CVE-2020-7264

8.8 HIGH

📋 TL;DR

A privilege escalation vulnerability in McAfee Endpoint Security for Windows allows local users to delete files they shouldn't have access to by manipulating symbolic links. This affects users running ENS for Windows versions prior to 10.7.0 Hotfix 199847.

💻 Affected Systems

Products:
  • McAfee Endpoint Security (ENS) for Windows
Versions: All versions prior to 10.7.0 Hotfix 199847
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local user access to the Windows system running vulnerable ENS version.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious local user could delete critical system files, configuration files, or security logs, potentially causing system instability, data loss, or disabling security controls.

🟠 Likely Case

Local attacker with limited privileges could delete important user or application files, potentially disrupting operations or covering tracks of other malicious activities.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to files the user already has some access to, with detection of suspicious file deletion patterns.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the machine.
🏢 Internal Only: HIGH - Internal users with local access to vulnerable systems can exploit this to escalate privileges and delete protected files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and the ability to run a malicious script or program. Symbolic link manipulation requires an understanding of file system operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.7.0 Hotfix 199847 or later

Vendor Advisory: https://kc.mcafee.com/corporate/index?page=content&id=SB10316

Restart Required: Yes

Instructions:

1. Download Hotfix 199847 from McAfee support portal.
2. Install the hotfix on affected systems.
3. Restart the system to complete installation.

🔧 Temporary Workarounds

Restrict local user privileges

windows

Limit local user accounts to only necessary privileges to reduce attack surface.

Monitor symbolic link creation

windows

Implement monitoring for suspicious symbolic link creation and file deletion patterns.

🧯 If You Can't Patch

  • Implement strict least privilege access controls for local users
  • Enable detailed auditing of file deletion events and symbolic link operations

🔍 How to Verify

Check if Vulnerable:

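Check the ENS version in the McAfee console and compare it to the vulnerable versions. Note that 'Get-MpComputerStatus' is a Microsoft Defender cmdlet: its AMProductVersion field reports the Defender antimalware platform version, not the ENS version, so treat the console as the source for the ENS build.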

Check Version:

Get-MpComputerStatus | Select-Object AMProductVersion

Verify Fix Applied:

Verify ENS version is 10.7.0 Hotfix 199847 or later and check that hotfix installation completed successfully.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletions by McAfee processes
  • Suspicious symbolic link creation events
  • Failed file access attempts followed by successful deletions

Network Indicators:

  • None - this is a local file system attack

SIEM Query:

EventID=4663 AND ProcessName LIKE '%McAfee%' AND AccessMask='0x10000' (Delete access)
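
The SIEM query above, worked through in Python as an added example (not from McAfee or the original page): it tests the DELETE bit (0x10000) of AccessMask bitwise, so a 4663 event whose mask also carries other access bits is still matched. The events, process path and file paths are constructed placeholders, and 4663 events exist only where file system auditing and a SACL on the object are configured.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000  # DELETE bit in the 4663 AccessMask


def make_event(event_id, process, obj, mask):
    """Build a minimal, constructed Security-log event in Windows event XML form."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="ObjectName">{obj}</Data>'
        f'<Data Name="AccessMask">{mask}</Data>'
        f'<Data Name="ProcessName">{process}</Data></EventData></Event>'
    )


# Constructed sample data: the process and file paths are placeholders, not real ENS paths.
AV = r"C:\Program Files\McAfee\placeholder\service.exe"
SAMPLE = "<Events>" + "".join([
    make_event(4663, AV, r"C:\Windows\System32\drivers\etc\hosts", "0x10000"),
    make_event(4663, AV, r"C:\ProgramData\app\audit.log", "0x10080"),  # DELETE plus another bit
    make_event(4663, r"C:\Windows\notepad.exe", r"C:\Users\a\note.txt", "0x10000"),
    make_event(4663, AV, r"C:\Users\a\report.docx", "0x1"),  # read access only
    make_event(4656, AV, r"C:\Users\a\other.txt", "0x10000"),  # handle request, not 4663
]) + "</Events>"


def vendor_deletes(xml_text, vendor="mcafee"):
    """Return (process, object, mask) for 4663 events where a matching process used DELETE."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        try:
            mask = int(data.get("AccessMask", "0"), 16)
        except ValueError:
            continue  # malformed AccessMask: skip the event rather than guess
        if mask & DELETE and vendor in data.get("ProcessName", "").lower():
            hits.append((data["ProcessName"], data.get("ObjectName", ""), hex(mask)))
    return hits


if __name__ == "__main__":
    for process, obj, mask in vendor_deletes(SAMPLE):
        print(f"{mask}  {process}  ->  {obj}")
```

A string comparison against '0x10000' would miss the second sample event, whose mask is 0x10080.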
