Source: trellixpsirt@trellix.com
A whitelist bypass vulnerability in McAfee Application Control / Change Control 7.0.1 and earlier allows execution bypass, for example with a simple DLL loaded through interpreters such as PowerShell.
McAfee Application Control/Change Control 7.0.1 and prior are vulnerable to a whitelist bypass, allowing attackers to execute arbitrary code. This vulnerability permits attackers to circumvent security controls by leveraging interpreters like PowerShell to load and execute malicious DLLs, potentially leading to system compromise and data exfiltration.
Step 1: Payload Preparation: An attacker crafts a malicious DLL containing the desired payload (e.g., a reverse shell, malware installation, or data exfiltration routine).
Step 2: Interpreter Selection: The attacker identifies a whitelisted interpreter, such as PowerShell, that is permitted to execute code.
Step 3: Payload Delivery: The attacker places the malicious DLL on the target system, either through direct upload, network share access, or social engineering (e.g., phishing).
Step 4: Execution Trigger: The attacker uses the whitelisted interpreter (e.g., PowerShell) to load and execute the malicious DLL, for example through a PowerShell cmdlet such as Add-Type, or through the Windows rundll32.exe utility.
Step 5: Bypass Execution: Because of the whitelist bypass vulnerability, the McAfee Application Control/Change Control software fails to properly block the execution of the malicious DLL through the whitelisted interpreter.
Step 6: Payload Execution: The malicious DLL executes, allowing the attacker to gain control of the system, execute arbitrary commands, and potentially escalate privileges.
The vulnerability stems from a flaw in McAfee Application Control's whitelist implementation: the software fails to adequately validate code executed through interpreters such as PowerShell. Specifically, it allows DLLs that are not explicitly whitelisted to execute if they are loaded through a whitelisted interpreter. The root cause is likely an insufficient check on the origin or context of the DLL execution, which lets an attacker bypass the intended security restrictions. Because the execution path is not properly validated, malicious code can be loaded and executed, effectively bypassing the intended security controls. This is a classic example of a whitelist bypass vulnerability.
While no specific APT groups are directly linked to this CVE, the nature of the vulnerability makes it attractive to various threat actors. The ability to bypass application control is a common tactic used by ransomware gangs and other malicious actors. CISA KEV status is unknown, but given the severity and ease of exploitation, it is possible that it is listed.
Monitor process creation events, specifically for the execution of DLLs by whitelisted interpreters (e.g., PowerShell, cmd.exe).
Analyze PowerShell command-line arguments for suspicious activity, such as the loading of untrusted DLLs.
Review security logs for unusual network connections originating from the affected systems.
Implement file integrity monitoring to detect unauthorized changes to critical system files and DLLs.
Use endpoint detection and response (EDR) solutions to identify and block malicious DLL execution attempts.
Monitor for the creation of suspicious files in temporary directories or other locations commonly used by attackers.
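As an added illustration of the first two detection items above (this is example code, not part of the advisory and not from Trellix or McAfee), the following Python flags process-creation events in which an allow-listed interpreter references a DLL outside a set of trusted directories. The interpreter set, the trusted directories and the sample events are constructed assumptions for the demonstration.

```python
import re
from collections import namedtuple

# Hypothetical policy (assumed for this example, not McAfee's configuration):
# the interpreters the allow-list permits and the only directories from which
# those interpreters are expected to load a DLL.
WHITELISTED_INTERPRETERS = {"powershell.exe", "pwsh.exe", "rundll32.exe"}
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

# A .dll path on a command line, quoted (may contain spaces) or bare.
DLL_PATH_RE = re.compile(r"""["']([^"']+\.dll)["']|([^\s"']+\.dll)""", re.IGNORECASE)
# Loader constructs the advisory names: Add-Type and reflective assembly loads.
LOADER_RE = re.compile(r"add-type|\[reflection\.assembly\]::load\w*", re.IGNORECASE)

Finding = namedtuple("Finding", "pid interpreter dll reason")

def dll_paths(cmdline):
    """Every DLL path referenced on the command line, quotes stripped."""
    return [quoted or bare for quoted, bare in DLL_PATH_RE.findall(cmdline)]

def is_trusted(path):
    return path.lower().startswith(TRUSTED_DLL_DIRS)

def analyze(events):
    """events: process-creation records (pid, image, cmdline), e.g. Sysmon Event ID 1 or Windows 4688 with command-line auditing."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in WHITELISTED_INTERPRETERS:
            continue  # the bypass needs an allow-listed interpreter; ignore the rest
        loader = LOADER_RE.search(ev["cmdline"])
        how = loader.group(0) if loader else image
        for dll in dll_paths(ev["cmdline"]):
            if not is_trusted(dll):
                findings.append(Finding(ev["pid"], image, dll, f"untrusted DLL loaded via {how}"))
    return findings

# Constructed sample events; PIDs and paths are made up for the demonstration.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command \"Add-Type -Path 'C:\\Users\\Public\\helper.dll'\""},
    {"pid": 1002, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"pid": 1003, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\temp\\update.dll,Start"},
    {"pid": 1004, "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "cmdline": "pwsh.exe -c \"[Reflection.Assembly]::LoadFile('C:\\Users\\bob\\Downloads\\x.dll')\""},
    {"pid": 1005, "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\Public\\notes.dll"},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

Only events 1001, 1003 and 1004 are reported: the System32 DLL in 1002 is trusted, and 1005 is not launched by an allow-listed interpreter, so it is outside the scope of this rule.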
Upgrade McAfee Application Control/Change Control to a patched version (7.0.2 or later).
Strengthen the whitelist implementation so that it validates the execution paths and origins of DLLs.
Review and harden the existing whitelist to ensure that only necessary applications and processes are allowed.
Implement application control policies that restrict the execution of DLLs from untrusted sources.
Regularly update the application control rules to address new attack vectors.
Employ a defense-in-depth strategy, including endpoint detection and response (EDR) and intrusion detection systems (IDS).
Implement network segmentation to limit the impact of a successful compromise.