Vulnerabilities in McAfee Agent allows privilege escalation and code execution as Windows SYSTEM

Sicherheit (Pexels, allgemeine Nutzung)[German]McAfee Agent for Windows is vulnerable to privilege escalation due to a serious vulnerability, allowing program code to execute with Windows SYSTEM privileges. The vendor has since corrected the CVE-2022-0166 vulnerability, which was introduced into products such as McAfee Endpoint Security via an OpenSSL component. The same is true for the second code injection vulnerability, CVE-2021-31854.


Advertising

The CERT Coordination Center at Carnegie Mellon University described this vulnerability CVE-2022-0166, discovered by Will Dormann, on Jan. 20, 2022, here.

CVE-2022-0166 in McAfee Agent

The McAfee Agent that ships with various McAfee products, such as McAfee Endpoint Security, includes an OpenSSL component. This OpenSLL component specifies an OPENSSLDIR variable as a subdirectory that can be written to and manipulated by an unprivileged user on Windows.

The McAfee Agent, on the other hand, contains a privileged service that uses this OpenSSL component. A user who can place a specially crafted openssl.cnf file in a suitable path may be able to execute arbitrary code with SYSTEM privileges.

This vulnerability is fixed in McAfee Agent version 5.7.5. Mc Afee has published this security advisory about it, which even calls a second vulnerability CVE-2021-31854 (reported by Russell Wells/Cyberlinx Security) fixed, in addition to CVE-2022-0166. The2nd vulnerability allows command injection in McAfee Agent (MA) for Windows prior to version 5.7.5, which allows local users to inject arbitrary shell code into the cleanup.exe file.


Advertising

The malicious file clean.exe is dropped in the appropriate folder and executed by running the McAfee Agent deployment function in the system tree. An attacker can exploit the vulnerability to obtain a reverse shell that can lead to privilege escalation to gain root privileges.

On January 18, 2022, Mc Afee made McAfee Agent version 5.7.5 available on the Enterprise product download page to address the above vulnerabilities. However, access requires an ID. See this Mc Afee security advisory for more details. (via Bleeping Computer)


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Software, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.