CVE-2020-7346
📋 TL;DR
A local privilege escalation vulnerability in McAfee Data Loss Prevention (DLP) for Windows allows low-privileged attackers to load arbitrary DLLs via junction manipulation and specific IOCTL commands. This enables attackers to execute code with higher privileges on affected systems. Only Windows systems running vulnerable McAfee DLP versions are affected.
💻 Affected Systems
- McAfee Data Loss Prevention (DLP) for Windows
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM/administrator privileges, enabling persistent backdoors, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation to SYSTEM/administrator level, allowing installation of malware, disabling security controls, and accessing sensitive data.
If Mitigated
Limited impact with proper endpoint protection, least privilege enforcement, and network segmentation preventing lateral movement.
🎯 Exploit Status
Requires local access, junction manipulation, and precise timing of IOCTL commands. Not trivial but feasible for determined attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.6.100 or later
Vendor Advisory: https://kc.mcafee.com/corporate/index?page=content&id=SB10344
Restart Required: Yes
Instructions:
1. Download McAfee DLP 11.6.100 or later from official sources.
2. Run the installer with administrative privileges.
3. Restart the system as prompted.
4. Verify the update succeeded through the DLP console.
🔧 Temporary Workarounds
Restrict junction creation (Windows)
Prevent low-privileged users from creating NTFS junctions via Group Policy or registry settings. Check that the policy you deploy actually covers junction creation: the DisableBrowse value under the Windows Installer policies key governs the Installer's source-browse dialog.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "DisableBrowse" /t REG_DWORD /d 1 /f
Remove unnecessary local accounts (Windows)
Reduce the attack surface by removing non-essential local user accounts.
net user [username] /delete
🧯 If You Can't Patch
- Implement strict least privilege - ensure no users have unnecessary local administrative rights
- Deploy application control/whitelisting to prevent unauthorized DLL loading and execution
🔍 How to Verify
Check if Vulnerable:
Check McAfee DLP version in Control Panel > Programs and Features or via DLP management console
Check Version:
wmic product where "name like 'McAfee Data Loss Prevention%'" get version
Verify Fix Applied:
Confirm version is 11.6.100 or higher in DLP console or program properties
📡 Detection & Monitoring
Log Indicators:
- Unusual junction creation/deletion events in Windows Security logs
- Suspicious DLL loading by DLP processes
- Failed privilege escalation attempts
Network Indicators:
- Unusual outbound connections from DLP processes post-exploitation
SIEM Query:
(EventID=4656 OR EventID=4663) AND ObjectType="File" AND ProcessName="*dlp*" AND AccessMask="0x100"
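An added example (not from this page or from McAfee) covering the version check in "How to Verify" and the SIEM query above: a numeric comparison against 11.6.100 that does not fall into the string-ordering trap, and the query evaluated over constructed events with the EventID alternatives grouped so the remaining conditions apply to both IDs. The process path is a placeholder and the events are made up.

```python
import fnmatch
import re

# Releases before 11.6.100 are affected (per the advisory cited above).
FIXED_VERSION = (11, 6, 100)

def parse_version(version_string):
    """'11.6.100.104' -> (11, 6, 100, 104). Tuple comparison avoids the
    string-comparison bug where '11.10.0' sorts before '11.6.100'."""
    return tuple(int(p) for p in re.findall(r"\d+", version_string))

def is_vulnerable(version_string):
    """True if the installed DLP build is older than the fixed release."""
    return parse_version(version_string) < FIXED_VERSION

def matches_query(event, event_ids=(4656, 4663), object_type="File",
                  process_glob="*dlp*", access_mask="0x100"):
    """Evaluate the SIEM query from the page against one normalized event.
    The EventID alternatives are grouped so ObjectType, ProcessName and
    AccessMask constrain both IDs; ProcessName is a case-insensitive glob."""
    return (event["EventID"] in event_ids
            and event["ObjectType"] == object_type
            and fnmatch.fnmatch(event["ProcessName"].lower(), process_glob.lower())
            and int(event["AccessMask"], 16) == int(access_mask, 16))

# Constructed sample events (not real logs); field names mirror the query.
DLP_EXE = r"C:\Program Files\McAfee\DLP\example_dlp_agent.exe"  # placeholder path
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x100", "ProcessName": DLP_EXE},
    {"EventID": 4656, "ObjectType": "File", "AccessMask": "0x100", "ProcessName": DLP_EXE},
    # 4656 on a registry key: must not match once the EventIDs are grouped
    {"EventID": 4656, "ObjectType": "Key", "AccessMask": "0x100", "ProcessName": DLP_EXE},
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x100",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x80", "ProcessName": DLP_EXE},
]

def flagged_events(events=SAMPLE_EVENTS):
    """Indices of the events the query would surface for triage."""
    return [i for i, ev in enumerate(events) if matches_query(ev)]

if __name__ == "__main__":
    for v in ("11.5.200", "11.6.100", "11.10.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print("flagged event indices:", flagged_events())  # [0, 1]
```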