There are serious vulnerabilities in Intel Security’s McAfee Application Control product, researchers said.
Intel Security is still working on patches, but it has described the vulnerabilities as low-risk issues.
IT security services and consulting company SEC Consult analyzed McAfee Application Control last year as part of its extensive research into critical infrastructure environments, particularly smart grids.
McAfee Application Control is an application whitelisting solution designed to block unauthorized files from executing on servers, corporate desktops and other devices. Intel said the product is a solution for critical infrastructure protection.
During his analysis of McAfee Application Control, SEC Consult’s René Freingruber uncovered a series of vulnerabilities that he said can be exploited to bypass the application whitelisting protection. Whitelisting suits industrial control environments well because it allows only approved applications to execute, and the set of software running in such environments tends to change rarely.
Freingruber said the security holes he found can be exploited to bypass the whitelisting protection and achieve arbitrary code execution through various techniques.
He also identified multiple kernel driver vulnerabilities that can be leveraged to cause denial-of-service (DoS) conditions and possibly for privilege escalation, as well as insufficient file system read/write protections that can be exploited to overwrite whitelisted applications once code execution has been achieved.
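To show why the file system write protection mentioned above matters, here is a small added illustration that is not code from SEC Consult or Intel Security and does not describe how McAfee Application Control works internally. A whitelist that trusts a file by its path keeps allowing it after an attacker with write access replaces its contents, while a whitelist that pins a SHA-256 digest at enrollment rejects the replaced file. The `PathAllowlist` and `HashAllowlist` classes, the `trusted_app.exe` file name and its contents are all constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class PathAllowlist:
    """Hypothetical policy: a file may run if its absolute path was enrolled.

    Nothing about the file's contents is checked, so whoever can write to an
    enrolled path can run arbitrary code under the whitelisted name."""

    def __init__(self, paths):
        self.paths = {os.path.abspath(p) for p in paths}

    def allows(self, path):
        return os.path.abspath(path) in self.paths


class HashAllowlist:
    """Hypothetical policy: a file may run only if its current SHA-256 matches
    the digest recorded when the path was enrolled."""

    def __init__(self, paths):
        self.digests = {os.path.abspath(p): sha256_of(p) for p in paths}

    def allows(self, path):
        expected = self.digests.get(os.path.abspath(path))
        return expected is not None and sha256_of(path) == expected


def writable_entries(paths):
    """Audit helper: return the enrolled paths the current user can write to.

    Note: on Windows os.access(..., os.W_OK) only reflects the read-only
    attribute, not the ACL, so a real audit there should inspect the DACL."""
    return [p for p in paths if os.access(p, os.W_OK)]


def simulate_overwrite_attack():
    """Enroll a 'trusted' file, overwrite it in place, and report what each policy decides."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "trusted_app.exe")  # constructed sample file
        with open(target, "wb") as f:
            f.write(b"original trusted program bytes")  # constructed content

        by_path = PathAllowlist([target])
        by_hash = HashAllowlist([target])
        writable = target in writable_entries([target])
        before = (by_path.allows(target), by_hash.allows(target))

        # An attacker who already has code execution and write access to the
        # whitelisted file replaces its contents with a payload.
        with open(target, "wb") as f:
            f.write(b"attacker payload bytes")  # constructed content

        after = (by_path.allows(target), by_hash.allows(target))
        return {
            "writable_before_attack": writable,
            "before": before,  # (path allows, hash allows)
            "after": after,    # (path allows, hash allows)
        }


if __name__ == "__main__":
    print(simulate_overwrite_attack())
```

The point of the audit helper is that hash pinning alone is not enough if the agent lets an attacker re-enroll or if the product falls back to path-based trust; the practical check is that no enrolled binary, and no directory it lives in, is writable by the accounts that ordinary processes run under.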
The researcher also discovered that McAfee Application Control ships with a ZIP application from 1999 that contains vulnerabilities, including a buffer overflow that can be leveraged to bypass application whitelisting. However, he said exploiting the flaw is not easy and there are no public exploits available for it.
The vulnerabilities were reported to Intel Security this past June. Following an analysis of the issues, the vendor determined that they are either not vulnerabilities or low-risk bugs.
SEC Consult, which usually gives vendors 50 days to provide a fix, published an advisory disclosing the existence of the vulnerabilities in late July, but it did not release proof-of-concept (PoC) exploit code at the time.