McAfee has fixed a security vulnerability in its McAfee Agent software for Windows that allowed arbitrary code to be launched with SYSTEM privileges.
McAfee Agent is a component of McAfee’s ePolicy Orchestrator (ePO) that reports data and status from client machines and enforces policies on them. The company issued a security alert earlier this week noting two CVEs that affect previous versions of the ePO Agent. It also published an upgraded version of the Agent that addresses both vulnerabilities, which were rated as critical.
CVE-2021-31854 and CVE-2022-0166, the two high-severity vulnerabilities described in the advisory, can leave any asset running a McAfee ePO Agent open to attack. According to McAfee’s recommendations, all deployments with Agents older than version 5.7.5 should update the Agent or risk additional exposure.
The security brief offers a full explanation of each CVE and cross-references them with the MITRE and NIST CVE records.
- CVE-2021-31854—In McAfee Agent (MA) for Windows prior to 5.7.5, a command injection vulnerability allows local users to insert arbitrary shell code into the cleanup.exe file. The malicious clean.exe program is placed in the relevant folder and executed by using the McAfee Agent deployment feature in the System Tree. An attacker could use the flaw to obtain a reverse shell, which could lead to privilege escalation and root access.
- CVE-2022-0166—A privilege escalation issue in McAfee Agent prior to 5.7.5. During the build process, McAfee Agent uses openssl.cnf to define the OPENSSLDIR variable as a subfolder within the installation path. By creating the subdirectories on that path and placing a specially crafted malicious openssl.cnf file there, a low-privileged user could have executed arbitrary code with SYSTEM privileges.
Users and administrators tasked with resolving the vulnerabilities can download McAfee Agent version 5.7.5. Users of McAfee endpoint and ePO/server products can follow the steps in the advisory to determine whether their ePO and Agent deployments are affected. Once version 5.7.5 has been deployed, a client system with the Agent installed is no longer vulnerable to the described exploits.
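The advisory’s remediation boils down to one check: is the installed Agent older than 5.7.5? The script below, an added example that is not McAfee’s code or part of the advisory, triages an exported agent inventory against that threshold. The CSV layout (columns `host` and `agent_version`) and the host names are constructed for illustration; a real ePO export will have its own column names, so adjust the two field lookups accordingly. It compares versions numerically rather than as strings, because a plain string comparison would wrongly flag 5.7.10 as older than 5.7.5.

```python
"""Triage an agent inventory for McAfee Agent versions older than 5.7.5.

Added example, not code from McAfee or from the article. The inventory
below is constructed; the column names are an assumption about the export.
"""
import csv
import io
import re

# Version named in the advisory as the first release containing the fix.
FIXED_VERSION = "5.7.5"

# Constructed sample inventory (fictional hosts), in the assumed CSV layout.
SAMPLE_INVENTORY = """host,agent_version
ws-0101,5.7.4
ws-0102,5.7.5
srv-db-01,5.6.6
ws-0103,5.7.10
lab-vm-7,5.7.5.1234
ws-0104,not installed
"""


def parse_version(text):
    """Return a tuple of ints for a dotted version string, or None if unparseable.

    Integer tuples are needed because string comparison gets '5.7.10' < '5.7.5'
    wrong; a None result means the row needs manual follow-up.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True if version_text is older than the fixed version, False if not,
    None if the version string could not be parsed."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    fixed_t = parse_version(fixed)
    # Pad the shorter tuple with zeros so that 5.7.5.1234 compares as >= 5.7.5
    # and 5.7 compares as equal to 5.7.0 rather than as older.
    width = max(len(parsed), len(fixed_t))
    parsed += (0,) * (width - len(parsed))
    fixed_t += (0,) * (width - len(fixed_t))
    return parsed < fixed_t


def triage(csv_text):
    """Bucket every host in the CSV into 'vulnerable', 'patched' or 'unknown'."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = is_vulnerable(row["agent_version"])  # assumed column name
        host = row["host"]                            # assumed column name
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the `unknown` bucket (no Agent, or an unparseable version string) deserve the same attention as the vulnerable ones, since an unmanaged endpoint cannot receive the updated Agent through ePO.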
McAfee ePO is an administrative solution that lets users manage all endpoints (PCs, printers, and other peripherals) on their network from a single location. From that one console, administrators can manage and monitor system data, events, and policies across every eligible endpoint in their environment.