CVE-2021-31837

8.8 HIGH

📋 TL;DR

A memory corruption vulnerability in McAfee GetSusp's driver file component allows local programs to trigger a buffer overflow, potentially executing arbitrary code or causing a system crash (BSOD). This affects users running GetSusp versions prior to 4.0.0 on their local machines.

💻 Affected Systems

Products:
  • McAfee GetSusp
Versions: All versions prior to 4.0.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where GetSusp is installed and running. GetSusp is a free diagnostic tool for investigating suspicious files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation leading to full system compromise, arbitrary code execution with SYSTEM privileges, or persistent malware installation.

🟠 Likely Case

Local denial of service (BSOD/crash) or limited code execution in the context of the GetSusp process.

🟢 If Mitigated

No impact if GetSusp is not installed or has been updated to version 4.0.0+.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring execution on the target machine.
🏢 Internal Only: HIGH - Any user or malware with local execution capability could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local program execution and knowledge of the buffer overflow trigger. No public exploits have been reported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.0

Vendor Advisory: https://kc.mcafee.com/corporate/index?page=content&id=SB10363

Restart Required: Yes

Instructions:

1. Download GetSusp 4.0.0+ from official McAfee sources.
2. Uninstall previous GetSusp versions.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Uninstall GetSusp (Windows)

Remove the vulnerable software entirely if it is not needed:

Control Panel > Programs > Uninstall a program > Select McAfee GetSusp > Uninstall

Restrict local execution (Windows)

Implement application whitelisting to prevent unauthorized local program execution.

🧯 If You Can't Patch

  • Remove GetSusp from all systems if not essential for operations
  • Implement strict endpoint security controls and monitor for suspicious local process behavior

🔍 How to Verify

Check if Vulnerable:

Check GetSusp version: Right-click GetSusp executable > Properties > Details tab > File version

Check Version:

wmic datafile where name="C:\\Program Files\\McAfee\\GetSusp\\GetSusp.exe" get version

Verify Fix Applied:

Verify version is 4.0.0 or higher using the same method

📡 Detection & Monitoring

Log Indicators:

  • GetSusp process crashes, unexpected system reboots, GetSusp driver errors in Windows Event Logs

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

(EventID=1000 OR EventID=1001 OR EventID=41) AND ProcessName="GetSusp.exe"

The parentheses matter: without them AND binds tighter than OR, so the process filter would apply only to Event ID 41 and every Application Error (1000) and Windows Error Reporting (1001) event on the host would match. Note that Event ID 41 (Kernel-Power, unexpected reboot) carries no process name, so to catch BSODs it should be queried on its own and correlated by time with GetSusp errors.
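As an added example (not code from the advisory or from McAfee), this PowerShell script combines the version check above with the crash-event indicators: it compares the file version of GetSusp.exe against 4.0.0 and lists recent Application Error (1000) and Windows Error Reporting (1001) records that name GetSusp.exe. The install path is an assumption taken from the wmic command; the function and parameter names are mine.

```powershell
# Added example (not from the advisory or McAfee): flag a GetSusp binary below the
# fixed version and list recent GetSusp crash events from the Application log.
# The install path is an assumption; pass -ExePath if GetSusp lives elsewhere.
param(
    [string]$ExePath = 'C:\Program Files\McAfee\GetSusp\GetSusp.exe',
    [int]$LookbackDays = 7
)
$FixedVersion = [version]'4.0.0'   # first non-vulnerable release per the advisory

function Test-GetSuspVulnerable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Vulnerable = $false }
    }
    # FileVersion may carry a suffix such as "3.0.0.321 (release)"; keep the numeric prefix.
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $numeric = [regex]::Match([string]$raw, '^\d+(\.\d+)+').Value
    $parsed = $null
    if (-not [version]::TryParse($numeric, [ref]$parsed)) {
        # An unparseable version string is reported as vulnerable so it gets looked at.
        return [pscustomobject]@{ Installed = $true; Version = $raw; Vulnerable = $true }
    }
    [pscustomobject]@{ Installed = $true; Version = $parsed; Vulnerable = ($parsed -lt $FixedVersion) }
}

function Get-GetSuspCrashEvents {
    param([int]$Days)
    # Application Error (1000) and WER (1001) records name the faulting application in the message.
    # Kernel-Power 41 lives in the System log and has no process name, so it is not queried here.
    $filter = @{ LogName = 'Application'; Id = 1000, 1001; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'GetSusp\.exe' } |
        Select-Object TimeCreated, Id, ProviderName
}

$state = Test-GetSuspVulnerable -Path $ExePath
if (-not $state.Installed) {
    Write-Output "GetSusp not found at $ExePath; host is not affected by CVE-2021-31837."
} elseif ($state.Vulnerable) {
    Write-Output "GetSusp $($state.Version) is below $FixedVersion: VULNERABLE, update or remove it."
} else {
    Write-Output "GetSusp $($state.Version) is at or above $FixedVersion: fixed."
}
Get-GetSuspCrashEvents -Days $LookbackDays | Format-Table -AutoSize
```

Run it in an elevated PowerShell session if the Application log is restricted on the host; the version check itself needs only read access to the executable.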
