SafeBreach specialists discovered a dangerous bug, CVE-2019-3648, affecting the McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP) and McAfee Internet Security (MIS) security solutions.
The root of the problem is that McAfee products try to load a DLL file (wbemcomn.dll) using the wrong file path. As a result, an attacker can create a malicious version of wbemcomn.dll and place it in the directory where the antivirus looks for the file, which ultimately leads to the file being loaded and executed without any checks.
Exploiting the vulnerability requires administrator rights. If this condition is met, the bug makes it possible to bypass the protective mechanisms of McAfee antivirus products and load unsigned DLLs into various services running with NT AUTHORITY\SYSTEM rights. This gives the attacker a stable presence in the system, because the malicious code from the DLL is executed every time the services restart.
Researchers told McAfee specialists about the problem back in August of this year, and by now the vulnerability has already been eliminated. Users of vulnerable products are advised to upgrade to version 16.0.R22 Refresh 1.
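
For defenders, the behaviour described above (an unsigned wbemcomn.dll loaded from the wrong path into a SYSTEM service) can be hunted for in image-load telemetry. The sketch below is an added example, not code from SafeBreach or McAfee; it assumes records with field names modelled on Sysmon image-load events (`Image`, `ImageLoaded`, `Signed`, `SignatureStatus`, `User`), assumes the genuine DLL lives in the Windows system directories, and runs on constructed sample events with placeholder paths.

```python
import ntpath

# Assumption: the genuine wbemcomn.dll lives in these Windows system directories.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_DLL = "wbemcomn.dll"

def assess_load(event):
    """Return the reasons an image-load event looks like a planted wbemcomn.dll."""
    loaded = event["ImageLoaded"]
    if ntpath.basename(loaded).lower() != WATCHED_DLL:
        return []
    reasons = []
    # normpath collapses "..\" segments so traversal cannot disguise the directory.
    directory = ntpath.normpath(ntpath.dirname(loaded)).lower()
    if directory not in TRUSTED_DIRS:
        reasons.append("unexpected directory")
    signed = event.get("Signed", "false").lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("not validly signed")
    if reasons and event.get("User", "").upper() == r"NT AUTHORITY\SYSTEM":
        reasons.append("loaded by a SYSTEM process")
    return reasons

def find_suspicious_loads(events):
    """Return (process image, DLL path, reasons) for every flagged event."""
    flagged = []
    for event in events:
        reasons = assess_load(event)
        if reasons:
            flagged.append((event["Image"], event["ImageLoaded"], reasons))
    return flagged

# Constructed sample events; the ExampleAV paths are placeholders, not real product paths.
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "User": SYSTEM, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\wbemcomn.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\ExampleAV\service.exe", "User": SYSTEM, "Signed": "false",
     "ImageLoaded": r"C:\Program Files\ExampleAV\wbemcomn.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Tools\viewer.exe", "User": r"DESKTOP\alice", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\wbemcomn.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\ExampleAV\service.exe", "User": SYSTEM, "Signed": "false",
     "ImageLoaded": r"C:\Program Files\ExampleAV\example.dll", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, dll, reasons in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"{image} loaded {dll}: {', '.join(reasons)}")
```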