Tuesday, April 2, 2013

HTB23128: McAfee Virtual Technician ActiveX Control Insecure Method

The McAfee Virtual Technician ActiveX control, version 6.5.0.2101, suffers from an Exposed Unsafe ActiveX Method vulnerability [CWE-618]. A remote attacker can exploit this vulnerability to overwrite arbitrary files with garbage data on a vulnerable system.

The vulnerability exists because the ActiveX control exposes the insecure "Save()" method, implemented in the "McHealthCheck.dll" DLL. This can be exploited to corrupt or create arbitrary files in the context of the current user. Proof-of-Concept (PoC) code is available on the security advisory page.

Solution: upgrade to McAfee Virtual Technician (MVT) 7.1
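To find hosts that still carry the affected control, the following read-only PowerShell inventory lists COM classes registered machine-wide whose in-process server is McHealthCheck.dll, with the DLL's file version and the Internet Explorer kill-bit state. It is an added example, not code from McAfee or the advisory. It assumes the DLL's file version carries the 6.5.0.2101 number quoted above, and it does not cover per-user (HKCU) registrations.

```powershell
# Added example (not from the advisory): read-only inventory of COM classes
# whose in-process server is McHealthCheck.dll. Nothing is modified.
$dllName   = 'McHealthCheck.dll'      # DLL named in the advisory
$advisory  = [version]'6.5.0.2101'    # affected version (assumed to be the DLL file version)
$killBit   = 0x400                    # IE "kill bit" in Compatibility Flags
$compatKey = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# 32-bit IE reads the 32-bit registry view, so check both views on 64-bit Windows.
$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $views += [Microsoft.Win32.RegistryView]::Registry64
}

foreach ($view in $views) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    $root = $hklm.OpenSubKey('SOFTWARE\Classes\CLSID')
    if ($null -eq $root) { $hklm.Close(); continue }

    foreach ($clsid in $root.GetSubKeyNames()) {
        $srv = $root.OpenSubKey("$clsid\InprocServer32")
        if ($null -eq $srv) { continue }
        $path = ([string]$srv.GetValue('')).Trim('"')
        $srv.Close()
        if ($path -notlike "*\$dllName") { continue }

        # File version of the DLL on disk, if it is still present.
        $ver = $null
        if (Test-Path -LiteralPath $path) {
            $vi  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
            $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
                $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        }

        # The kill bit lives in the same registry view as the registration.
        $ck    = $hklm.OpenSubKey("$compatKey\$clsid")
        $flags = if ($ck) { [int]$ck.GetValue('Compatibility Flags', 0) } else { 0 }
        if ($ck) { $ck.Close() }

        [pscustomobject]@{
            View            = $view
            Clsid           = $clsid
            Path            = $path
            FileVersion     = $ver
            MatchesAdvisory = ($ver -eq $advisory)
            KillBitSet      = (($flags -band $killBit) -ne 0)
        }
    }
    $root.Close(); $hklm.Close()
}
```

A row with `MatchesAdvisory` true and `KillBitSet` false marks a host where the affected control is still loadable in Internet Explorer and the upgrade to MVT 7.1 is outstanding.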

Related links:
McAfee Security Bulletin - McAfee MVT & ePO-MVT update fixes an "Escalation of Privileges" vulnerability
High-Tech Bridge Advisory HTB23128 - McAfee Virtual Technician ActiveX control Insecure Method.
