#VU12533 Privilege escalation in McAfee VirusScan


Published: 2018-05-10 | Updated: 2018-05-10

Vulnerability identifier: #VU12533

Vulnerability risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6674

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
McAfee VirusScan
Client/Desktop applications / Antivirus software/Personal firewalls

Vendor: McAfee

Description
The vulnerability allows an authenticated attacker with physical access to obtain potentially sensitive information and gain elevated privileges on the target system.

The weakness exists because VSE might spawn a process that inherits the parent's privileges when the McTray.exe process runs with elevated privileges. An attacker with physical access can gain access to potentially sensitive information and gain root privileges.

Mitigation
Update to version 8.8 Patch 11.

Vulnerable software versions

McAfee VirusScan: 8.8 - 8.8 Patch 10


External links
http://kc.mcafee.com/corporate/index?page=content&id=SB10237


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system to successfully exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

