Summary
Who should read this document: Technical and Security Personnel
Impact of Vulnerability: Security Bypass Remote Code Execution
CVE Number: None
US CERT Number: None
Severity Rating: Critical
Overall CVSS Rating: 7
Recommendations: Uninstall McAfee Virtual Technician v6.3 or earlier, or re-download and re-install McAfee Virtual Technician v6.4 or later
Security Bulletin Replacement: None
Caveats: Internet Explorer must be running for this vulnerability to be exploited
Affected Software: McAfee Virtual Technician 6.3.0.1911 and earlier
Location of updated software: http://mvt.mcafee.com/mvt
Description
McAfee Virtual Technician (MVT) and McAfee ePO-MVT are free tools that will scan a system to ensure that the McAfee products are installed correctly. This tool will identify possible problems and help resolve problems detected during a check-up process.
MVT can be downloaded from multiple locations. The primary download location is: http://mvt.mcafee.com/mvt
McAfee Virtual Technician v6.3 and earlier installed an ActiveX control that contained a vulnerability. This vulnerability allows an attacker to bypass Internet Explorer browser security settings to remotely execute operating system commands. An Internet Explorer script can also be created to remotely crash the browser by specifying an arbitrary memory address. It is possible for a malicious website to exploit the MVT vulnerability and run malicious code.
This issue mainly affects consumer users; however, it also affects enterprise users who have MVT or have deployed ePO-MVT onto their machines.
For this attack to be effective, users would need to have installed MVT on their machine, and that machine would need to have Internet Explorer, or another browser that supports ActiveX controls, up and running. The attacker would only be granted the same privileges as the currently logged-in user, who may or may not have administrator privileges. With a cleverly crafted set of operating system commands on a computer run by a user with administrator rights, full access could be granted to the attacker. This could cause a significant disruption starting with a single computer, which may be trusted by other computers on the network.
MVT is not tied to a particular McAfee product. Any system could have MVT installed; potentially even those systems which have uninstalled their McAfee products.
Remediation
For MVT Users
Customers can access MVT in their Programs menu to run MVT and be automatically updated to the latest version. If MVT was previously uninstalled, access the McAfee website at http://mvt.mcafee.com/mvt to run MVT and install the updated tool.
McAfee Virtual Technician download instructions:
- Launch Internet Explorer.
- Navigate to: http://mvt.mcafee.com/mvt.
- Click Scan your system now.
- Follow the onscreen directions.
- Download and run the MVTInstaller.
Users with MVT can choose to remediate by uninstalling the MVT tool. To uninstall MVT, go to the Microsoft Windows Control Panel, access Add and Remove Programs and uninstall the program.
For ePO-MVT Users
McAfee ePO-MVT 1.0.8 is now available for download. This version resolves the vulnerability in this McAfee tool.
To download ePO-MVT 1.0.8, go to the ePO-MVT download site at: http://mer.mcafee.com/enduser/downloadepomvt.aspx?lang=English.
Acknowledgements
This vulnerability was first disclosed by BugTraq.
Support
Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/support/default.asp
Frequently Asked Questions (FAQs)
Who is affected by this security vulnerability?
All McAfee customers using McAfee Virtual Technician 6.3.0.1911 and earlier.
McAfee recommends that all customers verify that they have applied the latest updates.
Does this vulnerability affect McAfee enterprise products?
Yes, McAfee Virtual Technician is used by both consumer and enterprise users. A version of MVT called ePO-MVT is used by ePO with a different UI.
How do I know if my McAfee Virtual Technician is vulnerable or not?
- Go to your Microsoft Windows Control Panel, then access Add and Remove Programs.
- The product version is displayed in the far right column.
- Versions 6.3.0.1911 and earlier are vulnerable.
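The same check can be scripted for many machines. The PowerShell below is an added example, not McAfee's code; it reads the registry data behind Add and Remove Programs and assumes the entry's display name contains "McAfee Virtual Technician".

```powershell
# Added example: report MVT installs at or below the last vulnerable version.
# Assumption: the Add and Remove Programs entry's DisplayName contains
# "McAfee Virtual Technician"; adjust $NamePattern if your entry differs.
$NamePattern    = '*McAfee Virtual Technician*'
$LastVulnerable = [version]'6.3.0.1911'   # from the bulletin

# Registry locations that back Add and Remove Programs:
# per-machine (64-bit and 32-bit views) and per-user.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-MvtVersionVulnerable {
    param([string]$DisplayVersion)
    # Returns $true (vulnerable), $false (newer than 6.3.0.1911),
    # or $null when the version string is missing or cannot be parsed.
    $parsed = $null
    if ([version]::TryParse($DisplayVersion, [ref]$parsed)) {
        return ($parsed -le $LastVulnerable)
    }
    return $null
}

function Get-MvtInstall {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            $state  = Test-MvtVersionVulnerable $_.DisplayVersion
            $status = if ($null -eq $state) { 'UNKNOWN' } elseif ($state) { 'VULNERABLE' } else { 'FIXED' }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = $status
            }
        }
}

# No output means no matching entry was found on this machine.
Get-MvtInstall | Format-Table -AutoSize
```

An UNKNOWN status means the entry has no parseable version and should be checked by hand in the Control Panel.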
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/
What are the CVSS scoring metrics that have been used?
Base Score: 9
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Partial
Adjusted Temporal Score: 7
Exploitability: Proof of concept code
Remediation Level: Official fix
Report Confidence: Confirmed
NOTE: CVSS version 2.0 was used to generate this score. http://nvd.nist.gov/cvss.cfm?calculator&version=2
What has McAfee done to resolve the issue?
McAfee has released an update to address this security flaw.
Where do I download the fix?
The fix can be downloaded from:
• http://mvt.mcafee.com/mvt
• http://mvt.mcafee.com/mvt/en-us/default.html?en-us (English)
• http://www.mcafee.com/us/downloads/free-tools/virtual-technician.aspx (English)
• http://www.mcafee.com/it/downloads/free-tools/virtual-technician.aspx (Italian)
How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.
Disclaimer
The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.