update fixes
                           three vulnerabilities
                               11 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VirusScan Enterprise
Publisher:         McAfee
Operating System:  Windows
Impact/Access:     Increased Privileges   -- Remote with User Interaction
                   Modify Arbitrary Files -- Existing Account
                   Unauthorised Access    -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-7280 CVE-2019-3588 CVE-2019-3585

Original Bulletin:
   https://kc.mcafee.com/corporate/index?page=content&id=SB10302

--------------------------BEGIN INCLUDED TEXT--------------------

McAfee Security Bulletin - VirusScan Enterprise update fixes three
vulnerabilities (CVE-2019-3585, CVE-2019-3588, and CVE-2020-7280)

Security Bulletins ID : SB10302
Last Modified         : 6/9/2020

Summary

First Published: June 9, 2020

+----------------------+------------------------------------------------------+
|Impact of             |Permissions, Privileges, and Access Control (CWE-264) |
|Vulnerability:        |Privilege Escalation (CWE-274)                        |
|                      |Data Leakage via Privilege Escalation (CWE-269)       |
+----------------------+------------------------------------------------------+
|                      |CVE-2019-3585                                         |
|CVE ID:               |CVE-2019-3588                                         |
|                      |CVE-2020-7280                                         |
+----------------------+------------------------------------------------------+
|                      |CVE-2019-3585: High                                   |
|Severity Rating:      |CVE-2019-3588: Medium                                 |
|                      |CVE-2020-7280: High                                   |
+----------------------+------------------------------------------------------+
|CVSS v3 Base/Temporal |CVE-2019-3585: 7.0 / 6.3                              |
|Scores:               |CVE-2019-3588: 6.3 / 5.7                              |
|                      |CVE-2020-7280: 7.8 / 7.0                              |
+----------------------+------------------------------------------------------+
|Recommendations:      |Install or update to VirusScan Enterprise (VSE) 8.8   |
|                      |Patch 15                                              |
+----------------------+------------------------------------------------------+
|Security Bulletin     |None                                                  |
|Replacement:          |                                                      |
+----------------------+------------------------------------------------------+
|                      |VSE prior to 8.8 Patch 14 is affected by              |
|Affected Software:    |CVE-2019-3585 and CVE-2019-3588                       |
|                      |VSE prior to 8.8 Patch 15 is affected by CVE-2020-7280|
+----------------------+------------------------------------------------------+
|Location of updated   |https://www.mcafee.com/us/downloads/downloads.aspx    |
|software:             |                                                      |
+----------------------+------------------------------------------------------+

Article contents:

  o Vulnerability Description
  o Remediation
  o Acknowledgments
  o Frequently Asked Questions (FAQs)
  o Resources
  o Disclaimer

Vulnerability Description

CVE-2019-3585

  o By default, McTray.exe is configured to run with the logged in user's
    privileges. If you do not start McTray.exe with elevated privileges, you
    are not impacted by this issue.
  o When the process McTray.exe runs with elevated privileges, VSE might
    spawn a process inheriting the parent's privileges. This issue exposes
    the system to be manipulated by an attacker.

CVE-2019-3588

When a threat is detected and the Alert Notifications are turned on
(On-Access Scan Messages), the 'Alert Message' window would open with Admin
privileges, allowing a standard user to interact with the available menus
with elevated privileges. In certain conditions, this issue may also cause
the On-Access Scan Messages window to pop-up on top of the Windows Lock
Screen.

This update resolves all of the following vulnerabilities.

 1. CVE-2019-3585
    Privilege Escalation vulnerability in Microsoft Windows client
    (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14
    may allow local users to interact with the On-Access Scan Messages -
    Threat Alert Window with elevated privileges via running McAfee Tray
    with elevated privileges.
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3585
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3585

 2. CVE-2019-3588
    Privilege Escalation vulnerability in Microsoft Windows client
    (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14
    may allow unauthorized users to interact with the On-Access Scan
    Messages - Threat Alert Window when the Windows Login Screen is locked.
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3588
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3588

 3. CVE-2020-7280
    Privilege Escalation vulnerability during daily DAT updates when using
    McAfee Virus Scan Enterprise (VSE) prior to 8.8 Patch 15 allows local
    users to cause the deletion and creation of files they would not
    normally have permission to through altering the target of symbolic
    links. This is timing dependent.
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7280
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7280

Remediation

To remediate all these issues, update to VSE 8.8 Patch 15.

Go to the Product Downloads site, and download the applicable product update
file:

+-------+------------+------+------------+
|Product|Version     |Type  |Release Date|
+-------+------------+------+------------+
|VSE    |8.8 Patch 15|Update|June 9, 2020|
+-------+------------+------+------------+

Download and Installation Instructions

See KB56057 for instructions on how to download McAfee products,
documentation, updates, and hotfixes. Review the Release Notes and the
Installation Guide, which you can download from the Documentation tab, for
instructions on how to install these updates.

Acknowledgments

CVE-2019-3585 and CVE-2019-3588 - McAfee credits Patrick Murphy from the
Lockheed Martin Red Team for reporting these flaws.

CVE-2020-7280 - McAfee credits Glennlloyd working with Trend Micro's Zero Day
Initiative for reporting this flaw.

Frequently Asked Questions (FAQs)

How do I know if my McAfee product is vulnerable or not?

For Endpoint products:
Use the following instructions for endpoint or client-based products:

 1. Right-click on the McAfee tray shield icon on the Windows taskbar.
 2. Select Open Console.
 3. In the console, select Action Menu.
 4. In the Action Menu, select Product Details. The product version displays.

What is CVSS?

CVSS, or Common Vulnerability Scoring System, is the result of the National
Infrastructure Advisory Council's effort to standardize a system of assessing
the criticality of a vulnerability. This system offers an unbiased
criticality score between 0 and 10 that customers can use to judge how
critical a vulnerability is and plan accordingly. For more information, visit
the CVSS website at: https://www.first.org/cvss/ .

When calculating CVSS scores, McAfee has adopted a philosophy that fosters
consistency and repeatability. Our guiding principle for CVSS scoring is to
score the exploit under consideration by itself. We consider only the
immediate and direct impact of the exploit under consideration. We do not
factor into a score any potential follow-on exploits that might be made
possible by the successful exploitation of the issue being scored.

What are the CVSS scoring metrics?

 1. CVE-2019-3585: VSE Escalation of Privileges through Alert pop-up window

    +------------------------+--------------------+
    |Base Score              |7.0                 |
    +------------------------+--------------------+
    |Attack Vector (AV)      |Local (L)           |
    +------------------------+--------------------+
    |Attack Complexity (AC)  |High (H)            |
    +------------------------+--------------------+
    |Privileges Required (PR)|None (N)            |
    +------------------------+--------------------+
    |User Interaction (UI)   |Required (R)        |
    +------------------------+--------------------+
    |Scope (S)               |Unchanged (U)       |
    +------------------------+--------------------+
    |Confidentiality (C)     |High (H)            |
    +------------------------+--------------------+
    |Integrity (I)           |High (H)            |
    +------------------------+--------------------+
    |Availability (A)        |High (H)            |
    +------------------------+--------------------+
    |Temporal Score (Overall)|6.3                 |
    +------------------------+--------------------+
    |Exploitability (E)      |Proof-of-Concept (P)|
    +------------------------+--------------------+
    |Remediation Level (RL)  |Official Fix (O)    |
    +------------------------+--------------------+
    |Report Confidence (RC)  |Confirmed (C)       |
    +------------------------+--------------------+

    NOTE: The below CVSS version 3.1 vector was used to generate this score.
    https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1

 2. CVE-2019-3588: Using VSE to bypass Windows Credentials on Lock screen

    +------------------------+--------------------+
    |Base Score              |6.3                 |
    +------------------------+--------------------+
    |Attack Vector (AV)      |Physical (P)        |
    +------------------------+--------------------+
    |Attack Complexity (AC)  |High (H)            |
    +------------------------+--------------------+
    |Privileges Required (PR)|None (N)            |
    +------------------------+--------------------+
    |User Interaction (UI)   |Required (R)        |
    +------------------------+--------------------+
    |Scope (S)               |Unchanged (U)       |
    +------------------------+--------------------+
    |Confidentiality (C)     |High (H)            |
    +------------------------+--------------------+
    |Integrity (I)           |High (H)            |
    +------------------------+--------------------+
    |Availability (A)        |High (H)            |
    +------------------------+--------------------+
    |Temporal Score (Overall)|5.7                 |
    +------------------------+--------------------+
    |Exploitability (E)      |Proof-of-Concept (P)|
    +------------------------+--------------------+
    |Remediation Level (RL)  |Official Fix (O)    |
    +------------------------+--------------------+
    |Report Confidence (RC)  |Confirmed (C)       |
    +------------------------+--------------------+

    NOTE: The below CVSS version 3.1 vector was used to generate this score.
    https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1

 3. CVE-2020-7280: Symbolic Link vulnerability during DAT update

    +------------------------+--------------------+
    |Base Score              |7.8                 |
    +------------------------+--------------------+
    |Attack Vector (AV)      |Local (L)           |
    +------------------------+--------------------+
    |Attack Complexity (AC)  |Low (L)             |
    +------------------------+--------------------+
    |Privileges Required (PR)|Low (L)             |
    +------------------------+--------------------+
    |User Interaction (UI)   |None (N)            |
    +------------------------+--------------------+
    |Scope (S)               |Unchanged (U)       |
    +------------------------+--------------------+
    |Confidentiality (C)     |High (H)            |
    +------------------------+--------------------+
    |Integrity (I)           |High (H)            |
    +------------------------+--------------------+
    |Availability (A)        |High (H)            |
    +------------------------+--------------------+
    |Temporal Score (Overall)|7.0                 |
    +------------------------+--------------------+
    |Exploitability (E)      |Proof-of-Concept (P)|
    +------------------------+--------------------+
    |Remediation Level (RL)  |Official Fix (O)    |
    +------------------------+--------------------+
    |Report Confidence (RC)  |Confirmed (C)       |
    +------------------------+--------------------+

    NOTE: The below CVSS version 3.1 vector was used to generate this score.
    https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1

Where can I find a list of all Security Bulletins?

All Security Bulletins are published on our external PSIRT website at
https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx >
Security Bulletins. Security Bulletins are retired (removed) once a product
is both End of Sale and End of Support (End of Life).

How do I report a product vulnerability to McAfee?

If you have information about a security issue or vulnerability with a McAfee
product, visit the McAfee PSIRT website for instructions at
https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx >
Report a Security Vulnerability.

How does McAfee respond to this and any other reported security flaws?

McAfee's key priority is the security of our customers. If a vulnerability is
found within any of McAfee's software or services, we work closely with the
relevant security software development team to ensure the rapid and effective
development of a fix and communication plan.

McAfee only publishes Security Bulletins if they include something actionable
such as a workaround, mitigation, version update, or hotfix; otherwise we
would simply be informing the hacker community that our products are a
target, putting our customers at greater risk. For products that are updated
automatically, a non-actionable Security Bulletin might be published to
acknowledge the discoverer.

View our PSIRT policy on the McAfee PSIRT website at
https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx >
About PSIRT.

Resources

To contact Technical Support, log on to the ServicePortal and go to the
Create a Service Request page at
https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR :

  o If you are a registered user, type your User ID and Password, and then
    click Log In.
  o If you are not a registered user, click Register and complete the
    required fields. Your password and logon instructions will be emailed to
    you.

Disclaimer

The information provided in this Security Bulletin is provided as is without
warranty of any kind. McAfee disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall McAfee or its suppliers be liable for
any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if McAfee or its suppliers
have been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential or
incidental damages so the preceding limitation may not apply.

Any future product release dates mentioned in this Security Bulletin are
intended to outline our general product direction, and they should not be
relied on in making a purchasing decision. The product release dates are for
information purposes only, and may not be incorporated into any contract. The
product release dates are not a commitment, promise, or legal obligation to
deliver any material, code, or functionality. The development, release, and
timing of any features or functionality described for our products remains at
our sole discretion and may be changed or canceled at any time.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================