A vulnerability in McAfee Agent allows programs to run with SYSTEM privileges on Windows

McAfee has fixed two security vulnerabilities in its McAfee Agent software for Windows that allowed arbitrary code to be run with SYSTEM privileges.

McAfee Agent is the client-side component of McAfee's ePolicy Orchestrator (ePO): it reports data and status from managed machines and enforces ePO policies on them. Earlier this week the company issued a security bulletin covering two CVEs that affect earlier versions of the Agent, and published an updated Agent release that fixes both. Both issues are rated high severity.

The two high-severity vulnerabilities described in the bulletin, CVE-2021-31854 and CVE-2022-0166, affect any Windows host running a vulnerable McAfee Agent. McAfee recommends that every deployment with Agents older than version 5.7.5 update to 5.7.5 or later; systems that are not updated remain exposed.

The bulletin gives a full description of each CVE and cross-references them with the MITRE CVE and NIST NVD entries.

  • CVE-2021-31854 is a command injection vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 that allows a local user to inject arbitrary shell code into the file cleanup.exe. The malicious file is placed in the relevant folder and executed by running the McAfee Agent deployment feature in the ePO System Tree. An attacker could use it to obtain a reverse shell and from there escalate to SYSTEM privileges.
  • CVE-2022-0166 is a privilege escalation vulnerability in McAfee Agent prior to 5.7.5. At build time McAfee Agent's openssl.cnf set the OPENSSLDIR variable to a subdirectory of the installation directory. Because that path could be created by a low-privileged user, such a user could create the subdirectories, place a specially crafted malicious openssl.cnf at the expected location, and have arbitrary code executed with SYSTEM privileges when the Agent loaded it.
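The following PowerShell is an added example, not code from the advisory or from McAfee, showing the generic check a practitioner would run for the class of bug behind CVE-2022-0166: given the OPENSSLDIR path that a SYSTEM service will read openssl.cnf from, find the nearest directory on that path that actually exists and report whether a low-privileged identity could create the missing remainder and drop a file there. The exact subfolder McAfee Agent was built with is not given on this page, so the path in the usage line is a placeholder you must fill in; the list of low-privileged identities and the rights mask are assumptions to adjust for your environment.

```powershell
# Added example (not McAfee code): can a low-privileged user create a missing
# OPENSSLDIR path and plant openssl.cnf in it? Generic check for CVE-2022-0166-style bugs.

# Identities that any interactive user normally holds (assumption; adjust to taste).
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that let a principal create files or folders beneath a directory.
$CreateMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
              [int][System.Security.AccessControl.FileSystemRights]::Write -bor
              [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
              [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-NearestExistingDirectory {
    param([Parameter(Mandatory)][string]$Path)
    # Walk upwards until a directory on the path exists; its ACL decides whether
    # the missing tail of the path can be created by an unprivileged user.
    $probe = $Path
    while (-not (Test-Path -LiteralPath $probe -PathType Container)) {
        $parent = Split-Path -Parent $probe
        if ([string]::IsNullOrEmpty($parent) -or $parent -eq $probe) { return $null }
        $probe = $parent
    }
    return $probe
}

function Test-OpenSslDirHijackable {
    param([Parameter(Mandatory)][string]$OpenSslDir)

    $cnf        = Join-Path $OpenSslDir 'openssl.cnf'
    $existing   = Get-NearestExistingDirectory -Path $OpenSslDir
    $writableBy = @()

    if ($existing) {
        foreach ($ace in (Get-Acl -LiteralPath $existing).Access) {
            # Only Allow ACEs for the low-privileged identities matter here;
            # Deny ACEs and nested group membership are deliberately not resolved.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $CreateMask) -ne 0) {
                $writableBy += $ace.IdentityReference.Value
            }
        }
    }

    [pscustomobject]@{
        OpenSslDir         = $OpenSslDir
        PathExists         = (Test-Path -LiteralPath $OpenSslDir -PathType Container)
        ConfigPresent      = (Test-Path -LiteralPath $cnf -PathType Leaf)
        NearestExistingDir = $existing
        LowPrivCanCreate   = ($writableBy.Count -gt 0)
        WritableBy         = (($writableBy | Sort-Object -Unique) -join ', ')
    }
}

# Usage: pass the OPENSSLDIR the service was built with. The subfolder below is a
# placeholder; the real one is not given on this page.
# Test-OpenSslDirHijackable -OpenSslDir 'C:\Program Files\McAfee\Agent\<OPENSSLDIR-subfolder>'
```

A result with PathExists false and LowPrivCanCreate true is the dangerous combination: the privileged process will look for a configuration file in a location that does not exist yet and that an ordinary user is allowed to bring into existence. If the path already exists, also review the ACL of openssl.cnf itself, which this check does not do.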

Administrators can download McAfee Agent version 5.7.5 to fix both issues. Users of McAfee endpoint and ePO products can follow the steps in the bulletin to check whether their ePO and Agent deployments are affected. Once the updated Agent has been deployed to a client system, that system is no longer vulnerable to the issues described.
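As an added example that is not the bulletin's own procedure, the PowerShell below reads the installed McAfee Agent version from the standard Uninstall registry keys on the local machine and flags anything below 5.7.5. It assumes the product registers an uninstall entry whose DisplayName begins with "McAfee Agent"; if your deployment tooling or ePO console records Agent versions elsewhere, treat that as the source of truth.

```powershell
# Added example (not from the advisory): flag McAfee Agent installs older than 5.7.5.
$FixedVersion = [version]'5.7.5'

function Get-McAfeeAgentInstall {
    # Standard Uninstall keys for 64-bit and 32-bit registrations. Matching on
    # DisplayName 'McAfee Agent*' is an assumption about how the product registers.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'McAfee Agent*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-McAfeeAgentNeedsUpdate {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $parsed = $null
    # Keep only the dotted numeric part (drops any build tag or stray text).
    $clean = ($DisplayVersion -replace '[^0-9.]', '').Trim('.')
    if (-not [version]::TryParse($clean, [ref]$parsed)) {
        throw "Unparseable version string: '$DisplayVersion'"
    }
    # [version] treats a missing fourth part as -1, so '5.7.5' and '5.7.5.0' both
    # compare as not below $FixedVersion, while '5.7.4.123' does.
    return ($parsed -lt $FixedVersion)
}

foreach ($agent in Get-McAfeeAgentInstall) {
    $state = if (Test-McAfeeAgentNeedsUpdate -DisplayVersion $agent.DisplayVersion) {
        'UPDATE REQUIRED (CVE-2021-31854, CVE-2022-0166)'
    } else {
        'at or above 5.7.5'
    }
    '{0} {1}: {2}' -f $agent.DisplayName, $agent.DisplayVersion, $state
}
```

Run it elevated so both registry hives are readable; to sweep a fleet, wrap the two functions in Invoke-Command against your host list and collect the objects rather than the formatted strings.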

McAfee ePO is a management console that lets administrators manage all endpoints (PCs, printers and other peripherals) on their network from a single place, and monitor system data, events and policies across every eligible endpoint in their environment.

Steve Byrom