CVE-2016-3984 - OpenCVE

The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) before 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control (MDC) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Endpoint Security (ENS) 10.x before 10.1, Host Intrusion Prevention Service (IPS) 8.0 before 8.0.0.3624, and VirusScan Enterprise (VSE) 8.8 before P7 (8.8.0.1528) on Windows allows local administrators to bypass intended self-protection rules and disable the antivirus engine by modifying registry keys.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Mcafee	Data Exchange Layer Agent Endpoint Security Active Response Data Loss Prevention Endpoint Host Intrusion Prevention Virusscan Enterprise

Configuration 1 [-]

OR	cpe:2.3:a:mcafee:active_response::::::::
	cpe:2.3:a:mcafee:agent::::::::
	cpe:2.3:a:mcafee:data_exchange_layer::::::::
	cpe:2.3:a:mcafee:data_loss_prevention_endpoint::p5::::::*
	cpe:2.3:a:mcafee:data_loss_prevention_endpoint::p1_hf2::::::*
	cpe:2.3:a:mcafee:endpoint_security::::::::
	cpe:2.3:a:mcafee:host_intrusion_prevention::p6::::::*
	cpe:2.3:a:mcafee:virusscan_enterprise::p6::::::*

References

Link	Resource
http://lab.mediaservice.net/advisory/2016-01-mcafee.txt	Exploit
http://seclists.org/fulldisclosure/2016/Mar/13
http://www.securitytracker.com/id/1035130
https://kc.mcafee.com/corporate/index?page=content&id=SB10151	Vendor Advisory
https://www.exploit-db.com/exploits/39531/	Exploit

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2016-04-08T15:00:00

Updated: 2016-04-14T13:57:01

Reserved: 2016-04-08T00:00:00

Link: CVE-2016-3984

JSON object: View

NVD Information

Status : Analyzed

Published: 2016-04-08T15:59:10.107

Modified: 2016-05-18T21:28:47.033

Link: CVE-2016-3984

JSON object: View

Redhat Information

No data.

CWE

CWE-284

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-02-29T00:00:00", "descriptions": [{"lang": "en", "value": "The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) before 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control (MDC) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Endpoint Security (ENS) 10.x before 10.1, Host Intrusion Prevention Service (IPS) 8.0 before 8.0.0.3624, and VirusScan Enterprise (VSE) 8.8 before P7 (8.8.0.1528) on Windows allows local administrators to bypass intended self-protection rules and disable the antivirus engine by modifying registry keys."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-04-14T13:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20160304 McAfee VirusScan Enterprise security restrictions bypass", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2016/Mar/13"}, {"tags": ["x_refsource_MISC"], "url": "http://lab.mediaservice.net/advisory/2016-01-mcafee.txt"}, {"name": "39531", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/39531/"}, {"name": "1035130", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1035130"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10151"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-3984", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) before 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control (MDC) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Endpoint Security (ENS) 10.x before 10.1, Host Intrusion Prevention Service (IPS) 8.0 before 8.0.0.3624, and VirusScan Enterprise (VSE) 8.8 before P7 (8.8.0.1528) on Windows allows local administrators to bypass intended self-protection rules and disable the antivirus engine by modifying registry keys."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20160304 McAfee VirusScan Enterprise security restrictions bypass", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2016/Mar/13"}, {"name": "http://lab.mediaservice.net/advisory/2016-01-mcafee.txt", "refsource": "MISC", "url": "http://lab.mediaservice.net/advisory/2016-01-mcafee.txt"}, {"name": "39531", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/39531/"}, {"name": "1035130", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035130"}, {"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10151", "refsource": "CONFIRM", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10151"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-3984", "datePublished": "2016-04-08T15:00:00", "dateReserved": "2016-04-08T00:00:00", "dateUpdated": "2016-04-14T13:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mcafee:active_response:*:*:*:*:*:*:*:*", "matchCriteriaId": "543B3BBE-A5D5-4EC9-BBDE-646EC654CB43", "versionEndIncluding": "1.1.0.158", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "988ACD16-D8B6-4934-9653-4E10857BFA83", "versionEndIncluding": "5.0.2.285", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:data_exchange_layer:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CBBB9A7-B7D6-4A59-85CA-A4C840BB9B24", "versionEndIncluding": "2.0.0.430.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:data_loss_prevention_endpoint:*:p5:*:*:*:*:*:*", "matchCriteriaId": "BC49C347-3C2B-4A2B-BA39-22E70ED3F835", "versionEndIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:data_loss_prevention_endpoint:*:p1_hf2:*:*:*:*:*:*", "matchCriteriaId": "68E9052A-ACB0-4791-AFEB-98DBBF537A5B", "versionEndIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:endpoint_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "997552D0-C322-4E13-8944-C6E56428EE33", "versionEndIncluding": "10.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:host_intrusion_prevention:*:p6:*:*:*:*:*:*", "matchCriteriaId": "EED9A958-538B-4B25-9696-6850508D8D54", "versionEndIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:virusscan_enterprise:*:p6:*:*:*:*:*:*", "matchCriteriaId": "EDF04428-E664-4922-B950-DB61BE5AD13F", "versionEndIncluding": "8.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) before 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control (MDC) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Endpoint Security (ENS) 10.x before 10.1, Host Intrusion Prevention Service (IPS) 8.0 before 8.0.0.3624, and VirusScan Enterprise (VSE) 8.8 before P7 (8.8.0.1528) on Windows allows local administrators to bypass intended self-protection rules and disable the antivirus engine by modifying registry keys."}, {"lang": "es", "value": "El McAfee VirusScan Console (mcconsol.exe) en McAfee Active Response (MAR) en versiones anteriores a 1.1.0.161, Agent (MA) 5.x en versiones anteriores a 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) en versiones anteriores a 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 en versiones anteriores a Patch 6 y 9.4 en versiones anteriores a Patch 1 HF3, Device Control (MDC) 9.3 en versiones anteriores a Patch 6 y 9.4 en versiones anteriores a Patch 1 HF3, Endpoint Security (ENS) 10.x en versiones anteriores a 10.1, Host Intrusion Prevention Service (IPS) 8.0 en versiones anteriores a 8.0.0.3624 y VirusScan Enterprise (VSE) 8.8 en versiones anteriores a P7 (8.8.0.1528) en Windows permite a administradores locales eludir las reglas destinadas a la autoprotecci\u00f3n y desactivar el motor del antivirus modificando claves de registro."}], "id": "CVE-2016-3984", "lastModified": "2016-05-18T21:28:47.033", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.0"}, "exploitabilityScore": 0.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-04-08T15:59:10.107", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://lab.mediaservice.net/advisory/2016-01-mcafee.txt"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2016/Mar/13"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1035130"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10151"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.exploit-db.com/exploits/39531/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}