Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash

Get the Latest


McAfee AV Bypass

Researchers from SafeBreach have discovered a vulnerability within all editions of McAfee Anti-Virus that allows loading any unsigned DLL with the highest level of privilege. Fortunately, the vulnerability (assigned CVE-2019-3648) requires that the attacker must already have administrative privilege on the computer they are attempting to exploit. The researchers noticed that the software was trying to load the DLL “wbemcomn.dll” from “C:WindowsSystem32wbem” when it is actually located one directory up in the “C:WindowsSystem32” directory. To test this, an unsigned DLL was placed at the location that McAfee searches for. The test DLL logs the name of any process that loads it, along with the username of that process, and the name of the DLL file. When the computer was rebooted, it was found that multiple processes, all signed by McAfee, had loaded the DLL with the highest level of privileges on a Windows computer.

Analyst Notes

Although an attacker would have to already have obtained administrator access to abuse this vulnerability, it is still significant because it could be used to disguise the method that malware uses to automatically run itself whenever the computer restarts. The vulnerability could potentially be abused to cause McAfee to fail to detect this and other malware files. For home and enterprise users, always keep anti-virus products up to date. McAfee has posted a security advisory on its website listing affected versions. If auto-update is enabled, no action should be required. Many enterprise businesses provide some level of role-based access to machines where employees don’t have administrative access unless required which can help mitigate many attacks like this which rely on administrative privileges. Home users can also emulate this by opening the Windows account settings to restrict which accounts full admin rights.