CVE-2020-7280 : Privilege Escalation vulnerability during daily DAT updates when using McAfee Vi

Privilege Escalation vulnerability during daily DAT updates when using McAfee Virus Scan Enterprise (VSE) prior to 8.8 Patch 15 allows local users to cause the deletion and creation of files they would not normally have permission to through altering the target of symbolic links. This is timing dependent.

Published 2020-06-10 12:15:11

Updated 2020-06-17 16:24:46

Source McAfee (DEFUNCT)

View at NVD, CVE.org

Vulnerability category: Gain privilege

Products affected by CVE-2020-7280

Mcafee » Virusscan Enterprise » Version: 8.8 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:-:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch1 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch1:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch10 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch10:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch11 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch11:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch12 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch12:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch13 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch13:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch2 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch2:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch3 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch3:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch4 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch4:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch5 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch5:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch6 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch6:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch7 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch7:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch8 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch8:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch9 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch9:*:*:*:windows:*:*
Matching versions
Mcafee » Virusscan Enterprise » Version: 8.8 Update Patch14 For Windows
cpe:2.3:a:mcafee:virusscan_enterprise:8.8:patch14:*:*:*:windows:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-7280

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 10 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7280

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	McAfee (DEFUNCT)
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-7280

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Assigned by:
- nvd@nist.gov (Primary)
- psirt@mcafee.com (Secondary)

References for CVE-2020-7280

https://www.zerodayinitiative.com/advisories/ZDI-20-702/

ZDI-20-702 | Zero Day Initiative
Third Party Advisory;VDB Entry
https://kc.mcafee.com/corporate/index?page=content&id=SB10302

McAfee Security Bulletin - VirusScan Enterprise update fixes three vulnerabilities (CVE-2019-3585, CVE-2019-3588, and CVE-2020-7280)
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-7280

Products affected by CVE-2020-7280

Exploit prediction scoring system (EPSS) score for CVE-2020-7280

CVSS scores for CVE-2020-7280

CWE ids for CVE-2020-7280

References for CVE-2020-7280