Privilege Escalation vulnerability in McAfee Total Protection (MTP)

Vulnerability

A privilege escalation vulnerability exists in McAfee Total Protection (MTP) for Microsoft Windows prior to version 16.0.29. The flaw lies in the software's handling of junctions; by creating a junction link, a local attacker can abuse the product to overwrite the contents of a chosen file during a small timing window where protection is lacking. Exploitation requires the ability to execute low-privileged code on the target system. [1]

Exploitation

An attacker must first gain a foothold on the target system and be able to execute code with low privileges. The exploit involves careful manipulation of a folder by creating a junction link, exploiting a lack of protection through a timing issue. The attack is only exploitable in a small time window. The specific sequence includes creating a junction to redirect file operations, thereby overwriting a protected file during the race window. [1]

Impact

Successful exploitation allows an attacker to escalate privileges and execute arbitrary code in the context of the SYSTEM account, leading to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS v3.1 base score is 7.0 (High) with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. [1]

Mitigation

McAfee addressed this vulnerability in Total Protection version 16.0.29. Users should update to this version or later. If upgrading is not immediately possible, restrict local access to trusted users only. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing. [1]