CVE-2021-23873 – This vulnerability allows a local user on a Win... (How to Fix)

Q: What is the severity of CVE-2021-23873?

CVE-2021-23873 has a CVSS score of 7.8 (HIGH). This vulnerability allows a local user on a Windows system to escalate privileges to SYSTEM level and delete arbitrary files, potentially causing denial of service. It affects McAfee Total Protection (MTP) users with versions before 16.0.30. Attackers can exploit this by manipulating junction links at specific times after enumerating certain files.

📋 TL;DR

This vulnerability allows a local user on a Windows system to escalate privileges to SYSTEM level and delete arbitrary files, potentially causing denial of service. It affects McAfee Total Protection (MTP) users with versions before 16.0.30. Attackers can exploit this by manipulating junction links at specific times after enumerating certain files.

💻 Affected Systems

Products:

McAfee Total Protection (MTP)

Versions: All versions prior to 16.0.30

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires local user access to the Windows system. The vulnerability involves manipulating junction links at specific timing conditions.

📦 What is this software?

Total Protection by Mcafee

View all CVEs affecting Total Protection →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via SYSTEM privilege escalation leading to arbitrary file deletion, service disruption, and potential persistence mechanisms installation.

🟠

Likely Case

Local privilege escalation allowing attackers to delete critical system files, causing denial of service and potentially enabling further attacks.

🟢

If Mitigated

Limited impact with proper access controls and monitoring, though local users could still cause service disruption.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.

🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain SYSTEM privileges and cause significant damage.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and specific timing conditions with junction link manipulation. The vulnerability has been publicly disclosed with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.0.30 or later

Vendor Advisory: http://service.mcafee.com/FAQDocument.aspx?&id=TS103114

Restart Required: Yes

Instructions:

1. Open McAfee Total Protection. 2. Check for updates in the application. 3. Update to version 16.0.30 or later. 4. Restart the system to complete the update.

🔧 Temporary Workarounds

Restrict local user access

windows

Limit local user accounts and implement least privilege principles to reduce attack surface.

Monitor junction link creation

windows

Implement monitoring for junction link creation and manipulation in McAfee directories.

🧯 If You Can't Patch

Implement strict access controls to limit local user privileges
Monitor for suspicious file deletion activities and junction link manipulation

🔍 How to Verify

Check if Vulnerable:

Check McAfee Total Protection version in the application interface or via Windows Programs and Features. If version is below 16.0.30, the system is vulnerable.

Check Version:

Check via McAfee interface or Windows registry: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection

Verify Fix Applied:

Verify McAfee Total Protection version is 16.0.30 or higher after update and restart.

📡 Detection & Monitoring

Log Indicators:

Unusual file deletion events in SYSTEM context
Junction link creation/modification in McAfee directories
Privilege escalation attempts

Network Indicators:

Local system activity only - no network indicators

SIEM Query:

EventID=4663 AND ObjectName LIKE '%McAfee%' AND AccessMask=0x10000 AND SubjectUserName!=SYSTEM

📊 Metadata

CVE ID: CVE-2021-23873

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-59

Published: February 10, 2021

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-23873, you might also want to check these: