McAfee Agent bug allows hackers to run code with Windows SYSTEM privileges


McAfee Enterprise (now rebranded as Trellix) has fixed a security vulnerability in the company’s McAfee Agent for Windows software that allows attackers to elevate privileges and execute arbitrary code with SYSTEM privileges.

McAfee Agent is a client-side component of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and applies endpoint policies and deploys anti-virus signatures, upgrades, patches, and new products to enterprise endpoints.

The company has fixed the high-severity Local Privilege Escalation (LPE) flaw, tracked as CVE-2022-0166 and discovered by CERT/CC vulnerability analyst Will Dormann, and released security updates with McAfee Agent 5.7.5 on January 18.

All versions of McAfee Agent prior to 5.7.5 are vulnerable and allow unprivileged attackers to execute code using NT AUTHORITY\SYSTEM account privileges, the highest privilege level on a Windows system, used by the operating system and operating system services.

“McAfee Agent, included with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that can be controlled by an unprivileged user on Windows,” Dormann explained.

“McAfee Agent contains a privileged service that uses this OpenSSL component. A user who can place a specially crafted openssl.cnf file in an appropriate path may be able to execute arbitrary code with SYSTEM privileges.”
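The condition Dormann describes can be audited on an endpoint. The following PowerShell is an added example, not code from the article, CERT/CC or McAfee: it checks whether well-known unprivileged groups hold write or create rights on a configuration directory, or on its nearest existing ancestor when the directory is missing. The `$ConfigDir` default is a placeholder, and the function names and SID list are choices made for this example.

```powershell
# Added example: can an unprivileged user create or write the directory that a
# privileged service reads openssl.cnf from? Heuristic over Allow ACEs only.
param(
    # Assumption: placeholder; pass the OPENSSLDIR of the build under review.
    [string]$ConfigDir = 'C:\placeholder\openssl-dir'
)

# Well-known SIDs of groups that contain ordinary, unprivileged users.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Rights that allow dropping a file or creating a missing subdirectory, plus the
# generic bits Get-Acl can return raw (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000).
$Named     = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
$RiskyMask = [int]$Named -bor 0x40000000 -bor 0x10000000

function Get-FirstExistingAncestor([string]$Path) {
    # If the configured directory is missing, whoever can create it controls its
    # contents, so the ACL that matters is on the nearest ancestor that exists.
    $p = $Path
    while ($p -and -not (Test-Path -LiteralPath $p -PathType Container)) {
        $p = Split-Path -Path $p -Parent
    }
    return $p
}

function Test-UnprivilegedWrite([string]$Path) {
    $target = Get-FirstExistingAncestor $Path
    if (-not $target) { throw "No existing ancestor found for $Path" }
    foreach ($rule in (Get-Acl -LiteralPath $target).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # identity could not be resolved to a SID; skip it
        if ($LowPrivSids.ContainsKey($sid) -and ([int]$rule.FileSystemRights -band $RiskyMask)) {
            [pscustomobject]@{
                ConfiguredDir = $Path
                CheckedDir    = $target
                DirExists     = (Test-Path -LiteralPath $Path -PathType Container)
                Principal     = $LowPrivSids[$sid]
                Rights        = $rule.FileSystemRights
                Propagation   = $rule.PropagationFlags   # InheritOnly ACEs affect children only
            }
        }
    }
}

Test-UnprivilegedWrite $ConfigDir | Format-Table -AutoSize
```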

Exploitable for evasion, loading malicious payloads

After successful exploitation, threat actors could persistently execute malicious payloads and potentially evade detection during attacks.

Although only locally exploitable, threat actors typically exploit this type of security flaw during the later stages of their attacks, after infiltrating the target machine, to elevate permissions, gain persistence, and further compromise the system.

This isn’t the first time security researchers have discovered vulnerabilities while scanning McAfee’s Windows security products.

For example, in September 2021, the company fixed another McAfee Agent privilege escalation bug (CVE-2020-7315) discovered by Clément Notin, a security researcher at Tenable, which allowed local users to execute arbitrary code and kill the antivirus.

Two years earlier, McAfee patched a security flaw affecting all editions of its antivirus software for Windows (i.e., Total Protection, Anti-Virus Plus, and Internet Security) that allowed would-be attackers to elevate privileges and execute code with the authority of the SYSTEM account.

