Connect with us

Hi, what are you looking for?



McAfee Application Control Flaws Expose Critical Infrastructure: Researchers

Researchers reported finding several serious vulnerabilities in Intel Security’s McAfee Application Control product, but the vendor has not released patches claiming they are low risk issues.

Researchers reported finding several serious vulnerabilities in Intel Security’s McAfee Application Control product, but the vendor has not released patches claiming they are low risk issues.

IT security services and consulting company SEC Consult analyzed McAfee Application Control last year as part of its extensive research into critical infrastructure environments, particularly smart grids.

McAfee Application Control is an application whitelisting solution designed to block unauthorized files from being executed on servers, corporate desktops and other devices. The product has been advertised by the vendor as a solution for critical infrastructure protection.

McAfee Application Control Vulnerabilities

During his analysis of McAfee Application Control, SEC Consult’s René Freingruber uncovered a series of vulnerabilities that can allegedly be exploited to bypass the application whitelisting protection.

According to Freingruber, the security holes he found can be exploited to bypass whitelisting protection and achieve arbitrary code execution through various techniques. The expert also reported identifying multiple kernel driver vulnerabilities that can be leveraged to cause denial-of-service (DoS) conditions and possibly for privilege escalation, and insufficient file system read/write protections that can be exploited to overwrite whitelisted applications once code execution is achieved.

The researcher also discovered that McAfee Application Control is shipped with a ZIP application from 1999 that is known to contain vulnerabilities, including a buffer overflow that can be leveraged to bypass application whitelisting. However, the expert noted that exploiting the flaw is not easy and there are no public exploits available for it.

Advertisement. Scroll to continue reading.

The vulnerabilities were reported to Intel Security in early June 2015. Following an analysis of the issues, the vendor determined that they are either not vulnerabilities or low risk bugs.

SEC Consult, which usually gives vendors 50 days to provide a fix, published an advisory disclosing the existence of the vulnerabilities in late July, but proof-of-concept (PoC) exploit code was not released at the time.

Earlier this week, the company released a whitepaper detailing the flaws and how they can be used to bypass McAfee’s application whitelisting product. The security consultancy also provided a list of configuration settings and hardening guidelines that can be used to secure a system against possible attacks.

“We did not release any out-of-the-box exploit code (especially on the more complex stuff such as the buffer overflows) but only simple proof of concepts for the bypass vulnerabilities. Those are simple enough that they could even be deduced from the information within the workaround section alone,” SEC Consult team lead Johannes Greil told SecurityWeek.

Intel Security Disagrees

SEC Consult said Intel Security initially planned to release a fix for the confirmed vulnerabilities in the third quarter of 2015, but the promised update has not been made available.

Intel Security published an advisory this week to explain why the issues reported by SEC Consult are either not vulnerabilities or are considered low risk flaws.

“Upon learning of the researchers’ concerns last summer, we promptly investigated the scenarios posed. We found that customers following our standard deployment configuration guidance are not subject to these scenarios,” Intel Security representatives told SecurityWeek.

Intel Security believes the issues only impact McAfee Application Control, and that no other McAfee products are affected. The company has pointed customers to a document describing security best practices for McAfee Application Control.

The vendor has released a McAfee Application Control update this week to address DoS, input validation and privilege escalation vulnerabilities reported by Shannon Sabens from HP TippingPoint.

SEC Consult says it hasn’t been able to verify if the update addresses any of the flaws they have reported. One of the patched kernel driver bugs is similar to one reported by SEC Consult, but it doesn’t appear to be the same, the company said.

SEC Consult does not agree with Intel Security’s assessment and claims to have provided the company with information and proof-of-concept code that should demonstrate the weaknesses are exploitable.

Use of Whitelisting to Protect Critical Infrastructure

SEC Consult says application whitelisting can be highly useful in critical infrastructure (ICS/SCADA) environments where reliability and availability are crucial, and software updates often cannot be installed due to the negative impact a buggy update could have.

However, researchers believe it’s important to ensure that the solutions deployed for protecting critical infrastructure don’t increase the attack surface.

“Out of our experience we at SEC Consult consider it necessary for critical infrastructures to regularly install new updates, use only software reviewed by security professionals and further increase the awareness of end users with security trainings,” Freingruber said in his whitepaper. “For such systems it’s not enough to solely rely on a security layer such as application whitelisting. Rather, the underlying security of the system itself must be increased. We do not see a reason for not using application whitelisting if the software is secure and doesn’t tear holes in the overall system security but it’s important to understand that it doesn’t replace robust security measures.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.