Vulnerability Note VU#245327
McAfee VirusScan for Linux contains multiple vulnerabilities
Original Release date: 12 Dec 2016 | Last revised: 13 Dec 2016
McAfee VirusScan for Linux contains multiple vulnerabilities.
McAfee VirusScan for Linux version 2.0.3 and prior is vulnerable to the following:
CWE-200: Information Exposure – CVE-2016-8016
Multiple pages within the web interface utilize a tplt parameter.
An authenticated remote attacker can manipulate the value of the tplt parameter to produce error messages that can reveal the existence of unauthorized files on the system, if the attacker can guess the filename.
CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) – CVE-2016-8017
An authenticated remote attacker may be able to place special text elements such as "__REPLACE_THIS__" or "[%" and "%]" with special meaning to the software parser into user input such that the special element may be injected into system processes such as log readers. When the log is read, the software will read these special elements as commands and take appropriate actions.
An attacker may be able to use this vulnerability to remotely read files on the webserver as the nails user.
CWE-352: Cross-Site Request Forgery (CSRF) – CVE-2016-8018
The web interface does not make use of anti-CSRF tokens and therefore may be vulnerable to CSRF.
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – CVE-2016-8019
Multiple pages within the web interface utilize a tplt parameter. When tplt is set to NailsConfig.html or MonitorHost.html, parameters info:7 and info:5 contain user input and are not properly verified.
CWE-94: Improper Control of Generation of Code (‘Code Injection’) – CVE-2016-8020
On the final page of the system scan form, the nailsd.profile.ODS_9.scannerPath variable contains the path that the system will execute to run the scan.
An authenticated remote user may manipulate this value in the HTTP request to execute an arbitrary binary as the root user.
CWE-347: Improper Verification of Cryptographic Signature – CVE-2016-8021
The web interface does not properly verify the cryptographic signature of the file, allowing a remote attacker to spoof the update server and execute arbitrary code.
CWE-290: Authentication Bypass by Spoofing – CVE-2016-8022
The web interface uses an authentication cookie that embeds the users’ IP address into the cookie.
A remote attacker may be able to manipulate the cookie in such a way that the service believes the cookie was sent from the victim’s IP address.
CWE-302: Authentication Bypass by Assumed-Immutable Data – CVE-2016-8023
The web interface uses an authentication cookie that embeds the server start time as the DATE parameter.
A remote attacker may be able to brute-force guess the server start time stored in DATE, which may lead to authentication bypass.
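The two cookie weaknesses above share one root cause: the server trusts values inside the cookie (the IP address claim, the DATE field) that it never authenticated and that a client can choose or guess. The following is an added illustration, not code from McAfee or from the advisory, of a hypothetical hardened scheme: the cookie carries a random nonce instead of the server start time, and every field is covered by an HMAC so that editing the IP claim is detected; the IP claim is then compared against the peer address the server itself observed. The key, user and addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed key so the example is reproducible; a real server would
# generate it at start-up and never embed it in any cookie.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _mac(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, client_ip: str, key: bytes, nonce: Optional[str] = None) -> str:
    """Bind user and observed peer IP to a random nonce and authenticate all three.
    The nonce takes the place of the guessable server start time (DATE)."""
    nonce = nonce or secrets.token_hex(16)
    body = f"USER={user};IP={client_ip};NONCE={nonce}"
    return f"{body};SIG={_mac(key, body)}"


def verify_cookie(cookie: str, observed_ip: str, key: bytes) -> Optional[str]:
    """Return the user name if the cookie is authentic and was issued to the
    address the request actually arrived from; otherwise None."""
    body, sep, sig = cookie.rpartition(";SIG=")
    if not sep:
        return None
    # Constant-time check: any edit to USER, IP or NONCE invalidates the MAC.
    if not hmac.compare_digest(_mac(key, body), sig):
        return None
    fields = dict(kv.split("=", 1) for kv in body.split(";"))
    # The IP inside the cookie is only a claim; it is accepted only after the
    # MAC check and only if it matches what the server observed on the socket.
    if fields.get("IP") != observed_ip:
        return None
    return fields.get("USER")


def demo() -> dict:
    cookie = issue_cookie("admin", "10.0.0.5", DEMO_KEY, nonce="c0ffee")
    edited = cookie.replace("IP=10.0.0.5", "IP=10.0.0.9")  # altered IP claim
    return {
        "genuine": verify_cookie(cookie, "10.0.0.5", DEMO_KEY),
        "edited_ip": verify_cookie(edited, "10.0.0.9", DEMO_KEY),
        "replayed_elsewhere": verify_cookie(cookie, "10.0.0.9", DEMO_KEY),
    }
```

Binding a session to a client address is of limited value behind NAT or proxies; the essential fix is that no field the cookie carries is trusted without a server-side integrity check.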
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) – CVE-2016-8024
A remote attacker may be able to spoof an HTTP GET request for a CSV export of the system logs with newlines encoded in the URL in such a manner that arbitrary HTTP headers may be spoofed in the server response.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – CVE-2016-8025
The web interface’s CSV log export functionality encodes a SQL command into the URL.
A remote attacker may be able to include arbitrary SQL commands URL-encoded in an HTTP request, thereby executing SQL commands on the backend SQLite database.
This database does not contain authentication information, only data about settings and previously scanned files.
For more information, please see McAfee Security Bulletin SB10181 and the researcher’s blog post.
The CVSS score below is based on CVE-2016-8023.
For further CVSS scoring and analysis, please see McAfee Security Bulletin SB10181.
Previously this Vulnerability Note also contained one vulnerability for the Windows platform.
This issue was republished as its own VU#535111 to prevent product confusion.
Upgrade to a new product
McAfee has discontinued the VirusScan for Linux product in favor of the new McAfee Endpoint Security product, which addresses these vulnerabilities. McAfee recommends that affected users upgrade to Endpoint Security version 10.2 or later as soon as possible.
The upgrade is available free of charge to existing users with current licenses.
Vendor Information
Vendor: McAfee
Status: Affected
Date Notified: 05 Dec 2016
Date Updated: 12 Dec 2016
CVSS Metrics
Thanks to Andrew Fasano for reporting these vulnerabilities to us.
This document was written by Garret Wassermann.
09 Dec 2016
Date First Published: 12 Dec 2016
Date Last Updated: 13 Dec 2016