CVE-2020-7255 : Privilege escalation vulnerability in the administrative user interface in McAfe

Privilege escalation vulnerability in the administrative user interface in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows local users to gain elevated privileges via ENS not checking user permissions when editing configuration in the ENS client interface. Administrators can lock the ENS client interface through ePO to prevent users being able to edit the configuration.

Published 2020-04-15 13:15:13

Updated 2020-04-21 17:18:49

Source McAfee (DEFUNCT)

View at NVD, CVE.org

Vulnerability category: Gain privilege

Products affected by CVE-2020-7255

Mcafee » Endpoint Security » Version: 10.5.0 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.0:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.5.1 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.1:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.5.2 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.2:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.5.3 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.3:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.5.4 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.4:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.5.5 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.5.5:*:*:*:*:windows:*:*
Matching versions
Mcafee » Endpoint Security » Version: 10.6.0 For Windows
cpe:2.3:a:mcafee:endpoint_security:10.6.0:*:*:*:*:windows:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-7255

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 6 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7255

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.6	LOW	AV:L/AC:L/Au:N/C:N/I:P/A:P	3.9	4.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
4.4	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	1.8	2.5	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: Low
3.9	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L	0.8	2.7	McAfee (DEFUNCT)
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: None Integrity: Low Availability: Low

CWE ids for CVE-2020-7255

CWE-264

Assigned by: psirt@mcafee.com (Secondary)
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-7255

https://kc.mcafee.com/corporate/index?page=content&id=SB10309

McAfee Security Bulletin - Endpoint Security for Windows update fixes multiple vulnerabilities (CVE-2020-7250, CVE-2020-7255, CVE-2020-7257, CVE-2020-7259, CVE-2020-7261, CVE-2020-7273, CVE-2020-7274,
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-7255

Products affected by CVE-2020-7255

Exploit prediction scoring system (EPSS) score for CVE-2020-7255

CVSS scores for CVE-2020-7255

CWE ids for CVE-2020-7255

References for CVE-2020-7255