McAfee VirusScan Enterprise for Linux (VSEL) version 2.0.3 and prior contains the following vulnerabilities:
CWE-200: Information Exposure – CVE-2016-8016
Multiple pages within the web interface use a tplt parameter. An authenticated remote attacker can manipulate the value of the tplt parameter to produce error messages that reveal whether a given file exists on the system, including files the attacker is not authorized to access, provided the attacker can guess the filename.
CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) – CVE-2016-8017
An authenticated remote attacker may be able to place text elements that have special meaning to the software's parser, such as "__REPLACE_THIS__" or the delimiters "[%" and "%]", into user input that is later consumed by other system processes such as log readers. When the log is read, the software interprets these elements as directives and acts on them. An attacker may be able to use this vulnerability to remotely read files on the web server as the nails user.
CWE-352: Cross-Site Request Forgery (CSRF) – CVE-2016-8018
The web interface does not make use of anti-CSRF tokens and therefore may be vulnerable to CSRF.
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – CVE-2016-8019
CWE-94: Improper Control of Generation of Code (‘Code Injection’) – CVE-2016-8020
On the final page of the system scan form, the nailsd.profile.ODS_9.scannerPath variable contains the path that the system will execute to run the scan. An authenticated remote user may manipulate this value in the HTTP request to execute an arbitrary binary as the root user.
CWE-347: Improper Verification of Cryptographic Signature – CVE-2016-8021
The web interface does not properly verify the cryptographic signature of downloaded update files, allowing a remote attacker who can spoof the update server to supply a malicious update and execute arbitrary code.
CWE-290: Authentication Bypass by Spoofing – CVE-2016-8022
The web interface uses an authentication cookie that embeds the user's IP address in the cookie. A remote attacker may be able to manipulate the cookie in such a way that the service believes the cookie was sent from the victim's IP address.
CWE-302: Authentication Bypass by Assumed-Immutable Data – CVE-2016-8023
The web interface uses an authentication cookie that embeds the server start time as the DATE parameter. A remote attacker may be able to brute-force guess the server start time stored in DATE, which may lead to authentication bypass.
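The two cookie weaknesses above (CVE-2016-8022 and CVE-2016-8023) share a root cause: the cookie is built only from values the attacker knows or can guess, and the server trusts the client address it reads out of the cookie. The following is an added example, not code from the product or the vulnerability note. Its cookie layout ("user|ip|sha1(user|ip|DATE)") is an assumed stand-in chosen to illustrate the class, not McAfee's actual format; the server start time, user name and IP address used are constructed.

```python
import hashlib
import hmac
import secrets


# Assumed stand-in for the weak scheme (NOT the product's real cookie): the
# cookie carries the user name and client IP in clear text, bound by an unkeyed
# SHA-1 digest whose only secret ingredient is the server start time (DATE).
class WeakServer:
    def __init__(self, start_time: int):
        self.start_time = start_time

    @staticmethod
    def digest(user: str, ip: str, date: int) -> str:
        return hashlib.sha1(f"{user}|{ip}|{date}".encode()).hexdigest()

    def issue(self, user: str, ip: str) -> str:
        return f"{user}|{ip}|{self.digest(user, ip, self.start_time)}"

    def verify(self, cookie: str):
        """Return the (user, ip) the server will trust, or None.
        The IP is taken from the cookie itself, not from the socket."""
        try:
            user, ip, digest = cookie.split("|")
        except ValueError:
            return None
        if hmac.compare_digest(digest, self.digest(user, ip, self.start_time)):
            return user, ip
        return None


def forge(user: str, ip: str, date_guess: int) -> str:
    """Attacker side: no key is involved, so anyone can mint a cookie for any
    user and any claimed IP once the DATE value is known (CVE-2016-8022)."""
    return f"{user}|{ip}|{WeakServer.digest(user, ip, date_guess)}"


def brute_force_date(server: WeakServer, user: str, ip: str, lo: int, hi: int):
    """CVE-2016-8023: DATE is a low-entropy Unix time inside a plausible uptime
    window, so it can be recovered by online guessing against the server."""
    for guess in range(lo, hi + 1):
        cookie = forge(user, ip, guess)
        if server.verify(cookie) == (user, ip):
            return guess, cookie
    return None


# Hardened replacement: a random session id that only the server's session
# table knows, authenticated with a keyed HMAC; the client address is bound
# server side from the observed connection, never read from the cookie.
class HardenedServer:
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._sessions = {}

    def _tag(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), "sha256").hexdigest()

    def issue(self, user: str, observed_ip: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, observed_ip)
        return f"{sid}.{self._tag(sid)}"

    def verify(self, cookie: str, observed_ip: str):
        try:
            sid, tag = cookie.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(tag, self._tag(sid)):
            return None
        entry = self._sessions.get(sid)
        if entry is None or entry[1] != observed_ip:
            return None
        return entry[0]
```

Against WeakServer, a cookie forged with the victim's IP is accepted as if it came from the victim, and the DATE value falls to a few thousand guesses over a plausible uptime window. HardenedServer rejects a tampered tag, and a valid cookie replayed from a different source address is refused because the binding lives in the server's session table.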
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) – CVE-2016-8024
A remote attacker may be able to craft an HTTP GET request for a CSV export of the system logs with CRLF sequences URL-encoded in the URL such that arbitrary HTTP headers are injected into the server response.
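The mechanism behind CVE-2016-8024 is that a URL-encoded "%0d%0a" is decoded back into a raw CRLF before the value is copied into a response header, which terminates that header and starts a new one. The following is an added example, not code from the product: a constructed CSV export handler that copies the requested file name into Content-Disposition, a minimal parser showing what a client would see, and a hardened handler that allow-lists the file name characters.

```python
import re
from urllib.parse import unquote


# Constructed stand-in for a CSV export handler (not the product's code): the
# requested file name is URL-decoded and copied into a header unchecked.
def vulnerable_response_head(requested_name: str) -> bytes:
    name = unquote(requested_name)      # "%0d%0a" becomes a raw "\r\n" here
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/csv\r\n"
        f"Content-Disposition: attachment; filename={name}\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_headers(head: bytes) -> dict:
    """Minimal client-side view: which headers does the recipient see?"""
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        if not line:                    # empty line ends the header block
            break
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers


# Conservative allow-list: letters, digits, dot, underscore, hyphen. CR, LF
# and NUL cannot match, so they never reach a header.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def safe_response_head(requested_name: str) -> bytes:
    """Hardened form: decode first, then validate the decoded value."""
    name = unquote(requested_name)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("refusing unsafe export file name")
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/csv\r\n"
        f"Content-Disposition: attachment; filename={name}\r\n"
        "\r\n"
    ).encode("latin-1")
```

With a constructed request name of "logs.csv%0d%0aSet-Cookie:%20session=attacker", the vulnerable handler emits a Set-Cookie header the server never intended; the hardened handler rejects the same input. Validating after decoding matters: checking the still-encoded string for "\r\n" would pass the payload.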
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – CVE-2016-8025
The web interface's CSV log export functionality places a SQL statement in the URL. A remote attacker may be able to supply arbitrary SQL, URL-encoded in an HTTP request, which is then executed against the backend SQLite database. This database does not contain authentication information, only settings and data about previously scanned files.
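The following is an added example, not code from the product or the vulnerability note, showing why an export endpoint that takes SQL from the URL is indistinguishable from arbitrary query access, and the usual fix: the client selects a named view, the SQL text lives server side, and the one client-controlled value is bound as a parameter. The database schema, rows, host name and parameter names are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs, quote, urlsplit


def make_db() -> sqlite3.Connection:
    """Constructed sample database standing in for a scanner's SQLite store
    of settings and scan results (schema and rows are invented)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE scanlog(id INTEGER PRIMARY KEY, path TEXT, result TEXT);
        INSERT INTO scanlog(path, result) VALUES
            ('/home/alice/report.doc', 'clean'),
            ('/tmp/eicar.com', 'infected'),
            ('/etc/hosts', 'clean');
        CREATE TABLE settings(name TEXT, value TEXT);
        INSERT INTO settings VALUES ('update_server', 'https://update.example.invalid');
    """)
    return con


def vulnerable_export(con: sqlite3.Connection, url: str):
    """Pattern described for CVE-2016-8025: the statement to run is taken
    straight from the URL, so the requester chooses what is executed."""
    sql = parse_qs(urlsplit(url).query)["sql"][0]   # parse_qs URL-decodes
    return con.execute(sql).fetchall()


# Hardened form: fixed SQL per export view, with a single bound parameter.
EXPORT_VIEWS = {
    "scanlog": "SELECT path, result FROM scanlog WHERE result = ? ORDER BY id",
}


def safe_export(con: sqlite3.Connection, url: str):
    qs = parse_qs(urlsplit(url).query)
    view = qs.get("view", [""])[0]
    if view not in EXPORT_VIEWS:
        raise ValueError("unknown export view")
    result = qs.get("result", ["clean"])[0]
    return con.execute(EXPORT_VIEWS[view], (result,)).fetchall()


def export_url(**params) -> str:
    """Build a request URL the way a client would (hypothetical host name)."""
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return "http://scanner.example.invalid/export.csv?" + query
```

Against vulnerable_export, a request whose sql parameter reads "SELECT name, value FROM settings" returns the settings table although the endpoint exists to export scan logs. Against safe_export, a result value of "x' OR 1=1 --" is compared literally and matches nothing, and a request for an unknown view is refused. Note that sqlite3's execute() runs a single statement, so the stacked "; DROP TABLE" form fails here anyway; the point is that any single SELECT against any table is already full read access.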
For more information, please see McAfee Security Bulletin SB10181 and the researcher’s blog post.
The CVSS score below is based on CVE-2016-8023. For further CVSS scoring and analysis, please see McAfee Security Bulletin SB10181.
Previously this Vulnerability Note also contained one vulnerability for the Windows platform. This issue was republished as its own VU#535111 to prevent product confusion.