McAfee Agent software for Windows was found to be vulnerable to running arbitrary code with SYSTEM privileges


A vulnerability in McAfee Agent software for Windows, identified as CVE-2022-0166, has been patched by McAfee (now Trellix). An attacker can use this issue to gain elevated privileges and run arbitrary code as SYSTEM.

As part of McAfee ePolicy Orchestrator (McAfee ePO), the McAfee Agent distributes and enforces policies, and executes client-side tasks such as deployment and updating. As well as uploading events, the Agent also provides additional data about the status of all the systems in your network. It must be installed on all the machines you wish to manage.

Will Dormann, a vulnerability analyst at CERT/CC, discovered CVE-2022-0166.

The advisory published by McAfee states: “McAfee Agent before 5.7.5 is vulnerable to a privilege escalation vulnerability. Throughout the building process, McAfee Agent uses OPENSSLDIR as a subdirectory within the installation directory to specify the OPENSSLDIR variable, which can lead to privilege escalation. By creating the appropriate pathway to the malicious openssl.cnf file, a user with low privileges could have created subdirectories and executed arbitrary code with SYSTEM privileges.”

As of January 18, McAfee Agent 5.7.5 addressed the vulnerability, which allowed unprivileged attackers to execute code using the NT AUTHORITY\SYSTEM account. Vulnerable versions of McAfee Agent can execute arbitrary code with SYSTEM privileges if a specially crafted openssl.cnf file is placed in a location used by the agent software.

CERT/CC issued an advisory on this subject: “McAfee Agent software that is vulnerable to this attack can run malicious code with SYSTEM privileges if a specially crafted openssl.cnf file is placed in a location used by the software.” Although this vulnerability can only be exploited locally, experts warn that it may be combined with other vulnerabilities to compromise a system and elevate permissions to carry out more malicious activities.
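For defenders auditing a host for this class of issue, the following added example (not code from McAfee, Trellix or CERT/CC) extracts the build-time OPENSSLDIR string that OpenSSL embeds in libcrypto and reports how much of that path exists, so the ACL on the right directory can be reviewed. The sample bytes and the path inside them are constructed placeholders, not the agent's real value, and the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# libcrypto embeds its build-time config directory as: OPENSSLDIR: "<path>"
OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"\x00]{1,260})"')

# Constructed sample bytes standing in for a DLL's string table (not real agent data).
SAMPLE_BLOB = (b"\x00ENGINESDIR: \"C:\\constructed-build\\agent\\engines\"\x00"
               b"OPENSSLDIR: \"C:\\constructed-build\\agent\\ssl\"\x00")


def extract_openssldirs(blob: bytes) -> list:
    """Return every distinct OPENSSLDIR value embedded in a binary image."""
    found = []
    for match in OPENSSLDIR_RE.finditer(blob):
        value = match.group(1).decode("ascii", errors="replace")
        if value not in found:
            found.append(value)
    return found


def audit_openssldir(openssldir: str, exists) -> dict:
    """Split OPENSSLDIR into the part that exists and the part that is missing.

    `exists` is a callable (str -> bool); pass os.path.isdir on the audited host.
    """
    path = PureWindowsPath(openssldir)
    chain = [path, *path.parents]  # deepest directory first, drive root last
    anchor = next((p for p in chain if exists(str(p))), None)
    missing = list(path.parts if anchor is None else path.relative_to(anchor).parts)
    return {
        "config": str(path / "openssl.cnf"),
        "existing_ancestor": None if anchor is None else str(anchor),
        "missing_components": missing,
        # Incomplete path: the ACL on existing_ancestor decides who may create the
        # rest. Complete path: the ACL on OPENSSLDIR itself decides who may place
        # openssl.cnf. Either way, review that directory (for example with icacls).
        "path_incomplete": bool(missing),
    }


if __name__ == "__main__":
    for d in extract_openssldirs(SAMPLE_BLOB):
        # Pretend only the drive root exists, as on a host without the build tree.
        print(audit_openssldir(d, lambda p: p == "C:\\"))
```

To audit a real file, pass its bytes to `extract_openssldirs` and use `os.path.isdir` as the `exists` callable on the host being checked.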

An attacker could exploit the CVE-2021-31854 command injection vulnerability in McAfee Agent for Windows before 5.7.5 to inject arbitrary shellcode into cleanup.exe. McAfee has addressed this vulnerability as well. According to the advisory, “By running McAfee Agent deployment feature located in the System Tree, the malicious clean.exe file is placed in the relevant folder and executed. An attacker might be able to take advantage of this vulnerability to obtain a reverse shell, which could lead to privilege escalation.”
