McAfee Total Protection (MTP) privilege escalation vulnerability
Description
Local privilege escalation in McAfee Total Protection before 16.0.30 allows arbitrary file deletion as SYSTEM via a directory junction attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A privilege escalation vulnerability exists in McAfee Total Protection (MTP) prior to version 16.0.30. The flaw resides in the implementation of the QuickClean feature. By creating a directory junction, an attacker can abuse QuickClean to delete arbitrary files as the SYSTEM user, potentially causing a denial-of-service condition [1]. The attack requires low-privileged code execution on the target system.
Exploitation
An attacker must first obtain the ability to execute low-privileged code on the target system. The attacker then manipulates a junction link at a specific time after enumerating certain files to trigger the vulnerability. The specific flaw allows the QuickClean feature to follow the junction to a target file or location, causing deletion of that file under the SYSTEM account context [1].
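The enumerate-then-delete race described above, shown from the defender's side as an added example (not McAfee's code, and not taken from the advisory). It generalizes to POSIX, using a symlink as the analogue of an NTFS directory junction; the function names and the two-level directory layout are assumptions made for illustration.

```python
import os
import stat

# Open directories only, and never through a link (POSIX analogue of
# refusing to traverse a reparse point).
_DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def enumerate_files(root):
    """Step 1 (enumeration): list (subdir, name) for entries one level below root."""
    found = []
    for sub in sorted(os.listdir(root)):
        sub_path = os.path.join(root, sub)
        if os.path.isdir(sub_path) and not os.path.islink(sub_path):
            found.extend((sub, name) for name in sorted(os.listdir(sub_path)))
    return found


def delete_enumerated(root, entries):
    """Step 2 (deletion): remove entries relative to directory handles.

    A subdirectory swapped for a link after enumeration fails to open under
    O_NOFOLLOW, so its entries are skipped instead of deleted through the link.
    Returns (deleted, skipped) lists of (subdir, name).
    """
    deleted, skipped = [], []
    root_fd = os.open(root, _DIR_FLAGS)
    try:
        for sub, name in entries:
            try:
                sub_fd = os.open(sub, _DIR_FLAGS, dir_fd=root_fd)
            except OSError:  # now a link, not a directory, or gone
                skipped.append((sub, name))
                continue
            try:
                st = os.stat(name, dir_fd=sub_fd, follow_symlinks=False)
                if not stat.S_ISREG(st.st_mode):
                    raise OSError("not a regular file")
                os.unlink(name, dir_fd=sub_fd)  # resolved against the handle
                deleted.append((sub, name))
            except OSError:
                skipped.append((sub, name))
            finally:
                os.close(sub_fd)
    finally:
        os.close(root_fd)
    return deleted, skipped
```

A path-based `os.remove(os.path.join(root, sub, name))` in step 2 would re-resolve `sub` at deletion time and follow whatever had replaced it since enumeration.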
Impact
Successful exploitation allows a local attacker to delete arbitrary files as the SYSTEM user. This can lead to a denial-of-service condition on the system, potentially rendering the system unstable or unusable. The vulnerability does not directly allow information disclosure or remote code execution, but the file deletion impact is severe [1].
Mitigation
McAfee has released version 16.0.30 of Total Protection to address this vulnerability. Users should update to the latest version. No workarounds are documented. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <16.0.30
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- service.mcafee.com/FAQDocument.aspx (mitre, x_refsource_CONFIRM)
- www.zerodayinitiative.com/advisories/ZDI-21-175/ (mitre, x_refsource_MISC)