Leading data loss prevention (DLP) vendor Trellix is urging customers to patch a high-severity flaw that allows local attackers to bypass restrictions and exfiltrate sensitive data they wouldn’t otherwise have access to.
The flaw (CVE-2023-0400) impacts Windows versions of Trellix DLP (11.9.x), released in August 2022. Customers are urged to upgrade to Trellix DLP for Windows 11.10.0, which mitigates the flaw.
Security researchers warn that the bug, which NIST rated 8.2, or "high," severity, is not an easy one to patch, increasing the odds that security teams might overlook the fix.
While NIST rates the bug as high, Trellix believes the flaw poses less of a threat and rates it "medium severity." Trellix's primary reasoning is that the vulnerability is only exploitable during installation of the product.
Mike Parkin, senior technical engineer at Vulcan Cyber, said that while he believed exploitation of the bug was unlikely, he urged organizations that use DLP to prioritize installing the patch. "I don't want to over-state the issue, but it's not a zero-risk vulnerability," he said.
“In the very rare circumstances where this vulnerability could be exploited, it could effectively bypass DLP protections and let an attacker export valuable data,” he said.
To exploit this vulnerability, Trellix wrote, the adversary must have the ability to map a network drive to their local machine. Additionally, the attacker would need permission to either access data already on the mapped drive or copy data to the mapped drive, according to a Trellix description of the flaw.
Trellix, formed last year out of McAfee Enterprise and FireEye, owns nearly a 12% market share of the $1.8 billion DLP products market and does business with some 40,000 business and government customers.
Phil Neray, vice president of cyber defense strategy at CardinalOps, confirmed the fix is not as straightforward as IT staff would hope. Neray, who walked SC Media through the Trellix documentation Monday, said it looked like admins would have to upgrade multiple appliances and add certificates as well.
The flaw is tied to Trellix's use of a third-party Advanced Installer library, made by tool maker Caphyon. Trellix outlined the technical specifics of the flaw as follows:
“The attack required an attacker to place a malicious file named decoder.dll in a specific temp directory (C:\Windows\Temp\McAfee\McAfee DLP Endpoint\install\) and change the permissions so the Administrator and SYSTEM users weren't permitted to remove it. The DLP for Windows installation process would fail to replace the malicious file with the one it required and would continue the installation process using the malicious file. This would result in the malicious DLL's code being executed with system privileges,” Trellix wrote.
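A pre-upgrade hygiene check an administrator could run before starting the 11.10.0 install, written here as an added example and not Trellix's own tooling. It uses only the staging directory and file name quoted in the advisory above; the rule that a DLL already present in that directory, or one carrying a Deny-Delete entry for Administrators or SYSTEM, is worth investigating is this example's assumption.

```powershell
# Added example (not Trellix code): inspect the installer staging directory
# named in the advisory for pre-planted DLLs before running the upgrade.
$stageDir = 'C:\Windows\Temp\McAfee\McAfee DLP Endpoint\install'
$deleteRight = [int][System.Security.AccessControl.FileSystemRights]::Delete
$privileged = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-DlpStagingDir {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        return $findings   # nothing staged yet; the installer will create it
    }
    # Assumption: the installer writes its own DLLs, so any DLL that exists
    # before it runs was placed by someone else and deserves a look.
    foreach ($f in Get-ChildItem -LiteralPath $Path -Filter *.dll -File) {
        $acl = Get-Acl -LiteralPath $f.FullName
        # An explicit Deny entry that strips Delete from Administrators or
        # SYSTEM is the condition the advisory describes.
        $denies = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (([int]$_.FileSystemRights -band $deleteRight) -ne 0) -and
            ($_.IdentityReference.Value -in $privileged)
        }
        $findings += [pscustomobject]@{
            File       = $f.FullName
            Owner      = $acl.Owner
            DenyDelete = [bool]$denies
            Sha256     = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
    return $findings
}

$results = @(Test-DlpStagingDir -Path $stageDir)
if ($results.Count -eq 0) {
    Write-Output "No pre-staged DLLs in $stageDir; proceed with the upgrade."
} else {
    $results | Format-Table -AutoSize
    Write-Warning 'Pre-existing DLLs found in the staging directory; review before upgrading.'
}
```

Run it from an elevated session so Get-Acl can read the ACLs; a hit on decoder.dll with DenyDelete set to True matches the scenario described in the advisory and should be handled as an incident rather than simply deleted.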