McAfee Bug Exploitable to Gain Windows SYSTEM Privileges!

McAfee Bug Exploitable to Gain Windows SYSTEM Privileges!

McAfee has patched 2 high-severity vulnerabilities in a component of its McAfee Enterprise product that attackers can use to escalate privileges, including up to SYSTEM.

According to McAfee’s bulletin, the bugs are in versions prior to 5.7.5 of McAfee Agent, which is used in McAfee Endpoint Security, among other McAfee products.

Client-Side Tasks

The Agent is the piece of McAfee ePolicy Orchestrator (McAfee ePO) that downloads & enforces policies & executes client-side tasks such as deployment & updating.

The McAfee Agent is also the component that uploads events & provides additional data regarding each system’s status. Periodically collecting & sending event information to the McAfee ePO server, the Agent – which also installs & updates endpoint products – is a required install on any network system that needs to be managed.

OpenSSL Component Bug

One of the defects in the Agent – tracked as CVE-2022-0166 & given a CVSS base criticality rating of 7.8 – was discovered by Will Dormann of the US Carnegie Mellon University’s CERT Coordination Center (CERT/CC).

On Thur., CERT/CC published an advisory that stated that the vulnerability is found in an OpenSSL component in Agent that specifies an OPENSSLDIR variable as a subdirectory that “may be controllable by an unprivileged user on Windows.”

Appropriate Path

According to the advisory, McAfee Agent “contains a privileged service that uses this OpenSSL component. A user who can place a specially crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.”

Dormann found that an unprivileged user could exploit the bug to place a specially crafted openssl.cnf in a location used by McAfee Agent & thus potentially be able to execute arbitrary code with SYSTEM privileges on a Windows system that has the vulnerable McAfee Agent software installed.

When Dormann referred to an openssl.cnf, he was talking about an OpenSSL configuration file: a file that provides SSL defaults for items such as certificate files locations, & site details such as those entered during installation.

Arbitrary Shell Code

The 2nd bug in the Agent – tracked as CVE-2021-31854 and given a CVSS criticality rating of 7.7 – can be exploited by a local user to inject arbitrary shell code into a file, McAfee said in its advisory.

“An attacker can exploit the security hole to obtain a reverse shell that allows them to gain root privileges,” according to the company.

The vulnerability, which is still pending analysis from its discoverer – Russell Wells from Cyberlinx Security – is a ‘command-injection vulnerability’ in McAfee Agent for Windows prior to 5.7.5. McAfee explained that it allows local users to inject arbitrary shell code into the file cleanup.exe.

System Tree

“The malicious clean.exe file is placed into the relevant folder & executed by running the McAfee Agent deployment feature located in the System Tree,” according to McAfee. “An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges.”

Wells told Security Week that exploiting this bug requires access to the McAfee ePO host, as in, the underlying Windows host, not the application itself.

Elevated Access

Exploiting privilege-escalation bugs lets threat players interfere with resources that should normally be locked safely away.

Attackers can use those elevated privileges to steal confidential data, run administrative commands, read files from the file system & deploy malware, as well as to potentially evade detection during attacks.

This is not the 1st time that privilege-escalation bugs have appeared in McAfee’s Agent. In Sept., the security firm patched one such bug (CVE-2020-7315) that was discovered by Tenable security researcher Clément Notin.

This earlier bug involved DLL injection in McAfee Agent that could have allowed a local administrator to ‘kill’ or tamper with the antivirus, without knowing the McAfee password.

SHARE ARTICLE