McAfee has patched 10 critical vulnerabilities in its VirusScan Enterprise for Linux, reportedly six months after they were disclosed. According to security researcher Andrew Fasano from MIT Lincoln Laboratory, the vulnerabilities when chained could result in the execution of the code remotely as a root user.
"At a first glance, Intel's McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it's not particularly popular, and it looks like it hasn't been updated in a long time," the security advisory reads. "When I noticed all these, I decided to take a look."
Fasano said that attackers could chain the flaws to compromise VirusScan Enterprise for Linux by running malicious update servers. The malicious script after chaining the vulnerabilities is then run by the root user on the victim machine.
The vulnerabilities have been found present from at least version 1.9.2 through version 2.0.2, which was released in April 2016.
Fasano originally reported the vulnerabilities in June through the US computer emergency response team clearing house which passed on the information to McAfee. The security company in return asked for a six month non-disclosure extension until December. The company made no contact after July and was informed on December 5 that the report would be published on December 12.
Fasano detailed the process which requires four of the 10 vulnerabilities to complete the exploit. The first pair, CVE-2016-8016 and CVE-2016-8017 allows an authentication token to be brute-forced and used to connect with McAfee Linux clients.
The attackers then use another flaw CVE-2016-8021 to force the target to create a malicious script. A request is then sent to authenticate the start of virus scan but which will execute the malicious script instead using CVE-2016-8020 and CVE-2016-8021. With these flaws combined, the attackers malicious script is run as root on the victim's machine.
In addition to this, Fasano found six more bugs which include an authenticated SQL injection, CVE-2016-8025, HTTP response splitting (CVE-2016-8024), cross-site scripting (CVE-2016-8019), cross-site request forgery tokens (CVE-2016-8018) and a remote unauthenticated file read and existence test (CVE-2016-8016, CVE-2016-8017).