McAfee VirusScan for Linux vulnerabilities gave hackers root access

A SECURITY PRODUCT offered by Intel’s security business McAfee has, or had, as many as 10 security vulnerabilities that allowed the execution of code remotely as a root user.

A blog from a security dude from straight outta MIT would have had anyone running McAfee VirusScan running for the hills, had the issues not been fixed already and applicable patches been applied.

“At a first glance, Intel’s McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it’s not particularly popular, and it looks like it hasn’t been updated in a long time,” said Andrew Fasano from MIT Lincoln Laboratory on the semi-explosive blog. “When I noticed all these, I decided to take a look.”

And what a look. Fasano found 10 possible vulnerable points in the software. He had spoken to McAfee before publishing his findings, but only managed to illicit a response when he gave it a week deadline before he would go public.

Fasano says that the issues come about because of the way that the system works. Intel, which is McAfee, issued an update with a lot of fixes in it, and a lot of CVEs.

“The webserver is essentially a UI on top of the scanner service. When a user makes a request to the webserver, the request is reformatted, sent to the root service and then the user is shown the response rendered in an html template,” he added.

“The web interface doesn’t do much to limit what data a malicious user can send to the root service.”

McAfee issued fixes for the issues for VirusScan last Friday, and the firm put out a blog post went live this week.

“VSEL 2.0.3 (and earlier) is vulnerable to the following published security vulnerabilities. The ENSL 10.2 release resolves the following vulnerabilities. Intel Security highly recommends that all customers upgrade from VSEL to ENSL,” said the firm.

“Intel Security credits Andrew Fasano who reported these issues to CERT.


. . . . . . . .

Leave a Reply