CERT/CC Vulnerability Note VU#345233

Overview

McAfee Virex automatic updates may not properly authenticate the source of updates. This may allow a remote attacker to execute arbitrary commands on a vulnerable system.

Description

McAfee Virex is anti-virus software for the Mac OS X platform. McAfee Virex 7 for Mac OS X connects to a remote FTP server to retrieve updates. However, Virex fails to properly authenticate the server or the contents of the retrieved updates. This may allow a remote attacker to spoof the update server and its contents, allowing that attacker to download and execute arbitrary commands on a Virex client system.

Impact

A remote attacker can execute arbitrary commands.

Solution

Apply a patch from McAfee Virex

A patch to address this issue is available by visiting the McAfee SecurityCenter and clicking the update button.

Vendor Information

345233

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

McAfee Affected

Notified: December 01, 2005 Updated: August 28, 2006

Status

Affected

Vendor Statement

McAfee Security Bulletin

Virex 7.7 Update fixes potential arbitrary command execution

Published: February 20, 2006
Version: 1.0

1. SUMMARY

Who should read this document: Technical and Security Personnel
Impact of Vulnerability: Arbitrary file execution
Severity Rating: important
Recommendations: Run product update
Security Bulletin Replacement: None
Caveats: None
Affected Software:

i. McAfee Virex 7.7 (build 163)

ii. McAfee VirusScanâ 10 (not patched since February 02, 2005)

Patch Release: HotFix 255495
Patch File: HF255495.zip
Patch File Checksum: N/A

2. Description

This update fixes a security flaw which has been privately researched and reported. The update has been shown to fix this security flaw, specifically with the list of affected software above. McAfee believes in providing the most secure software to customers and worked closely with the private research team to validate that this update solves the security flaw. A successful exploit of the security flaw would allow an attacker to place arbitrary files on the machine running the indicated software. These files would not be limited to a specific location on the machine, and an attacker would be able to place a file in an arbitrary location. The update has been pushed to all live update servers and available for download at the time of this publishing. This update will remedy the risk
associated with this security flaw.

3. Vulnerability Details

A security vulnerability exists in McAfee Virex. A successful exploit of the security flaw would allow an attacker to place arbitrary files on the machine running the indicated software. These files would not be limited to a specific location on the machine, and an attacker would be able to place a file in an arbitrary location. In order to accomplish this exploit, an attacker would have to have control over all communication between the victim’s computer and the internet. The attack is quite complicated and requires several steps of reverse engineering of the software as well as the communication.
The flaw will allow for substitution of the update package with arbitrary files. The update mentioned provides validation of the update server, downloaded packages, and individual files. The update also provides for secure communication between the update server and the installed software performing the update.

4. Remediation

Prerequisites:
To install this patch, you must have McAfee Virex version 7.7 (build 163) installed on the computer you intend to update. This patch will not work with any earlier versions of the software.

Installation Steps:

iii. Close the Virex application if it is running.

iv. Extract the following files from the HotFix package (HF255495.ZIP) into a folder: VShieldeUpdate digest.plist Install.sh README.TXT

v. Open the Terminal application located under /Applications/Utilities folder.

vi. From the Terminal, go to the folder where you have extracted the HotFix files.

vii. Execute the "Install.sh" script file from the folder by typing the following command at the command line. ./Install.sh

NOTE: You will need to supply your administrator password to execute this script when prompted.

viii. Close the Terminal application, once you see the message "Installation completed successfully" at the command line.

Validating Installation:
You can check that the HotFix is applied correctly by verifying
the product version information of VShieldUpdate:

i. Go to the folder /usr/local/vscanx/

ii. Execute the following command: ./VShieldUpdate –v

iii. The result should be as follows:

VShieldUpdate, Virex 7.7 (build 175) Copyright
(c) 2006 McAfee, Inc. All Rights Reserved.

Removing the Patch:

We recommend that you do NOT remove this HotFix file from your McAfee Virex version 7.7. If you reinstall your Virex, we recommend that you also reinstall this HotFix.

5. Work Around
None

6. Acknowledgements
The following individuals belonging to the University of Massachusetts at Amherst department of Computer Science in the Privacy, Internetworking, Security, and Mobile Systems Laboratory: Assistant Professor Kevin Fu, Graduate Researchers Anthony Bellissimo and John Burgess.

7. Support

Home and Home Office: http://www.mcafeehelp.com/

Small and Medium Business: http://www.mcafee.com/us/support/default.asp

Enterprise: http://www.mcafee.com/us/support/default.asp

Corporate Technical Support: 1-800-338-8754

8. Frequently Asked Questions (FAQ) related to this security bulletin

Who is affected by this security vulnerability? McAfee Virex 7 users could be affected by this vulnerability. McAfee urges all customers to verify that they have received the latest updates by going to the SecurityCenter and clicking the update button. The automatic downloading and installation of updates and upgrades assures the delivery of the latest product version to our customers.

Does this vulnerability affect McAfee enterprise products?

No. Only local installations of Virex 7.x can be affected by this security flaw.

What has McAfee done to resolve the issue? McAfee believes in providing the most secure software to customers and has provided an update to this security flaw.

How does McAfee respond to this and any other security flaw? McAfee’s key priority is the security of its customers. In the event that a vulnerability is found within any of McAfee’s software, a strong process is in place to work closely with the relevant security research group to ensure the rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS) which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

9. Resources

To download new beta software or to read about the latest beta information, visit the beta website:

http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm

To submit beta feedback on any McAfee product, send email to:

mcafee_beta@mcafee.com

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

http://prisms.cs.umass.edu/~kevinfu/papers/secureupdates-hotsec06.pdf

Acknowledgements

Thanks to Anthony Bellissimo, John Burgess, and Kevin Fu for reporting this vulnerability.

This document was written by Jeff Gennari.

Other Information

CVE IDs:	None
Severity Metric:	0.11
Date Public:	2006-07-31
Date First Published:	2007-02-15
Date Last Updated:	2007-02-16 12:32 UTC
Document Revision:	27

Software Engineering Institute

CERT Coordination Center

McAfee Virex fails to properly authenticate the source of updates

Vulnerability Note VU#345233

Overview

Description

Impact

Solution

Vendor Information

McAfee Affected

Status

Vendor Statement

Vendor Information

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC