Attackers can exploit flaws in McAfee enterprise software for root access

Vendor ends six-month wait for patches.

McAfee has issued patches for ten flaws in its enterprise version of VirusScan for Linux that allow attackers to remotely take over a system, after originally being notified of the security holes six months ago. 

MIT Lincoln Laboratory researcher Andrew Fasano yesterday revealed he had reported to McAfee in June that attackers could remotely execute code as a root user by combining ten separate security vulnerabilities.

Four of the flaws are deemed critical. Attackers can exploit CVE-2016-8020, CVE-2016-8021, CVE-2016-8022, and CVE-2016-8023 to escalate their privileges to root and remotely force the target machine to run a malicious script.

The six additional flaws involve a cross-site scripting vulnerability, file test and read bugs, HTTP response splitting, token forgery, and authenticated SQL injection.

The vulnerabilities exist in at least VirusScan Enterprise for Linux version 1.9.2 to version 2.0.2, released in April, Fasano said.

"At a first glance, Intel's McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it's not particularly popular, and it looks like it hasn't been updated in a long time," Fasano said.

"When I noticed all these, I decided to take a look."

He said he reported the flaws to McAfee in June.

Public disclosure had initially been set for August, but Fasano said the company requested an extension until September at the earliest.

He claims to have heard nothing for three months after the September deadline. In the first week of December, he gave McAfee a public disclosure date of December 12.

McAfee published a security bulletin and assigned the CVE IDs on December 9.

Copyright © iTnews.com.au . All rights reserved.