Trellix is urging customers to patch a high-severity flaw that allows local attackers to bypass restrictions and exfiltrate sensitive data.
The flaw, tracked as CVE-2023-0400 with a CVSS score of 8.2, impacts the Windows versions of Trellix DLP (11.9.x) released in August 2022. Customers are urged to upgrade to Trellix for Windows 11.10.0, which mitigates the flaw.
Though the CVSS rating is high, Trellix considers the flaw less of a threat and rates it medium severity. The primary reasoning for Trellix's rating is that the vulnerability is only exploitable during installation of the product.
To exploit the vulnerability, threat actors must have the ability to map a network drive to their local machine. Additionally, the attacker would need permission to either access data already on the mapped drive or copy data to the mapped drive, according to a Trellix description of the flaw.
The flaw is tied to Trellix’s use of a third-party Advanced Installer library, made by tool maker Caphyon. The technical specifics of the flaw are outlined by Trellix.
The attack requires an attacker to place a malicious file named decoder.dll in a specific temp directory (C:\Windows\Temp\McAfee\McAfee DLP Endpoint\install\) and change its permissions so that the Administrator and SYSTEM users are not permitted to remove it. The DLP for Windows installation process would then fail to replace the malicious file with the one it requires and would continue the installation using the malicious file. This would result in the malicious DLL's code being executed with system privileges, according to the Trellix advisory.
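As an added example (not from the article or from Trellix), the following PowerShell check is one an administrator could run on a host before launching the 11.9.x installer. The directory and file name are the ones quoted above; treating a Deny ACE that strips Delete from Administrators or SYSTEM as the marker of the precondition is an assumption about how the described permission change would appear on disk.

```powershell
# Added example, not Trellix code: audit the staging directory named in the
# advisory for a pre-planted decoder.dll before the DLP 11.9.x installer runs.
# Assumptions: run elevated; the path is the one quoted in the article.
$StagingDir = 'C:\Windows\Temp\McAfee\McAfee DLP Endpoint\install'
$Target     = Join-Path $StagingDir 'decoder.dll'

if (-not (Test-Path -LiteralPath $Target)) {
    Write-Output "OK: no pre-existing decoder.dll in $StagingDir"
    return
}

$item = Get-Item -LiteralPath $Target
$acl  = Get-Acl -LiteralPath $Target

# The described precondition is a file that Administrators and SYSTEM cannot
# remove: look for Deny entries that cover the Delete right for either principal.
# (A deny on FullControl also covers Delete, which the -band test catches.)
$deleteRight = [System.Security.AccessControl.FileSystemRights]::Delete
$denyEntries = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    (($_.FileSystemRights -band $deleteRight) -eq $deleteRight) -and
    ($_.IdentityReference.Value -in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'))
})

# Summarise what was found so the result can be logged or forwarded.
[PSCustomObject]@{
    Path       = $Target
    Owner      = $acl.Owner
    SizeBytes  = $item.Length
    SHA256     = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    Signature  = (Get-AuthenticodeSignature -LiteralPath $Target).Status
    DenyDelete = ($denyEntries.Count -gt 0)
}

if ($denyEntries.Count -gt 0) {
    Write-Warning "decoder.dll is present and Delete is denied to Administrators/SYSTEM; this matches the CVE-2023-0400 precondition. Investigate before installing."
} else {
    Write-Warning "Unexpected decoder.dll present in $StagingDir; verify its origin before installing."
}
```

Any file already sitting in that directory before the installer starts is worth explaining, even without the Deny entry, since the installer is expected to create it itself.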