McAfee has patched two high-severity bugs in its Agent component, one of which can allow attackers to achieve arbitrary code execution with SYSTEM privileges.
McAfee has patched two high-severity vulnerabilities in a component of its McAfee Enterprise product that attackers can use to escalate privileges, including up to SYSTEM.
According to McAfee’s bulletin, the bugs are in versions prior to 5.7.5 of McAfee Agent, which is used in McAfee Endpoint Security, among other McAfee products.
The Agent is the piece of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces policies and executes client-side tasks such as deployment and updating.
The McAfee Agent is also the component that uploads events and provides additional data regarding each system’s status. Periodically collecting and sending event information to the McAfee ePO server, the Agent – which also installs and updates endpoint products – is a required install on any network system that needs to be managed.
OpenSSL Component Bug Can Lead to SYSTEM Privileges
One of the flaws in the Agent – tracked as CVE-2022-0166 and given a CVSS base criticality rating of 7.8 – was discovered by Will Dormann of Carnegie Mellon University’s CERT Coordination Center (CERT/CC).
On Thursday, CERT/CC published an advisory stating that the vulnerability lies in an OpenSSL component in Agent that specifies an OPENSSLDIR variable as a subdirectory that “[may] be controllable by an unprivileged user on Windows.”
According to the advisory, McAfee Agent “contains a privileged service that uses this OpenSSL component. A user who can place a specially crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.”
Dormann found that an unprivileged user could exploit the bug to place a specially crafted openssl.cnf in a location used by McAfee Agent and thus potentially be able to execute arbitrary code with SYSTEM privileges on a Windows system that has the vulnerable McAfee Agent software installed.
When Dormann referred to an openssl.cnf, he was talking about an OpenSSL configuration file: a file that provides SSL defaults for items such as certificate file locations, and site details such as those entered during installation.
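A defender-side check for the condition CERT/CC describes, as an added example that is not from McAfee, CERT/CC or the original article: given an OPENSSLDIR path, it finds the deepest directory that already exists and reports whether broad low-privileged groups can create or replace files there. The function name and the path passed to it are assumptions; the article does not state the Agent's OPENSSLDIR.

```powershell
# Added example: not McAfee or CERT/CC code. Deny ACEs are ignored, so
# treat a hit as a lead to confirm by hand.
function Test-OpenSslDirExposure {
    param([Parameter(Mandatory)][string]$OpenSslDir)
    # Well-known SIDs of broad, low-privileged principals.
    $lowPriv = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    # Rights that allow planting or replacing a file such as openssl.cnf.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($R::CreateFiles -bor $R::CreateDirectories -bor
                       $R::ChangePermissions -bor $R::TakeOwnership)

    # Walk up to the deepest directory that already exists: whoever can
    # create children there controls every missing component below it.
    $probe = $OpenSslDir
    while ($probe -and -not (Test-Path -LiteralPath $probe -PathType Container)) {
        $probe = [System.IO.Path]::GetDirectoryName($probe)
    }
    if (-not $probe) { throw "No existing ancestor found for '$OpenSslDir'" }

    $hits = foreach ($ace in (Get-Acl -LiteralPath $probe).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries do not apply to this directory itself.
        if ($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account: skip
        if ($lowPriv.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            '{0}: {1}' -f $lowPriv[$sid], $ace.FileSystemRights
        }
    }

    [pscustomobject]@{
        OpenSslDir       = $OpenSslDir
        CheckedDirectory = $probe
        TargetExists     = ($probe -eq $OpenSslDir)
        Exposed          = [bool]$hits
        WritableBy       = @($hits)
    }
}

# Placeholder path: substitute the OPENSSLDIR of the build under review.
Test-OpenSslDirExposure -OpenSslDir 'C:\placeholder\openssldir'
```

An `Exposed` result of `True` with `TargetExists` of `False` means the configuration directory does not exist yet and an unprivileged account could create it.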
Arbitrary Shell Code
The second bug in the Agent – tracked as CVE-2021-31854 and given a CVSS criticality rating of 7.7 – can be exploited by a local user to inject arbitrary shell code into a file, McAfee said in its advisory. “An attacker can exploit the security hole to obtain a reverse shell that allows them to gain root privileges,” according to the company.
The vulnerability, which is still pending analysis by its discoverer – Russell Wells from Cyberlinx Security – is a command-injection vulnerability in McAfee Agent for Windows prior to 5.7.5. McAfee said that it allows local users to inject arbitrary shell code into the file cleanup.exe.
“The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree,” according to McAfee. “An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges.”
Wells told Security Week that exploiting this bug requires access to the McAfee ePO host, as in, the underlying Windows host, not the application itself.
Elevated Access Lets Threat Actors Run Amok
Exploiting privilege-escalation bugs lets threat actors paw at resources that should normally be locked safely away. Attackers can use those elevated privileges to steal confidential data, run administrative commands, read files from the file system and deploy malware, as well as to potentially evade detection during attacks.
This isn’t the first time that privilege-escalation bugs have turned up in McAfee’s Agent. A few months ago, in September, the security firm patched one such bug (CVE-2020-7315) that was discovered by Tenable security researcher Clément Notin.
That earlier bug involved DLL injection in McAfee Agent that could have allowed a local administrator to kill or tamper with the antivirus, without knowing the McAfee password.