McAfee Management of Native Encryption CVE-2018-6662 Local Command Injection

Authors:McAfee               Risk:High

CVE:CVE-2018-6662           0day:Local Command Injection

0day -id:0DAY-176117         Date:2018-04-29

Description

McAfee Management of Native Encryption is prone to a local command-injection vulnerability because it fails to properly sanitize user-supplied input.

An attacker may exploit this issue to inject and execute arbitrary commands within the context of the affected application; this may aid in further attacks.

Summary

Impact of Vulnerability: OS Command Injection (CWE-78)
 CVE ID: CVE-2018-6662
 Severity Rating: High
 CVSS v3 Base/Temporal Scores: 7.5 / 7.2
 Recommendations: Install or update to Management of Native Encryption (MNE) 4.1.4
 Security Bulletin Replacement: None
 Affected Software: MNE 4.1.3 and earlier. Mac versions only.
 Location of updated software: http://www.mcafee.com/us/downloads/downloads.aspx

Analysis

This vulnerability is present in MNE 4.1.3 and earlier when installed on a system running macOS.

During policy enforcement, a user may be asked to enter a password to activate FileVault full disk encryption. A malicious user could enter a specially crafted password that would allow them to gain root access to the system.

CVE-2018-6662

McAfee Management of Native Encryption 4.1.3 and earlier. Failure to sanitize user input, which allows local users to gain elevated privileges via crafted user input.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6662

Remediation
To remediate this issue, ensure that MNE 4.1.4 or later is installed on all systems that use the macOS operating system.

Go to the Product Downloads site and download the applicable product patch files:

Product Versions Type Release Date
MNE 4.1.4 Patch April 24, 2018

Download and Installation Instructions
See KB56057 for instructions on how to download McAfee products, documentation, security updates, patches, and hotfixes. Review the Release Notes and the Installation Guide, which you can download from the Documentation tab, for instructions on how to install these updates.

Workaround
There is no workaround for this issue; McAfee strongly recommends that you install the available patch.

Mitigations
No vulnerability detection signatures are available.

Acknowledgements
This vulnerability was discovered internally by the McAfee development team.

 

 

 

Leave a Reply