A whitepaper about McAfee’s Application Whitelisting function and methods of bypassing it on Critical Infrastructure Systems has just been released by the Vulnerability Lab of SEC Consult. The author, René Freingruber, clearly explains possible weaknesses of McAfee’s Application Whitelisting function.

We briefly summarize the scope and the main points of the whitepaper. The study examines the possible ways of bypassing the whitelisting functions that are used to protect critical infrastructures. Reliability is the primary property of Critical Infrastructure Systems (e.g. SCADA systems) and similar topologies, so updating these systems may cause unwanted failures due to new patches. Hesitating to update such systems is therefore understandable, but the result may be far more expensive.

René Freingruber summarizes his study in the abstract section of the whitepaper like this: “During the research the Windows version (version 6.1.3.353) of the product was checked against weaknesses and flaws in the design and implementation. Several methods were identified which can be used to bypass the main feature of McAfee Application Control to start execution of non-whitelisted and therefore unauthorized code. During the audit different methods were developed for the most common attack vectors nowadays. In most cases the initial attack was prevented by the application, however, by only applying minimal changes it was possible to bypass the protections and infect the system. These scenarios consisted of different social engineering attacks and memory corruption exploitation. McAfee Application Control claims to implement protections against memory corruption attacks (e.g. buffer overflows). In fact, these protections only correspond to the typical operating system protections such as ASLR and DEP. Therefore exploits developed for newer systems run without any modification because they already include a DEP and ASLR bypass. Additional design flaws and weaknesses were identified which can be used to bypass the read and write protection. Moreover, several vulnerabilities exist in the kernel driver which can be abused to crash the system. Bearing in mind that the main field of application is the security of critical infrastructure systems (for example servers which regularly inspect the temperature of reactors from power plants) such an attack on the reliability can cause serious problems. On a final note, McAfee Application Control ships with very outdated components from 1999 that can be exploited as well.”

The whitepaper contains three main sections, listed below. The first, “Bypassing Code Execution Protection”, is divided into three subsections, each of which clearly demonstrates that a bypass is possible.

Critical Infrastructure Systems Study Sections

  • Bypassing code execution protection
    • Basic code execution
    • Full code execution
    • Bypassing User Account Control (UAC)
  • Bypassing write and read protection
  • Kernel driver vulnerabilities

You can read or download the full report from this link. The conclusion section contains several findings and recommendations to increase the security awareness of end users.