Vulnerabilities > CVE-2018-6674 - Missing Encryption of Sensitive Data vulnerability in Mcafee Virusscan Enterprise 8.8.0

047910
CVSS 3.9 - LOW
Attack vector
PHYSICAL
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
low complexity
mcafee
CWE-311
nessus
NVD
Published: 2018-05-25
Updated: 2023-11-07

Summary

Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 13 allows local users to spawn unrelated processes with elevated privileges via the system administrator granting McTray.exe elevated privileges (by default it runs with the current user's privileges).

Vulnerable Configurations

Part Description Count
Application
Mcafee
1
OS
Microsoft
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Interception
    An attacker monitors data streams to or from a target in order to gather information. This attack may be undertaken to gather information to support a later attack or the data collected may be the end goal of the attack. This attack usually involves sniffing network traffic, but may include observing other types of data streams, such as radio. In most varieties of this attack, the attacker is passive and simply observes regular communication, however in some variants the attacker may attempt to initiate the establishment of a data stream or influence the nature of the data transmitted. However, in all variants of this attack, and distinguishing this attack from other data collection methods, the attacker is not the intended recipient of the data stream. Unlike some other data leakage attacks, the attacker is observing explicit data channels (e.g. network traffic) and reading the content. This differs from attacks that collect more qualitative information, such as communication volume, or other information not explicitly communicated via a data stream.
  • Screen Temporary Files for Sensitive Information
    An attacker exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an attacker might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the attacker could recover this from the web cache.
  • Sniffing Attacks
    An attacker monitors information transmitted between logical or physical nodes of a network. The attacker need not be able to prevent reception or change content but must simply be able to observe and read the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information. Any transmission medium can theoretically be sniffed if the attacker can listen to the contents between the sender and recipient.
  • Sniffing Network Traffic
    An attacker monitoring network traffic between nodes of a public or multicast network. The attacker need not be able to prevent reception or change content but must simply be able to observe and read the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information. This differs from other sniffing attacks in that it is over a public network rather via some other communications channel, such as radio.
  • Lifting Sensitive Data from the Client
    An attacker examines an available client application for the presence of sensitive information. This information may be stored in configuration files, embedded within the application itself, or stored in other ways. Sensitive information may include long-term keys, passwords, credit card or financial information, and other private material that the client uses in its interactions with the server. While servers are (hopefully) protected with professional security administrators, most users may be less skilled at protecting their clients. As a result, the user client may represent a weak link that an attacker can exploit. If an attacker can gain access to a client installation, they may be able to detect and lift sensitive information that could be used directly (such as financial information), or allow the attacker to subvert future communication between the client and the server. In some cases, it may not even be necessary to gain access to another user's installation - if all instances of the client software are embedded with the same sensitive information (for example, long term keys for communication with the server) then the attacker must simply find a way to gain their own copy of the client in order to perform this attack.

Nessus

NASL familyWindows
NASL idMCAFEE_VSE_SB10237.NASL
descriptionThe version of McAfee VirusScan Enterprise (VSE) installed on the remote Windows host is prior to 8.8 Patch 13. It is, therefore, affected by a privilege escalation vulnerability.
last seen2020-06-02
modified2018-06-01
plugin id110272
published2018-06-01
reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/110272
titleMcAfee VirusScan Enterprise < 8.8 Patch 13 Privilege Escalation Vulnerability (SB10237)
code
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(110272);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/19");

  script_cve_id("CVE-2018-6674");
  script_bugtraq_id(104180);
  script_xref(name:"MCAFEE-SB", value:"SB10237");
  script_xref(name:"IAVA", value:"2018-A-0175-S");

  script_name(english:"McAfee VirusScan Enterprise < 8.8 Patch 13 Privilege Escalation Vulnerability (SB10237)");

  script_set_attribute(attribute:"synopsis", value:
"The antivirus application installed on the remote Windows host is
affected by a privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of McAfee VirusScan Enterprise (VSE) installed on the
remote Windows host is prior to 8.8 Patch 13. It is, therefore,
affected by a privilege escalation vulnerability.");
  script_set_attribute(attribute:"see_also", value:"https://kc.mcafee.com/corporate/index?page=content&id=SB10237");
  script_set_attribute(attribute:"solution", value:
"Upgrade to McAfee VirusScan Enterprise version 8.8 Patch 13.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6674");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:virusscan_enterprise");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mcafee_installed.nasl");
  script_require_keys("Antivirus/McAfee/installed");
  script_require_ports(139, 445);

  exit(0);
}

include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");

get_kb_item_or_exit("Antivirus/McAfee/installed");
product_name = get_kb_item_or_exit("Antivirus/McAfee/product_name");
product_version = get_kb_item_or_exit("Antivirus/McAfee/product_version");

product_path = get_kb_item_or_exit("Antivirus/McAfee/product_path");
app = "McAfee VirusScan Enterprise";

if (app >!< product_name)
  audit(AUDIT_INST_VER_NOT_VULN, product_name);

if (product_version !~ "^8\.8\.")
  audit(AUDIT_INST_VER_NOT_VULN, product_name, product_version);

fix = '8.8.0.2114';

# Check coptcpl.dll version
dll = product_path+"coptcpl.dll";
ver = hotfix_get_fversion(path:dll);

hotfix_handle_error(error_code:ver['error'],
                    file:dll,
                    appname:app,
                    exit_on_fail:TRUE);

hotfix_check_fversion_end();

version = join(sep:".", ver["value"]);

if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  port = get_kb_item("SMB/transport");
  if (isnull(port)) port = 445;

  order  = make_list('File', 'Installed version', 'Fixed version');
  report = make_array(order[0],dll, order[1],version, order[2],fix);
  report = report_items_str(report_items:report, ordered_fields:order);
  security_report_v4(extra:report, port:port, severity:SECURITY_NOTE);
}
else audit(AUDIT_INST_VER_NOT_VULN, product_name, version);

References