search menu icon-carat-right cmu-wordmark

CERT Coordination Center

McAfee VirusScan for Linux contains multiple vulnerabilities

Vulnerability Note VU#245327

Original Release Date: 2016-12-12 | Last Revised: 2016-12-13


McAfee VirusScan for Linux contains multiple vulnerabilities.


McAfee VirusScan for Linux version 2.0.3 and prior is vulnerable to the following:

CWE-200: Information Exposure - CVE-2016-8016

Multiple pages within the web interface utilize a tplt parameter. An authenticated remote attacker can manipulate the value of the tlpt parameter to produce error messages that can reveal the existence of unauthorized files on the system, if the attacker can guess the filename.

CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) - CVE-2016-8017

An authenticated remote attacker may be able to place special text elements such as "__REPLACE_THIS__" or "[%" and "%]" with special meaning to the software parser into user input such that the special element may be injected into system processes such as log readers. When the log is read, the software will read these special elements as commands and take appropriate actions. An attacker may be able to use this vulnerability to remotely read files on the webserver as the nails user.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-8018

The web interface does not make use of anti-CSRF tokens and therefore may be vulnerable to CSRF.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2016-8019

Multiple pages within the web interface utilize a tplt parameter. When tplt is set to NailsConfig.html or MonitorHost.html, parameters info:7 and info:5 contain user input and are not properly verified. An unauthenticated remote attacker may spoof the values of info:7 and info:5 to execute arbitrary JavaScript code.

CWE-94: Improper Control of Generation of Code ('Code Injection') - CVE-2016-8020

On the final page of the system scan form, the nailsd.profile.ODS_9.scannerPath variable contains the path that the system will execute to run the scan. An authenticated remote user may manipulate this value in the HTTP request to execute an arbitrary binary as the root user.

CWE-347: Improper Verification of Cryptographic Signature - CVE-2016-8021

The web interface does not properly verify the cryptographic signature of the file, allowing a remote attacker to spoof the update server and execute arbitrary code.

CWE-290: Authentication Bypass by Spoofing - CVE-2016-8022

The web interface uses an authentication cookie that embeds the users' IP address into the cookie. A remote attacker may be able to manipulate the cookie in such a way that the service believes the cookie was sent from the victim's IP address.

CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-8023

The web interface uses an authentication cookie that embeds the server start time as the DATE parameter. A remote attacker may be able to brute-force guess the server start time stored in DATE, which may lead to authentication bypass.

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') - CVE-2016-8024

A remote attacker may be able to spoof an HTTP GET request for a CSV export of the system logs with newlines encoded in the URL in such a manner that arbitrary HTTP headers may be spoofed in the server response.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2016-8025

The web interface's CSV log export functionality encodes a SQL command into the URL. A remote attacker may be able to include arbitrary SQL commands URL-encoded in an HTTP request, thereby executing SQL commands on the backend SQLite database. This database does not contain authentication information, only data about settings and previously scanned files.

For more information, please see McAfee Security Bulletin SB10181 and the researcher's blog post.

The CVSS score below is based on CVE-2016-8023. For further CVSS scoring and analysis, please see McAfee Security Bulletin SB10181.

Previously this Vulnerability Note also contained one vulnerability for the Windows platform. This issue was republished as its own VU#535111 to prevent product confusion.


A remote unauthenticated attacker may be able to read limited subsets of files and logs on the system, execute arbitrary JavaScript code in the web interface, or execute arbitrary code on the system.


Upgrade to a new product

McAfee has discontinued the VirusScan for Linux product in favor of the new McAfee Endpoint Security product, which addresses these vulnerabilities. McAfee recommends that affected users upgrade to Endpoint Security version 10.2 or later as soon as possible. The upgrade is available free of charge to existing users with current licenses.

Vendor Information


McAfee Affected

Notified:  December 05, 2016 Updated: December 12, 2016

Statement Date:   December 12, 2016



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

McAfee has released Security Bulletin SB10181 for this issue.

Vendor References

CVSS Metrics

Group Score Vector
Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal 7.3 E:POC/RL:OF/RC:C
Environmental 5.5 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Andrew Fasano for reporting these vulnerabilities to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-8016, CVE-2016-8017, CVE-2016-8018, CVE-2016-8019, CVE-2016-8020, CVE-2016-8021, CVE-2016-8022, CVE-2016-8023, CVE-2016-8024, CVE-2016-8025
Date Public: 2016-12-09
Date First Published: 2016-12-12
Date Last Updated: 2016-12-13 20:37 UTC
Document Revision: 65

Sponsored by CISA.