McAfee has issued patches for ten flaws in its enterprise version of VirusScan for Linux that allow attackers to remotely take over a system, after originally being notified of the security holes six months ago.
Security researcher Andrew Fasano from MIT Lincoln Laboratory said that, chained together, the 10 security flaws allow remote code execution as the root user.
“At a first glance, Intel’s McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it’s not particularly popular, and it looks like it hasn’t been updated in a long time,” he explained.
Four of the flaws are deemed critical. Attackers can exploit CVE-2016-8020, CVE-2016-8021, CVE-2016-8022, and CVE-2016-8023 to escalate their privileges to root and remotely force the target machine to run malicious scripts.
The six additional flaws involve a cross-site scripting vulnerability, file-existence and file-read bugs, HTTP response splitting, token forgery, and an authenticated SQL injection.
All of these vulnerabilities have been confirmed in versions 1.9.2 through 2.0.2, so administrators of affected Linux systems are advised to update to the latest release, which McAfee shipped this month.