Urgent Tech Update – Vulnerability on McAfee ENS that could allow a malware to delete files
by Secutec
McAfee has detected a vulnerability on ENS that could allow a malware or malicious user to delete files that he should not have any access to. McAfee has already created expert rules and a DAT update should be published today to reduce the risk. Patches are not available yet.
This vulnerability does not provide the ability to remotely exploit a system, but rather enables malware or a malicious actor to delete files that they otherwise would not have access to. Exploitation of the vulnerability requires running code (or a script) on a victim system that maliciously manipulates symbolic links to redirect a delete action of a privileged process to an unintended file.
Product Vulnerability Status
Investigation into McAfee products is ongoing. This Security Bulletin will be updated as additional information is available.
| Product | Version | Notes |
|
Vulnerable and Update Planned |
||
| Endpoint Security (ENS) for Mac | All | N/A |
| ENS for Windows | 10.7.x 10.6.x 10.5.x |
N/A |
| VirusScan Enterprise (VSE) for Linux | All | N/A |
| VSE for Windows | All | N/A |
Investigation of impacted McAfee products is ongoing. McAfee’s Security Bulletin will be updated as additional information is available.
Mitigations
ENS for Windows (10.7.x, 10.6.x, 10.5.x)
An interim mitigation is available through an Expert Rule (KB92752). You can deploy the mitigation in your environment to provide protection against attempted exploit of this vulnerability. Due to the aggressive nature of this rule, McAfee recommends the standard best practice of testing the rule as “report only” in your environment to rule out unintended behavior.
A v3 DAT release that prevents exploitation of this vulnerability in ENS 10.5, 10.6 and 10.7 is planned for release on April 24, 2020 (Today). This update will address the issue for the products listed above.
How do I know if my McAfee product is vulnerable or not?
For Endpoint products:
Use the following instructions for endpoint or client-based products:
- Right-click on the McAfee tray shield icon on the Windows taskbar.
- Select Open Console.
- In the console, select Action Menu.
- In the Action Menu, select Product Details. The product version displays.
For Appliances:
Use the following instructions for Appliance-based products:
- Open the Administrator’s User Interface (UI).
- Click the About link. The product version displays.