McAfee Total Protection had a vulnerability (CVE-2022-43751) that allowed Windows privilege escalation. The cause was the use of the OpenSSL variable OPENSSLDIR. McAfee issued a security alert in late October 2022 pointing out the vulnerability, which has since been closed via an update to McAfee Total Protection.
The topic passed me by a bit until I became aware of the following message from Will Dormann on Twitter.
Dormann points out that the use of the OpenSSL variable OPENSSLDIR allowed a Windows privilege escalation. This error has appeared again and again. McAfee published a security bulletin on October 31, 2022, regarding a vulnerability in the search path element. The vulnerability, CVE-2022-43751, could allow an attacker to gain access to the device running the vulnerable software or other connected devices.
McAfee Total Protection prior to version 16.0.49 is affected, with the vulnerability receiving a CVSSv3.1 score of 5.6. McAfee has promptly released an update to version 16.0.49 that closes this vulnerability. This update should have been automatically distributed to the affected target systems.
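Since the root cause is a compiled-in OPENSSLDIR value, the following audit sketch pulls that value out of a binary and flags it for review when it does not sit under a directory that standard users cannot write to. It is an added example, not McAfee's or OpenSSL's code; the list of protected roots, the function names and the sample byte strings are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# OpenSSL embeds its compiled-in default directory as the string: OPENSSLDIR: "<path>"
OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"\x00]{1,260})"')

# Assumption: roots that standard users cannot write to on a default Windows install.
PROTECTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

# Constructed sample data standing in for the contents of a libcrypto DLL.
SAMPLE_UNIX_STYLE = b"\x00\x00" + rb'OPENSSLDIR: "/usr/local/ssl"' + b"\x00"
SAMPLE_PROTECTED = b"\x00" + rb'OPENSSLDIR: "C:\Program Files\Common Files\SSL"' + b"\x00"

def extract_openssldir(blob: bytes) -> list:
    """Return every distinct compiled-in OPENSSLDIR value found in a binary image."""
    return sorted({m.decode("utf-8", "replace") for m in OPENSSLDIR_RE.findall(blob)})

def is_protected(path: str) -> bool:
    """True only for an absolute drive path at or below one of PROTECTED_ROOTS."""
    p = PureWindowsPath(path.replace("/", "\\"))
    # A path without a drive letter (e.g. /usr/local/ssl) resolves against the
    # current drive on Windows, so it is never treated as protected here.
    if not p.drive or not p.root or ".." in p.parts:
        return False
    for root in PROTECTED_ROOTS:
        r = PureWindowsPath(root)  # PureWindowsPath compares case-insensitively
        if p == r or r in p.parents:
            return True
    return False

def audit(blob: bytes) -> list:
    """Pair each OPENSSLDIR value with 'ok' or 'review'."""
    return [(d, "ok" if is_protected(d) else "review") for d in extract_openssldir(blob)]

if __name__ == "__main__":
    import sys
    # Usage: python audit_openssldir.py path\to\libcrypto*.dll ...
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            for value, verdict in audit(fh.read()):
                print(f"{verdict:6} {name}: OPENSSLDIR={value}")
```

A "review" result means the directory's location and ACLs should be checked on the affected machine; the script only classifies the path string and does not read file system permissions.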