Technical Advisory – NULL Pointer Dereference in McAfee Drive Encryption (CVE-2021-23893)
Vendor: McAfee
Vendor URL: https://kc.mcafee.com/corporate/index?page=content id=sb10361
Versions affected: Prior to 7.3.0 HF1
Systems Affected: Windows OSs without NULL page protection
Author: Balazs Bucsay <balazs.bucsay[ at ]nccgroup[.dot.]com> @xoreipeip
CVE Identifier: CVE-2021-23893
Risk: 8.8 - CWE-269: Improper Privilege Management
McAfee’s Complete Data Protection package contained the Drive Encryption (DE) software. This software was used to transparently encrypt the drive contents. The versions prior to 7.3.0 HF1 had a vulnerability in the kernel driver MfeEpePC.sys that could be exploited on certain Windows systems for privilege escalation or DoS.
Privilege Escalation vulnerability in a Windows system driver of McAfee Drive Encryption (DE) prior to 7.3.0 could allow a local non-admin user to gain elevated system privileges via exploiting an unutilized memory buffer.
The Drive Encryption software’s kernel driver was loaded into the kernel at boot time, and certain IOCTLs were available to low-privileged users.
One of the available IOCTLs referenced an event that was set to NULL before initialization. If the IOCTL was called at the right time, the procedure used NULL as the event pointer and referenced the non-existent structure on the NULL page.
If the user mapped the NULL page and created a fake structure there that mimicked a real Event structure, it was possible to manipulate certain regions of memory and eventually execute code in the kernel.
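The bug class described above, as an added user-mode model in C that is not code from MfeEpePC.sys or from the advisory: an IOCTL-style handler that uses the event pointer unchecked, beside a hardened form that refuses requests until initialization has published the event. All type, function and status names are hypothetical.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Hypothetical names throughout: a user-mode model, not the driver's code. */
enum status { ST_OK, ST_NOT_READY, ST_BAD_OBJECT };
#define EVENT_TAG 0x544E5645u            /* constructed marker value */

struct event { unsigned tag; int signaled; };

struct dev_ctx {
    _Atomic(struct event *) evt;         /* NULL until initialization ends */
};

/* Driver load: the handler is already reachable, the event is not set up. */
void ctx_load(struct dev_ctx *c) { atomic_init(&c->evt, NULL); }

/* Initialization: fill in the object first, publish the pointer last. */
void ctx_finish_init(struct dev_ctx *c, struct event *e)
{
    e->tag = EVENT_TAG;
    e->signaled = 0;
    atomic_store_explicit(&c->evt, e, memory_order_release);
}

/* Unchecked pattern: a call that arrives before ctx_finish_init()
 * dereferences address 0. */
enum status ioctl_unchecked(struct dev_ctx *c)
{
    struct event *e = atomic_load_explicit(&c->evt, memory_order_relaxed);
    e->signaled = 1;
    return ST_OK;
}

/* Hardened pattern: take one snapshot of the pointer and fail closed. */
enum status ioctl_hardened(struct dev_ctx *c)
{
    struct event *e = atomic_load_explicit(&c->evt, memory_order_acquire);
    if (e == NULL)
        return ST_NOT_READY;             /* request raced initialization */
    /* Catches an object that never went through initialization; this
     * is a sanity check, not a defense against a crafted structure. */
    if (e->tag != EVENT_TAG)
        return ST_BAD_OBJECT;
    e->signaled = 1;
    return ST_OK;
}
```

The NULL check removes the dependency on the operating system's NULL page protection, which is the condition that decides whether a system is affected.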
Install or update Disk Encryption 7.3.0 HF1, which has this vulnerability fixed.
February 24, 2021: Vulnerability was reported to McAfee
March 9, 2021: McAfee was able to reproduce the crash with the originally provided DoS exploit
October 1, 2021: McAfee released the new version of DE, which fixes the issue
Thanks to Cedric Halbronn for his support during the development of the exploit.
Published date: October 4, 2021
Written by: Balazs Bucsay