A security researcher has discovered a vulnerability in McAfee's VirusScan Command Line Scanner antivirus software that could enable remote attackers to execute malicious code.
The flaw affects VirusScan versions 4510e and older and is caused by a glitch in an embedded DT_RPATH tag, which instructs the software to search the working directory for shared library files in Linux.
An attacker could exploit the flaw by getting a user to run a scan on a rigged file in the directory where they saved it, which would allow the execution of malicious code on the system with user privileges, according to Jakub Moc, a security researcher with Gentoo Linux, who was credited with discovering the vulnerability.
"This is very easy to exploit, and if VirusScan is used in a mail scanner on a mail server, just sending someone an e-mail with an attachment with the right name would execute it," Moc said.
Gentoo Linux rated the severity of the threat as "high," or 3 on a 3-point scale, and Symantec Deepsight gave it an aggregate threat score of 7.8 out of 10. However, the French Security Incident Research Team rated the flaw as "moderate," or 2 on a 4-point scale.
McAfee said it's working around the clock to patch the vulnerability but doesn't consider it to be serious.
In a Thursday post to the Full Disclosure security mailing list, David Coffey, manager of product security at Santa Clara, Calif.-based McAfee, said the privilege of the executed code isn't raised from the privileges of the executing user, which means an attacker would have to compromise the machine through another mechanism to place the malicious library on the system.
Coffey also chided Gentoo Linux for posting detailed information on the VirusScan flaw less than nine hours after it alerted McAfee.
"It is disappointing that the finder did not follow responsible disclosure processes so that we could alert our customers and make sure they were protected accordingly," he said. "Instead, the finder published the vulnerability before we could issue a fix to secure our users."
Source: CRN