CVE-2021-23872
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in McAfee Total Protection's File Lock component. A local user can manipulate symbolic links through the IOCTL interface to gain elevated system privileges. Only users with local access to systems running vulnerable McAfee Total Protection versions are affected.
💻 Affected Systems
- McAfee Total Protection (MTP)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/administrator privileges, enabling complete system compromise, data theft, malware persistence, and lateral movement.
Likely Case
Local user or malware with initial foothold escalates privileges to install additional malware, disable security controls, or access sensitive data.
If Mitigated
With proper patch management and least privilege principles, the impact is limited to isolated systems with no administrative access paths.
🎯 Exploit Status
Requires local access and knowledge of symbolic link manipulation techniques. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.32 or later
Vendor Advisory: http://service.mcafee.com/FAQDocument.aspx?&id=TS103146
Restart Required: Yes
Instructions:
1. Open McAfee Total Protection.
2. Navigate to Settings > General > Updates.
3. Click 'Check for Updates'.
4. Install all available updates.
5. Restart the computer when prompted.
🔧 Temporary Workarounds
Disable File Lock component
Platform: Windows. Temporarily disable the vulnerable File Lock feature until patching is possible.
Open McAfee console > Navigate to PC Security > File Lock > Turn Off
Restrict local user privileges
Platform: Windows. Implement least privilege by removing local administrative rights from standard users.
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized process execution
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the McAfee Total Protection version in the application interface, or in PowerShell with: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*McAfee Total Protection*'} | Select-Object Name, Version (note that enumerating Win32_Product is slow because it triggers a consistency check of every installed MSI package).
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*McAfee Total Protection*'} | Select-Object Version
Verify Fix Applied:
Confirm that the reported version is 16.0.32 or higher using the same version check command.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation with SYSTEM privileges from non-admin users
- File Lock component access patterns from non-trusted users
- Symbolic link creation in protected directories
Network Indicators:
- None; this is a local-only vulnerability with no network component.
SIEM Query:
EventID=4688 AND (NewProcessName LIKE '%cmd.exe%' OR NewProcessName LIKE '%powershell.exe%') AND SubjectUserName NOT IN (admin_users) AND TokenElevationType IN ('%%1936', '%%1937')
(In Event ID 4688, TokenElevationType %%1938 means a limited token; an escalated process carries a default (%%1936) or full (%%1937) token, so the original filter on %%1938 would have matched the non-elevated case instead.)
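The detection logic of the SIEM query above, run over constructed sample Event ID 4688 records, as an added Python example that is not part of the original page; the key=value event format, the admin list and the sample lines are all assumptions.

```python
import re

# Constructed sample Security log entries (Event ID 4688) in a simplified
# key=value form; these are not real captures.
SAMPLE_EVENTS = [
    "EventID=4688 SubjectUserName=alice NewProcessName=C:\\Windows\\System32\\cmd.exe TokenElevationType=%%1937",
    "EventID=4688 SubjectUserName=alice NewProcessName=C:\\Windows\\System32\\notepad.exe TokenElevationType=%%1937",
    "EventID=4688 SubjectUserName=bob NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TokenElevationType=%%1938",
    "EventID=4688 SubjectUserName=itadmin NewProcessName=C:\\Windows\\System32\\cmd.exe TokenElevationType=%%1937",
    "EventID=4624 SubjectUserName=alice LogonType=2",
    "EventID=4688 SubjectUserName=carol NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TokenElevationType=%%1936",
]

ADMIN_USERS = {"itadmin"}                      # assumed list of known admin accounts
SHELL_NAMES = ("cmd.exe", "powershell.exe")    # interactive shells the query watches
# %%1936 = TokenElevationTypeDefault, %%1937 = TokenElevationTypeFull;
# %%1938 = TokenElevationTypeLimited (a non-elevated token, so not of interest).
ELEVATED_TOKEN_TYPES = {"%%1936", "%%1937"}


def parse_event(line):
    """Split one key=value event line into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_suspicious(event, admin_users=ADMIN_USERS):
    """Apply the query: 4688, shell process, non-admin subject, elevated token."""
    if event.get("EventID") != "4688":
        return False
    proc = event.get("NewProcessName", "").lower()
    if not proc.endswith(SHELL_NAMES):
        return False
    if event.get("SubjectUserName", "").lower() in admin_users:
        return False
    return event.get("TokenElevationType") in ELEVATED_TOKEN_TYPES


def find_suspicious(lines, admin_users=ADMIN_USERS):
    """Return (user, image name) for every line the query would flag."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev, admin_users):
            hits.append((ev["SubjectUserName"], ev["NewProcessName"].rsplit("\\", 1)[-1]))
    return hits


if __name__ == "__main__":
    for user, image in find_suspicious(SAMPLE_EVENTS):
        print(f"flagged: {user} started {image} with an elevated token")
```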