A bug in McAfee Agent allows running code with Windows SYSTEM privileges

McAfee addressed a security flaw in its McAfee Agent software for Windows that allows running arbitrary code with SYSTEM privileges.

McAfee (now Trellix) has addressed a high-severity vulnerability, tracked as CVE-2022-0166, that resides in McAfee Agent software for Windows. An attacker can exploit this flaw to escalate privileges and execute arbitrary code with SYSTEM privileges.

The McAfee Agent is the distributed component of McAfee ePolicy Orchestrator (McAfee ePO). It downloads and enforces policies, and executes client-side tasks such as deployment and updating. The Agent also uploads events and provides additional data regarding each system’s status. It must be installed on each system in your network that you wish to manage.

The CVE-2022-0166 flaw was discovered by CERT/CC vulnerability analyst Will Dormann.

“A privilege escalation vulnerability in the McAfee Agent prior to 5.7.5. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory.” reads the advisory published by McAfee. “A low privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate pathway to the specifically created malicious openssl.cnf file.”

The security firm addressed the vulnerability with the release of McAfee Agent 5.7.5 on January 18.

The issue affects Agent versions prior of 5.7.5 and allows unprivileged attackers to run code using NT AUTHORITY\SYSTEM account privileges.

An unprivileged user can place a specially-crafted openssl.cnf in a location used by McAfee Agent, to execute arbitrary code with SYSTEM privileges on a Windows system running a vulnerable version of the agent software.

“By placing a specially-crafted openssl.cnf in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed.” reads the advisory published by CERT/CC.

The vulnerability is only exploitable locally, anyway, experts warn that this issue could be chained with other issues to compromise the target system and elevate permissions to carry out additional malicious activities.

McAfee also addressed a command Injection vulnerability, tracked as CVE-2021-31854, in software Agent for Windows prior to 5.7.5. An attacker could exploit this vulnerability to inject arbitrary shell code into the file cleanup.exe.

“The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges.” states the advisory.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, McAfee)

[adrotate banner=”5″]

[adrotate banner=”13″]