Symantec, McAfee Patch Privilege Escalation Bugs

Published: 23/11/2024   Category: security




All versions of endpoint protection software from both vendors were susceptible to a near-identical issue, SafeBreach says.



Symantec and McAfee have patched a near-identical vulnerability in their respective endpoint protection software that would have made it easier for attackers with prior admin access to a system to do more damage.
In both instances, the flaws were reported by security vendor SafeBreach and stemmed from a lack of signature validation when code was being loaded into certain processes of each vendor's software.
SafeBreach's analysis shows multiple signed processes in McAfee's endpoint protection software, and one service in Symantec's equivalent products, attempting to load a dynamic-link library (DLL) from a path that didn't exist.
SafeBreach researchers developed a proof-of-concept exploit showing how an attacker could have exploited that issue to bypass self-defense mechanisms and load an arbitrary, unsigned DLL into processes running in each vendor's products.
All versions of Symantec Endpoint Protection prior to the just-patched 14.2 RU2 were vulnerable. All versions of McAfee's Total Protection (MTP), Anti-Virus Plus (AVP), and Internet Security (MIS) up to and including version 16.0.R22 were vulnerable. Both vendors have patched the issue.
Peleg Hadar, security researcher at SafeBreach, says the now-patched vulnerability in the McAfee and Symantec products provided attackers with a persistence mechanism for deploying malware on endpoint systems.
An attacker also would have been able to operate under the context and behalf of the antivirus process on compromised endpoint systems, he says. Multiple parts of both Symantec's and McAfee's vulnerable endpoint protection software run as a Windows service with the highest-level privileges on the system.
By exploiting the flaw, an attacker could have potentially bypassed each vendor's security controls and those of any other endpoint protection software that might be installed on the same system. Normally, even an attacker with admin access on a system wouldn't be able to implant malware in the antivirus directory. But this vulnerability will bypass it, Hadar says.
Post-Exploitation Issue
During the post-exploitation phase, after the attacker has initial access to the victim's computer, he can use the vulnerabilities in order to run malicious code within the context of the antivirus itself, Hadar notes. Any malicious operation could be made to appear like a legitimate, signed antivirus process, giving attackers enormous leeway. For example, an attacker could have used the flaws to bypass application whitelisting controls.
The flaw in Symantec's product is tracked as CVE-2019-12758 and in McAfee's as CVE-2019-3648.
In a security bulletin Tuesday, McAfee acknowledged the issue and said McAfee MTP, AVP, and MIS use certain Windows files and files from other trusted software companies. This practice is common across software vendors because it reduces duplication of functionality, the vendor said.
The problem was that MTP, AVP, and MIS did not check that these third-party files were properly signed and loaded from the correct location. McAfee is not aware of this issue being actively exploited, it said. The vendor rated the issue as being of medium severity.
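The two checks McAfee's bulletin says were missing, that a loaded DLL is properly signed and that it comes from the expected location, are also the two things a defender can monitor for. The script below is an added example, not code from the article, from SafeBreach, or from either vendor: it scores Sysmon-style image-load records (Event ID 7 fields: Image, ImageLoaded, Signed, Signature, SignatureStatus) against a per-process policy and flags unsigned DLLs, DLLs with an unexpected signer, and DLLs loaded from outside the product's install directory or the Windows system directories. The process path, install directory, signer names and the sample events are all constructed placeholders; the real products' paths and certificate subjects are not on the page and are not reproduced.

```python
"""Flag suspicious DLL loads into endpoint-protection processes.

Input records are constructed, Sysmon-like image-load events written as
'Key=Value|Key=Value|...' lines; the field names mirror Sysmon Event ID 7.
"""
from dataclasses import dataclass

# Hypothetical policy: protected process image -> where its DLLs should live
# and who should have signed them. Placeholder names, not any vendor's real ones.
PROTECTED_PROCESSES = {
    r"c:\program files\exampleav\avservice.exe": {
        "install_dir": r"c:\program files\exampleav",
        "signer": "Example AV Vendor Inc.",
    },
}
# Windows-signed DLLs are expected to come from the system directories.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
MICROSOFT_SIGNER = "Microsoft Windows"


@dataclass
class ImageLoad:
    image: str             # process that performed the load
    image_loaded: str      # path of the DLL that was loaded
    signed: bool
    signature: str         # signer subject, empty if unsigned
    signature_status: str  # e.g. "Valid"


def parse_event(line: str) -> ImageLoad:
    """Parse one 'Key=Value|...' record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def _under(path: str, directory: str) -> bool:
    """Case-insensitive 'path is inside directory' check for Windows paths."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def assess(ev: ImageLoad) -> list[str]:
    """Return findings for one event; an empty list means nothing suspicious."""
    policy = PROTECTED_PROCESSES.get(ev.image.lower())
    if policy is None:
        return []  # not a process this policy covers
    findings = []
    # Check 1: the DLL must carry a valid signature from an expected signer.
    if not ev.signed:
        findings.append("unsigned DLL loaded into protected process")
    elif ev.signature_status.lower() != "valid":
        findings.append(f"signature not valid: {ev.signature_status}")
    elif ev.signature not in (policy["signer"], MICROSOFT_SIGNER):
        findings.append(f"unexpected signer: {ev.signature}")
    # Check 2: the DLL must come from the install or a system directory.
    in_install = _under(ev.image_loaded, policy["install_dir"])
    in_system = any(_under(ev.image_loaded, d) for d in SYSTEM_DIRS)
    if not (in_install or in_system):
        findings.append("DLL loaded from outside install and system directories")
    return findings


def scan(lines) -> dict[str, list[str]]:
    """Map each flagged DLL path to its findings."""
    report: dict[str, list[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        findings = assess(ev)
        if findings:
            report[ev.image_loaded] = findings
    return report


# Constructed sample events: two benign loads, two suspicious ones, and one
# load by an unrelated process that the policy does not cover.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\ExampleAV\avservice.exe|ImageLoaded=C:\Program Files\ExampleAV\engine.dll|Signed=true|Signature=Example AV Vendor Inc.|SignatureStatus=Valid",
    r"Image=C:\Program Files\ExampleAV\avservice.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"Image=C:\Program Files\ExampleAV\avservice.exe|ImageLoaded=C:\Users\Public\helper.dll|Signed=false|Signature=|SignatureStatus=Unsigned",
    r"Image=C:\Program Files\ExampleAV\avservice.exe|ImageLoaded=C:\Program Files\ExampleAV\plugin.dll|Signed=true|Signature=Unknown Publisher|SignatureStatus=Valid",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Users\Public\helper.dll|Signed=false|Signature=|SignatureStatus=Unsigned",
]

if __name__ == "__main__":
    for dll, findings in scan(SAMPLE_EVENTS).items():
        print(dll)
        for f in findings:
            print("  -", f)
```

The two checks are deliberately independent: a correctly signed DLL sitting in a user-writable directory and an unsigned DLL inside the install directory are both worth an alert, because either one indicates the loading process is not enforcing what the bulletin describes. In practice the policy table would list the real service binaries and the certificate subject the vendor actually signs with, and the records would come from Sysmon or an EDR rather than from the constructed list.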
Symantec's alert did not identify what the problem was but merely noted that updates have been issued to address it in the company's Symantec Endpoint Protection (SEP), Symantec Endpoint Protection Manager (SEPM), and the small business edition of the software (SEP SBE).
Flaws in security products can be especially problematic for organizations that use them. Not only are such products trusted, they also typically run with very high privileges on installed systems. They give attackers an opportunity to mask malicious activity and make it appear legitimate.
Data maintained by CVE Details shows that at least 17 flaws have been reported in Symantec's products, 13 of which enabled some sort of bypass, privilege escalation, or information leak. The database shows that a total of 34 bugs have been reported in various McAfee products, including those that enabled privilege escalation, bypass, code execution, and denial-of-service.
I think that the broad takeaway for organizations here is mainly to stay updated, Hadar notes. There are a lot of security researchers out there that report these kinds of issues to the vendors, and vulnerabilities [are] getting patched every day. Keep your systems up to date.





