Insecure Library Loading
Highly critical

McAfee VirusScan Enterprise Insecure Library Loading Vulnerability


Release Date:  2010-11-29    Last Update:  2012-08-24    Views:  12,704

Secunia Advisory SA41482

Description


Parvez Anwar has discovered a vulnerability in McAfee VirusScan Enterprise, which can be exploited by malicious people to compromise a user's system.



Subject: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability

User Message
vinod_r2 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 30th Nov, 2010 17:52
Score: 0
Posts: 1
User Since: 15th Feb 2009
System Score: N/A
Location: N/A
Last edited on 30th Nov, 2010 17:52
Found that McAfee Corporate Knowledgebase ID KB70559 has the updated information.
https://kc.mcafee.com/corporate/index?page=content...
Was this reply relevant?
+0
-0
floyd413 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 10th Nov, 2011 21:27
Score: 3
Posts: 11
User Since: 10th Nov 2011
System Score: N/A
Location: US
Correct me if I am wrong, but it looks like there is a false positive for VirusScan v.8.7.x
I have version 8.7.0.973 and the advisory says to upgrade to 8.7.i (now doesn't this mean that this version is covered). Thanks.
Was this reply relevant?
+1
-0
This user no longer exists RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 11th Nov, 2011 09:21
Hey,

8.7.i should be more recent than what you have. This is the version number as has been provided by McAfee, and they are indicating that this is the more recent version.

If you are a customer, isn't this download available to you? Do you have the latest version?
Was this reply relevant?
+0
-0
davis157 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 13th Nov, 2011 19:59
Score: 3
Posts: 2
User Since: 13th Nov 2011
System Score: N/A
Location: US
The string "8.7i" (not "8.7.i") is a part of the software's name. It is a release version, not a software version number. Whatever Secunia has done to result in its software reporting VirusScan Enterprise 8.7i as insecure based on "8.7i" or "8.7.i" as the software version number is likely resulting in all versions of this particular software release being labelled as insecure, even when they're not. As such, this would be a false positive, as suggested by floyd413. I have personally experienced the same behavior with PSI, and I believe it will quickly become a concern at work, where CSI is being deployed and VirusScan is the de facto anti-virus solution.
Was this reply relevant?
+1
-0
kat123 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 13th Nov, 2011 20:18
Score: 4
Posts: 5
User Since: 13th Nov 2011
System Score: N/A
Location: US
Last edited on 13th Nov, 2011 20:18
I echo what davis157 and floyd413 said! My VirusScan is current, and I even tried to update it just to see what it would do. Predictably, it says I already have the current version. Secunia's reporting is indeed a false positive here.
Was this reply relevant?
+1
-0
This user no longer exists RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 14th Nov, 2011 10:17
Hi,

For those experiencing this issue, can you please confirm that, although 8.7.0.i is shown in the 'About' tab, or where the program displays the version information, the version is detected as 8.7.0.973, and that this is not the version number that was detected before running the update?

If so, we can update our version rules accordingly.

Hope this helps.
Was this reply relevant?
+0
-0
floyd413 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 14th Nov, 2011 14:54
Score: 3
Posts: 11
User Since: 10th Nov 2011
System Score: N/A
Location: US
Hi,
I can confirm. When you right-click the VirusScan icon and click About, it gives a window with bold print at the top: "VirusScan Enterprise + AntiSpyware Enterprise 8.7.0i"
When I scan with Secunia PSI, it says next to detected instances "8.7.0.973" and underneath says "Latest Version patching one or more vulnerabilities: 8.7i"

If anyone else sees this please chime in. It looks like we might be able to change the detection rules to reflect that this is indeed an updated version.

Thanks,
Floyd
Was this reply relevant?
+1
-0
davis157 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 14th Nov, 2011 18:58
Score: 3
Posts: 2
User Since: 13th Nov 2011
System Score: N/A
Location: US
"8.7i" and "8.7.0i" are both displayed in VirusScan's About window (not tab) as part of the product's name. There is no reference to 8.7.0.973 in this window.

PSI is reporting this path as the determining factor:

C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe

Next to this, it reports 8.7.0.973. What's confusing is that, at least on my system, the file version of scan32.exe is actually 8.7.0.893; there are only three files in the same folder with file version 8.7.0.973:

bbcpl.dll
shstat.exe
vsplugin.dll

So where is PSI obtaining the file version and if it's not scan32.exe, why is this displayed as the problematic file?

The file version is typically incremented for a particular release of VirusScan when a patch is applied. 8.7.0.973 seems to correspond to Patch 5. Are we to infer that if we're running the 8.7i release, any installation which does not have Patch 5 applied is vulnerable?

To add even more confusion to the situation, I just heard from someone at work running CSI. Among the releases of VirusScan Enterprise they have installed is 8.7i, and CSI reports the version as 8.7.0.747 (which I believe even pre-dates patch 2, the earliest version to which I have access). CSI does not report any problems with this installation.

Cheers
Was this reply relevant?
+2
-0
floyd413 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 14th Nov, 2011 19:05
Score: 3
Posts: 11
User Since: 10th Nov 2011
System Score: N/A
Location: US
Either way, according to McAfee's web site it only affects 8.5 and earlier. All of these versions mentioned by previous posters are 8.7 and greater, which shouldn't be affected.
https://kc.mcafee.com/corporate/index?page=content...
Was this reply relevant?
+0
-0
kat123 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 15th Nov, 2011 18:12
Score: 4
Posts: 5
User Since: 13th Nov 2011
System Score: N/A
Location: US
Floyd - I am seeing exactly what you see. Just adding my confirmation.
Cheers!
Was this reply relevant?
+1
-0
TEDMT RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 17th Nov, 2011 14:39
Score: 1
Posts: 1
User Since: 17th Nov 2011
System Score: N/A
Location: CA
I can confirm the false positive also. I am at 8.7i patch 5.
Under the About .... menu, the VirusScan Enterprise + AntiSpyware Enterprise report the following for the Version number: 8.7i (8.7.0.570)

--
TEDMT
Was this reply relevant?
+1
-0
floyd413 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 17th Nov, 2011 16:22
Score: 3
Posts: 11
User Since: 10th Nov 2011
System Score: N/A
Location: US
So it's not just me. It seems anyone who uses McAfee Enterprise 8.7i gets this false positive. There is no way of getting rid of it other than to upgrade to the next McAfee version 8.8, although this is in no way a security patch, but rather a feature version from McAfee. Secunia, please look into this and get the rules changed to reflect the accuracy, or if there is a reason for 8.7 to be marked as insecure, please let us know.
Thanks,
Floyd
Was this reply relevant?
+0
-0
This user no longer exists RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 18th Nov, 2011 12:16
Hi,

Since this seems to be confirmed, I have altered the version number to match what you have suggested.

If you scan again, the product should be flagged as Secure.

Hope this helps.
Was this reply relevant?
+0
-0
floyd413 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 21st Nov, 2011 22:28
Score: 3
Posts: 11
User Since: 10th Nov 2011
System Score: N/A
Location: US
Thanks guys! It is reporting patched versions of Virusscan 8.7i as secure now.
Was this reply relevant?
+0
-0
kat123 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 23rd Nov, 2011 03:50
Score: 4
Posts: 5
User Since: 13th Nov 2011
System Score: N/A
Location: US
OK, I'm still having the same issue. I have tried rescanning, rebooting and rescanning again - not just the program but the PC. I also downloaded the latest Superdat file, containing the latest engine and updates. The update said I'm already running the latest engine and dats. Now what?
Was this reply relevant?
+1
-0
floyd413 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 23rd Nov, 2011 14:51
Score: 3
Posts: 11
User Since: 10th Nov 2011
System Score: N/A
Location: US
Secunia detected my version as 8.7.0.973; what does it detect your version as? I am assuming different. Also, what is your scan engine version (under About McAfee)? Mine is 5400.1158. I guess Secunia can see if it differs and whether that is a secure version or if it is another false positive. I'm guessing Secunia might have just added my exact version instead of 8.7.x.x as secure; it is saying 8.7.0.973 is secure, but I could be wrong.
Was this reply relevant?
+1
-0
J.Vemmer RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Secunia Official 23rd Nov, 2011 16:00
Score: 5
Posts: 20
User Since: 5th Oct 2011
System Score: N/A
Location: Copenhagen, DK
According to our database the latest "McAfee VirusScan Enterprise 8.7i" secure version has the detected version number of 8.7.0.973.

If you have any issues with your version being detected wrong, please do not hesitate to contact Secunia Support, preferably with attached screenshots of both the scan result and the file details of the detected file (to get these, navigate to the folder where the insecure file is located, right-click on the file, select properties, and go into the details tab). Please also make sure that the detected version is not in fact files lingering from a previous installation.

--
Kind regards,

Jais Vemmer
xSI Signatures Specialist
kat123 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 23rd Nov, 2011 17:59
Score: 4
Posts: 5
User Since: 13th Nov 2011
System Score: N/A
Location: US
Thank you, Floyd and Jais for your responses!

My scan engine version is 5400.1158. Secunia detected version 8.7.0.893, so Floyd, it looks like you are correct. Our detected versions are slightly different, and evidently Secunia used your exact version as secure instead of 8.7.x.x. Thank you for shedding this bright light on the issue!!

Jais, can you correct the rules given this information, or do you still need me to send you screenshots? What email address would you need me to send them to if that is the case?

Kat
Was this reply relevant?
+1
-0
J.Vemmer RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Secunia Official 24th Nov, 2011 08:34
Score: 5
Posts: 20
User Since: 5th Oct 2011
System Score: N/A
Location: Copenhagen, DK
For instructions on how to contact Secunia Support, please see this part of our FAQ: http://secunia.com/vulnerability_scanning/personal...

Our advisories state that any version prior to 8.7.0.973 is affected by the vulnerability, meaning that 8.7.0.893 is still considered insecure.

--
Kind regards,

Jais Vemmer
xSI Signatures Specialist
ColchesterRGS McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 24th Nov, 2011 18:41
Last edited on 24th Nov, 2011 18:41
Hi,

According to the official McAfee advisory, all versions of VirusScan Enterprise 8.7i are unaffected by the vulnerability, regardless of patch level.

The version 8.7.0.973 for scan32.exe looks like the version included with VSE 8.7i Patch 5 according to https://kc.mcafee.com/resources/sites/MCAFEE/conte...

However not everyone has Patch 5 installed, and *any* VirusScan 8.7 patch level should fix the issue.

It seems to me as if the rule should be updated to accept any version of scan32.exe which is 8.7.0.570 or above - since this is the 'lowest' version number that VSE 8.7i could conceivably install, based on https://kc.mcafee.com/corporate/index?page=content...

At the very least it should be updated to accept any version of scan32.exe which is later than 8.7.0.659, which is the version supplied with VirusScan 8.7i Patch 1 according to these release notes: https://kc.mcafee.com/resources/sites/MCAFEE/conte...(readme).pdf
Was this reply relevant?
+1
-0
E.Jeppesen RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Secunia Official 25th Nov, 2011 09:39
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Thank you for your comments. To change our version rules for a product we need documentation of the changes we perform. In this case we have not yet been able to find such documentation.
ColchesterRGS RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 8th Dec, 2011 14:57
Have been in touch with Secunia privately & the rule should now be fixed - exactly or above "8.7.0.570".
Was this reply relevant?
+1
-0
floyd413 RE: McAfee VirusScan Enterprise Insecure Library Loading Vulnerability
Member 8th Dec, 2011 15:11
Score: 3
Posts: 11
User Since: 10th Nov 2011
System Score: N/A
Location: US
Thanks for your diligence. They now for some reason require you to contact them directly, where they changed mine by simply posting on the forum. But whatever works to get this thing sorted. A few of my installations aren't at patch 5 so this helps with the false positives.
Was this reply relevant?
+0
-0
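The version-rule behaviour discussed in this thread, as an added example that is not part of any post and is not Secunia's detection code: it compares the file versions the posters reported against an exact-match rule, a minimum of 8.7.0.973, and the final minimum of 8.7.0.570. The rule kinds ("exact", "min") and all function names are assumptions made for illustration.

```python
import re

# File versions reported by posters in this thread.
THREAD_VERSIONS = ["8.7.0.570", "8.7.0.747", "8.7.0.893", "8.7.0.973"]

_FILE_VERSION = re.compile(r"\d+(?:\.\d+){3}")


def parse_file_version(text):
    """Return a four-part file version as a tuple of ints, or None.

    Product-name strings such as "8.7i" are release names, not file
    versions, so they are rejected instead of being compared.
    """
    text = text.strip()
    if not _FILE_VERSION.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))


def evaluate(detected, rule):
    """Classify a detected version under a rule.

    rule is ("exact", "a.b.c.d") or ("min", "a.b.c.d"); both rule kinds
    are hypothetical, modelling the behaviours described in the thread.
    """
    version = parse_file_version(detected)
    if version is None:
        return "unknown"  # never guess from a marketing string
    kind, bound = rule
    threshold = parse_file_version(bound)
    if kind == "exact":
        ok = version == threshold
    else:
        ok = version >= threshold  # numeric, per-component comparison
    return "secure" if ok else "insecure"


def flagged(rule, versions=THREAD_VERSIONS):
    """List the versions a rule would report as insecure."""
    return [v for v in versions if evaluate(v, rule) == "insecure"]


if __name__ == "__main__":
    for rule in [("exact", "8.7.0.973"), ("min", "8.7.0.973"), ("min", "8.7.0.570")]:
        print(rule, "flags", flagged(rule))
    print("8.7i ->", evaluate("8.7i", ("min", "8.7.0.570")))
    # Plain string comparison would misorder builds: "8.7.0.1000" < "8.7.0.973".
    print("8.7.0.1000 ->", evaluate("8.7.0.1000", ("min", "8.7.0.973")))
```

For the four versions seen in the thread, the exact-match rule and the 8.7.0.973 minimum flag the same installations; they would only differ for a build newer than 8.7.0.973.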
