McAfee has patched two critical bugs in its Agent component, one of which allows attackers to execute arbitrary code with SYSTEM privileges


Image Source: Bleeping Computer

McAfee has patched two high-severity vulnerabilities in a component of its McAfee Enterprise product that attackers can exploit to gain SYSTEM-level privileges.

According to McAfee’s bulletin, the bugs exist in versions of McAfee Agent prior to 5.7.5, which is used in McAfee Endpoint Security and other McAfee products.

The McAfee ePolicy Orchestrator (McAfee ePO) Agent is the component that downloads and enforces policies as well as performs client-side tasks such as deployment and updating. The McAfee Agent is also the component that uploads events and provides additional information about the status of each system. The Agent, which also instals and updates endpoint products and collects and sends event information to the McAfee ePO server on a regular basis, is a required install on any network system that needs to be managed.

Will Dormann of Carnegie Mellon University’s CERT Coordination Center (CERT/CC) discovered one of the Agent flaws, CVE-2022-0166, with a CVSS base criticality rating of 7.8. The vulnerability was discovered in an OpenSSL component in Agent that specifies an OPENSSLDIR variable as a subdirectory that “[may] be controllable by an unprivileged user on Windows,” according to an advisory published on 20th , Thursday by CERT/CC.

The advisory states that McAfee Agent “contains a privileged service that uses this OpenSSL component. A user with SYSTEM privileges who can place a specially crafted openssl.cnf file in an appropriate path may be able to achieve arbitrary code execution.

Dormann discovered that an unprivileged user could exploit the flaw to place a specially crafted openssl.cnf in a location used by McAfee Agent, potentially allowing them to execute arbitrary code with SYSTEM privileges on a Windows system running the vulnerable McAfee Agent software.

Image Source: Business Telegraph

Dormann was referring to an OpenSSL configuration file when he mentioned an openssl.cnf: a file that provides SSL defaults for items such as certificate file locations and site details such as those entered during installation.

Threat actors can paw at resources that should normally be locked safely away by exploiting privilege-escalation bugs. Attackers can use those elevated privileges to steal sensitive data, run administrative commands, read files from the file system, and deploy malware, as well as possibly evade detection during attacks.


Please enter your comment!
Please enter your name here