CVE-2016-3984

moderate-risk
Published 2016-04-08

The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) before 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control (MDC) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Endpoint Security (ENS) 10.x before 10.1, Host Intrusion Prevention Service (IPS) 8.0 before 8.0.0.3624, and VirusScan Enterprise (VSE) 8.8 before P7 (8.8.0.1528) on Windows allows local administrators to bypass intended self-protection rules and disable the antivirus engine by modifying registry keys.

Do I need to act?

-
0.29% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
39531
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.1/10 Medium
LOCAL / LOW complexity

Affected Products (8)

Data Loss Prevention Endpoint
Host Intrusion Prevention
Active Response
Data Exchange Layer
Data Loss Prevention Endpoint

Affected Vendors

Mcafee

References (10)

Exploit http://lab.mediaservice.net/advisory/2016-01-mcafee.txt
http://seclists.org/fulldisclosure/2016/Mar/13
http://www.securitytracker.com/id/1035130
Vendor Advisory https://kc.mcafee.com/corporate/index?page=content&id=SB10151
Exploit https://www.exploit-db.com/exploits/39531/
Exploit http://lab.mediaservice.net/advisory/2016-01-mcafee.txt
http://seclists.org/fulldisclosure/2016/Mar/13
http://www.securitytracker.com/id/1035130
Vendor Advisory https://kc.mcafee.com/corporate/index?page=content&id=SB10151
Exploit https://www.exploit-db.com/exploits/39531/
32
/ 100
moderate-risk
Severity 17/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 14/34 · Moderate