Researchers reported finding several serious vulnerabilities in Intel Security’s McAfee Application Control product, but the vendor has not released patches claiming they are low risk issues.
IT security services and consulting company SEC Consult analyzed McAfee Application Control last year as part of its extensive research into critical infrastructure environments, particularly smart grids.
McAfee Application Control is an application whitelisting solution designed to block unauthorized files from being executed on servers, corporate desktops and other devices. The product has been advertised by the vendor as a solution for critical infrastructure protection.
McAfee Application Control Vulnerabilities
During his analysis of McAfee Application Control, SEC Consult’s René Freingruber uncovered a series of vulnerabilities that can allegedly be exploited to bypass the application whitelisting protection.
According to Freingruber, the security holes he found can be exploited to bypass whitelisting protection and achieve arbitrary code execution through various techniques. The expert also reported identifying multiple kernel driver vulnerabilities that can be leveraged to cause denial-of-service (DoS) conditions and possibly for privilege escalation, and insufficient file system read/write protections that can be exploited to overwrite whitelisted applications once code execution is achieved.
The researcher also discovered that McAfee Application Control is shipped with a ZIP application from 1999 that is known to contain vulnerabilities, including a buffer overflow that can be leveraged to bypass application whitelisting. However, the expert noted that exploiting the flaw is not easy and there are no public exploits available for it.
The vulnerabilities were reported to Intel Security in early June 2015. Following an analysis of the issues, the vendor determined that they are either not vulnerabilities or low risk bugs.
SEC Consult, which usually gives vendors 50 days to provide a fix, published an advisory disclosing the existence of the vulnerabilities in late July, but proof-of-concept (PoC) exploit code was not released at the time.
Earlier this week, the company released a whitepaper detailing the flaws and how they can be used to bypass McAfee’s application whitelisting product. The security consultancy also provided a list of configuration settings and hardening guidelines that can be used to secure a system against possible attacks.
“We did not release any out-of-the-box exploit code (especially on the more complex stuff such as the buffer overflows) but only simple proof of concepts for the bypass vulnerabilities. Those are simple enough that they could even be deduced from the information within the workaround section alone,” SEC Consult team lead Johannes Greil told SecurityWeek.
Intel Security Disagrees
SEC Consult said Intel Security initially planned to release a fix for the confirmed vulnerabilities in the third quarter of 2015, but the promised update has not been made available.
Intel Security published an advisory this week to explain why the issues reported by SEC Consult are either not vulnerabilities or are considered low risk flaws.
"Upon learning of the researchers' concerns last summer, we promptly investigated the scenarios posed. We found that customers following our standard deployment configuration guidance are not subject to these scenarios,” Intel Security representatives told SecurityWeek.
Intel Security believes the issues only impact McAfee Application Control 220.127.116.113, and that no other McAfee products are affected. The company has pointed customers to a document describing security best practices for McAfee Application Control.
The vendor has released a McAfee Application Control update this week to address DoS, input validation and privilege escalation vulnerabilities reported by Shannon Sabens from HP TippingPoint.
SEC Consult says it hasn’t been able to verify if the update addresses any of the flaws they have reported. One of the patched kernel driver bugs is similar to one reported by SEC Consult, but it doesn’t appear to be the same, the company said.
SEC Consult does not agree with Intel Security’s assessment and claims to have provided the company with information and proof-of-concept code that should demonstrate the weaknesses are exploitable.
Use of Whitelisting to Protect Critical Infrastructure
SEC Consult says application whitelisting can be highly useful in critical infrastructure (ICS/SCADA) environments where reliability and availability are crucial, and software updates often cannot be installed due to the negative impact a buggy update could have.
However, researchers believe it’s important to ensure that the solutions deployed for protecting critical infrastructure don’t increase the attack surface.
“Out of our experience we at SEC Consult consider it necessary for critical infrastructures to regularly install new updates, use only software reviewed by security professionals and further increase the awareness of end users with security trainings,” Freingruber said in his whitepaper. “For such systems it’s not enough to solely rely on a security layer such as application whitelisting. Rather, the underlying security of the system itself must be increased. We do not see a reason for not using application whitelisting if the software is secure and doesn’t tear holes in the overall system security but it’s important to understand that it doesn’t replace robust security measures.”