Authors: McAfee
Risk: High
CVE: CVE-2018-6662
0day: Local Command Injection
0day-id: 0DAY-176117
Date: 2018-04-29
McAfee Management of Native Encryption is prone to a local command-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker may exploit this issue to inject and execute arbitrary commands within the context of the affected application; this may aid in further attacks.
|Impact of Vulnerability:|OS Command Injection (CWE-78)|
|CVSS v3 Base/Temporal Scores:|7.5 / 7.2|
|Recommendations:|Install or update to Management of Native Encryption (MNE) 4.1.4|
|Security Bulletin Replacement:|None|
|Affected Software:|MNE 4.1.3 and earlier. Mac versions only.|
|Location of updated software:|http://www.mcafee.com/us/downloads/downloads.aspx|
This vulnerability is present in MNE 4.1.3 and earlier when installed on a system running macOS.
During policy enforcement, a user may be asked to enter a password to activate FileVault full disk encryption. A malicious user could enter a specially crafted password that would allow them to gain root access to the system.
In McAfee Management of Native Encryption 4.1.3 and earlier, failure to sanitize user input allows local users to gain elevated privileges via crafted user input.
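The bulletin does not say how MNE hands the entered password to the operating system, so the following is an added illustration of the CWE-78 class it names, not McAfee's code. It assumes a hypothetical privileged helper (here `cat`, which simply echoes what it receives) and a constructed, harmless probe string, and contrasts splicing the password into a shell command line with passing it as data on stdin.

```python
import subprocess

# Hypothetical stand-in for the privileged helper that consumes the password.
# `cat` echoes its stdin, so the return value shows exactly what the helper saw.
HELPER = ["cat"]


def submit_unsafe(password: str) -> str:
    """Vulnerable pattern (CWE-78): the password is concatenated into a
    command line that /bin/sh then parses, so shell metacharacters in the
    password are interpreted instead of being treated as data."""
    cmd = "printf '%s' " + password + " | " + " ".join(HELPER)
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def submit_safe(password: str) -> str:
    """Hardened pattern: fixed argv list, no shell, and the password is
    delivered on stdin. Nothing in the password is ever parsed as syntax,
    and it does not appear in the process argument list."""
    done = subprocess.run(HELPER, input=password, capture_output=True,
                          text=True, check=True)
    return done.stdout


def compare(password: str) -> dict:
    """Report what the helper received under each pattern."""
    unsafe, safe = submit_unsafe(password), submit_safe(password)
    return {
        "unsafe_intact": unsafe == password,
        "safe_intact": safe == password,
        "unsafe_output": unsafe,
    }


if __name__ == "__main__":
    # Constructed probe: if the shell evaluates it, the arithmetic result
    # (42) shows up in the output instead of the literal text.
    for pw in ["pw; echo $((6*7))", "correct horse"]:
        print(repr(pw), compare(pw))
```

A useful regression check for a fix of this kind is the `safe_intact` property: for any password, including ones containing spaces, quotes, `;`, `$` or backticks, the helper must receive the exact bytes the user typed.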
To remediate this issue, ensure that MNE 4.1.4 or later is installed on all systems that use the macOS operating system.
Go to the Product Downloads site and download the applicable product patch files:
|MNE|4.1.4|Patch|April 24, 2018|
Download and Installation Instructions
See KB56057 for instructions on how to download McAfee products, documentation, security updates, patches, and hotfixes. Review the Release Notes and the Installation Guide, which you can download from the Documentation tab, for instructions on how to install these updates.
There is no workaround for this issue; McAfee strongly recommends that you install the available patch.
No vulnerability detection signatures are available.
This vulnerability was discovered internally by the McAfee development team.